

Ask HN: LibreSSL symmetric encryption using ChaCha20 (openssl -enc) - chachalarue

Seems you can use the command line option "openssl -enc -cipher chacha" with LibreSSL for file encryption; however, the documentation doesn't mention this as a supported cipher. Is it insanity to use a stream cipher for data at rest, or should I stick to what the manpage for Libre/OpenSSL recommends, which is "a strong block cipher in CBC mode such as bf or des3"?
======
anewaccountqq
I suggest you don't pick cipher and encryption parameters by hand, and instead
use a full encryption solution designed for this use case.

An example is using dm-crypt and LUKS. If you don't want to have a dedicated
encrypted partition, you can mount a file with a loop device. For example, see
it here:

[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_n...](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system#Loop_device)

It will use AES by default in XTS mode (the default was changed because of
CBC malleability attacks).

Anyway, compared to AES, ChaCha is simpler, doesn't suffer from timing attacks,
and doesn't require a mode of operation. There's nothing wrong with using it for
data at rest.

~~~
chachalarue
Thanks. This is for multi-platform encryption of data at rest: where I work,
all systems are using LibreSSL now, so we can abstract away the openssl shell
commands for easy encrypt/decrypt, and since Android will soon have a similar
library through BoringSSL we can extend it to mobile devices.

I went through the Salsa20/ChaCha djb pages to see that it doesn't use modes, and
the LibreSSL source for e_chacha/e_chacha20poly1305.c indicates a 2TB limit, but
we would never come close to encrypting anything that large, as that's why we have
Tarsnap backups. The reason I eyed the AEAD stream cipher for file encryption was
how crazy fast it was during tests and the small size of the output; I just was
wondering about any potential 'gotchas' I wouldn't know about since I'm no expert
on crypto hashing/file encryption.

