Hi! I saw at https://bcachefs.org/Encryption/ that bcachefs is supposed to be secure "even when the attacker controls the storage device itself, and can see reads and writes as they happen and return arbitrary data from read requests".
That same page also talks about using key version numbers to ensure that nonces are unique (which, as the page says, is important: "Note that ChaCha20 is a stream cypher. This means that it’s critical that we use a cryptographic MAC (which would be highly desirable anyways), and also avoiding nonce reuse is critical.").

What happens in the following scenario?

- the evil disk takes a snapshot S1 of its state while the system is shut down
- the system boots, writes some data to disk, and shuts down again
- the evil disk takes a snapshot S2 of its state
- the evil disk restores snapshot S1
- the system boots again, and writes some more data to disk
- the evil disk takes a snapshot S3 of its state

When the system is booted off an old snapshot the second time, can bcachefs end up reusing nonces, such that S2 and S3 contain different data with the same nonce?
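The scenario above as a toy model, added here as an illustration and not part of the original message; it does not reproduce bcachefs's actual nonce construction. `ToyFS`, its disk-stored `version` counter, the `trusted_counter` switch and the sample plaintexts are hypothetical, and SHAKE-256 stands in for ChaCha20 as the keystream generator.

```python
import copy
import hashlib

KEY = b"constructed-demo-key"                      # constructed sample key
P2, P3 = b"balance=0001000;", b"balance=9999999;"  # constructed plaintexts

def keystream(nonce: bytes, n: int) -> bytes:
    # SHAKE-256 stands in for ChaCha20; any stream cipher behaves the same way.
    return hashlib.shake_256(KEY + nonce).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFS:
    """Hypothetical design: nonce = (version, offset)."""
    def __init__(self, trusted_counter: bool):
        self.disk = {"version": 0, "extents": {}}       # all of this is disk-controlled
        self.trusted = 0 if trusted_counter else None   # monotonic counter kept off-disk

    def write(self, offset: int, plaintext: bytes) -> None:
        if self.trusted is None:
            self.disk["version"] += 1     # rolls back together with the disk
            version = self.disk["version"]
        else:
            self.trusted += 1             # survives a disk rollback
            version = self.trusted
        nonce = version.to_bytes(8, "little") + offset.to_bytes(8, "little")
        ct = xor(plaintext, keystream(nonce, len(plaintext)))
        self.disk["extents"][offset] = (nonce, ct)

def run_scenario(trusted_counter: bool):
    fs = ToyFS(trusted_counter)
    s1 = copy.deepcopy(fs.disk)    # S1: taken while the system is shut down
    fs.write(0, P2)                # first boot writes data
    s2 = copy.deepcopy(fs.disk)    # S2
    fs.disk = copy.deepcopy(s1)    # disk restores S1
    fs.write(0, P3)                # second boot writes different data
    s3 = fs.disk                   # S3
    return s2["extents"][0], s3["extents"][0]

def nonce_reused(trusted_counter: bool) -> bool:
    (n2, c2), (n3, c3) = run_scenario(trusted_counter)
    return n2 == n3 and c2 != c3

def leaked_xor(trusted_counter: bool) -> bool:
    # With a shared keystream, C2 xor C3 equals P2 xor P3.
    (_, c2), (_, c3) = run_scenario(trusted_counter)
    return xor(c2, c3) == xor(P2, P3)
```

In this model the collision appears only when the counter that feeds the nonce lives on the storage being rolled back; a counter the disk cannot rewind yields distinct nonces for S2 and S3.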
