Find a room full of professional cryptographers, and ask them, “Can I use a stream cipher for disk encryption?” and, most likely, you will be laughed at. “Of course not. Stream ciphers, when used for disk encryption, can only provide confidentiality—not integrity. You should always use a block cipher for full-disk encryption.”

This is true.

Find a room full of common people who use disk encryption, and ask them why they’re encrypting their disk. My hunch is that most of them do so because, if their hard drive is lost or stolen, they want their data to be 100% unreadable—i.e., they want confidentiality.

But, wait! Did you notice? The common users never said anything about integrity.

Let’s clarify what confidentiality gets us:

Full-disk confidentiality keeps our data safe even if, at some point in time, someone else gains physical access to our disk (i.e., we lost it, it was stolen, or they broke into our house and inspected it).

Let’s clarify what integrity adds to this:

Full-disk confidentiality plus integrity keeps our data safe even if, at some point in time, someone else gains physical access to our disk (i.e., we lost it, it was stolen, or they broke into our house and inspected it), and then, at a later point in time, we get our disk back, and try to access it.

The second scenario is much more paranoid: it assumes we have an attacker who is targeting us, with insider knowledge of the actual format of our disk, coordinating an effort to steal our disk, modify it in some sophisticated way, and then give it back to us without leaving any trail of evidence. While there are certainly many cases where this paranoia is justified, the majority of individuals just want their data to be hidden if their disk is lost or stolen.

So, my point so far is that a stream cipher is “usually good enough” for disk encryption.

The next question, then, is whether we should settle for “good enough” when the alternatives (i.e., block ciphers) are clearly “better”. So, then, let’s talk about the benefits of stream ciphers.

Stream ciphers, arguably, do have certain advantages over block ciphers:

• They’re (theoretically) less vulnerable to bit rot.
• They’re (usually) faster.
• They’re (usually) more resistant to timing attacks.

Bit rot is something that happens with all information storage mediums, unavoidably, especially when they’re unplugged. Store a hard drive in a closet for 10 years, and you will probably have a few bits flipped. If you encrypted the disk with a stream cipher, then only those bits will be flipped: you can probably still recover the data by detecting which bits flipped and reversing them. In contrast, if you used a block cipher, then, depending on which mode you use, at least 16 bits and at worst 512 bytes may be unrecoverable.

The fact that stream ciphers are faster than safely-implemented block ciphers is common knowledge. They’re essentially just cryptographic hashes combined with xor: you hash the byte-offset of your data to get a random-looking “stream”, then xor the stream with your data. In comparison, extremely fast versions of popular block ciphers have historically been vulnerable to timing attacks.
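The hash-plus-xor construction and the bit-rot behaviour described above can be seen in a short sketch. This is an added example, not code from the original post; the SHA-256 keystream, the 512-byte sector size, the key and the sample data are all assumptions chosen for illustration, and the construction is a toy, not a vetted cipher.

```python
import hashlib

SECTOR = 512  # assumed sector size in bytes

def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Keystream for bytes [offset, offset+length): hash the key together
    with the index of each 32-byte chunk that the range touches."""
    first = offset // 32
    last = (offset + length - 1) // 32
    out = bytearray()
    for chunk in range(first, last + 1):
        out += hashlib.sha256(key + chunk.to_bytes(8, "big")).digest()
    start = offset - first * 32
    return bytes(out[start:start + length])

def xor_at(key: bytes, offset: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) data stored at a disk byte offset."""
    ks = keystream(key, offset, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def flip_bit(buf: bytes, bit_index: int) -> bytes:
    """Simulate bit rot: invert one bit of the stored ciphertext."""
    out = bytearray(buf)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def differing_bits(a: bytes, b: bytes) -> list:
    """Positions of every bit that differs between two equal-length buffers."""
    return [i * 8 + j
            for i, (x, y) in enumerate(zip(a, b))
            for j in range(8) if (x ^ y) >> j & 1]

def bit_rot_demo() -> list:
    key = b"constructed demo key"        # constructed sample key
    plaintext = bytes(range(256)) * 2    # one constructed 512-byte sector
    offset = 7 * SECTOR                  # sector 7 on the imaginary disk
    stored = xor_at(key, offset, plaintext)
    rotted = flip_bit(stored, 1234)      # one bit decays in storage
    recovered = xor_at(key, offset, rotted)
    return differing_bits(plaintext, recovered)

if __name__ == "__main__":
    print("damaged plaintext bits:", bit_rot_demo())
```

The single flipped ciphertext bit damages exactly one plaintext bit, which is the bit-rot advantage; it also decrypts without any error being raised, which is the missing integrity the cryptographers in the opening object to.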

As for the speed/timing attacks, I said “usually” because there’s one notable exception: in some modern CPUs, there are hardware implementations of AES which are so fast that they make my point moot. (But, as a last-ditch defense, not all CPUs implement this, and besides, a stream cipher could theoretically be implemented in hardware, too, and would likely use less energy.)