DSL Ideas and Suggestions :: Backup Encryption Choice
Is there a way to make the backup be encrypted with an algorithm other than blowfish. Alowing users to switch to something else like serpent or AES would be nice.
There are several encryption extensions in MyDSL if you're not satisfied with what's included in the base. If DSL were to include alternatives for everything in the base, it wouldn't be small anymore.
And blowfish is a definite improvement over the previous 3des.
Not sure I'd entirely agree with that.
bcrypt is smaller and faster perhaps but it doesn't work in a pipe so dsl is currently writing unencrypted plaintext to disk before encrypting it, then using bcrypt's overwriting feature to overwrite the plaintext. For strong security, the unencrypted data should never get written to disk in the first place, since (especially on very old drives) overwriting a few times may not prevent recovery of the data, especially when attacked with the right resources, which are not expensive.
Also, bcrypt has not been maintained for a long time. For any program related to security, that is not so good.
In my reading flaws in the algorithm itself are much less likely these days than common flaws in implementation, as far as vulnerabilities go. Writing to disk in plaintext has to be considered a problematic implementation.
My $0.02 worth.
original here.