6

Assuming that you are paranoid before storing your file (distributed across a shared location), which will be the best case scenario: splitting the file first and then encrypting or encrypting first and then splitting?

otus
Runcy Oommen

2 Answers

10

Either could be implemented securely, but if you encrypt first and split afterwards, you can use standard tools and get everything right more easily. If you used the opposite order, you would have several pitfalls to deal with:

  • With password-based encryption you would either have to derive the key many times (spending resources that would be better used on additional hashing) or have a separate key derivation step and then use the key on all the parts.
  • If you had a single key used multiple times, you would have to make sure IVs are unique, whereas with a single-use key you can forgo it completely.
  • To fully authenticate the encrypted file you would need to add some metadata or a whole-file MAC, instead of simply using authenticated encryption on each part. Otherwise an attacker could drop or reorder the parts.
  • As a practical issue, if you are splitting to a certain target size, you would have to take into account the expansion caused by encryption IVs and authentication tags.
otus
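The pitfalls listed above (one key across many parts, unique nonces, and parts that can be dropped or reordered) can all be handled if you split first and then encrypt carefully. The following is an added example, not code from either answer: it seals each part with AES-256-GCM under a single key and binds the part index and total count into the associated data, so reassembly fails if any part is missing, duplicated or out of order. It assumes `key` is 32 bytes derived once per file from a password KDF with a fresh salt (so a plain counter is a unique nonce), `fileID` is any stable identifier for the archive, and `chunk` is positive.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// aad binds a part to its position (fileID || index || total) so that a
// dropped, duplicated or reordered part fails authentication on reassembly.
func aad(fileID []byte, index, total int) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b, uint64(index))
	binary.BigEndian.PutUint64(b[8:], uint64(total))
	return append(append([]byte{}, fileID...), b...)
}

// SealParts splits plaintext into chunk-sized pieces (chunk > 0) and seals each
// with AES-256-GCM under one key, assumed to be derived once per file with a
// fresh salt, so a plain part counter is a unique nonce. Part = nonce || ct.
func SealParts(key, fileID, plaintext []byte, chunk int) ([][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	total := (len(plaintext) + chunk - 1) / chunk
	var parts [][]byte
	for i := 0; i < total; i++ {
		end := (i + 1) * chunk
		if end > len(plaintext) { end = len(plaintext) }
		nonce := make([]byte, gcm.NonceSize())
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		parts = append(parts, gcm.Seal(nonce, nonce, plaintext[i*chunk:end], aad(fileID, i, total)))
	}
	return parts, nil
}

// OpenParts reassembles the file, checking every part against the index and
// total it should carry; a mismatch reports which part failed.
func OpenParts(key, fileID []byte, parts [][]byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	var out []byte
	for i, p := range parts {
		if len(p) < gcm.NonceSize() { return nil, fmt.Errorf("part %d: truncated", i) }
		pt, err := gcm.Open(nil, p[:gcm.NonceSize()], p[gcm.NonceSize():], aad(fileID, i, len(parts)))
		if err != nil { return nil, fmt.Errorf("part %d: %w", i, err) }
		out = append(out, pt...)
	}
	return out, nil
}
```

Because each part authenticates on its own, a failed upload can be resumed at the part that died, while the index/total binding gives the whole-file guarantee that a per-part MAC alone would not.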
4

When doing backups to an online (cloud) provider, I split first, then encrypt. My files are all first tarred together, and the resulting file can end up being many GB in size.

If I try to encrypt that large tar file, it would take hours or days, and any problem will cause the encryption process to fail with no option to resume. By splitting first, I can encrypt each individual piece with the ability to resume the batch encryption process if it dies in the middle.

Another problem with encryption before splitting is that you must have all of the pieces to decrypt. If any get lost, the entire archive is gone as well. Contrasted with splitting first, you have a good chance at recovering most of the files even if one piece is lost, especially if they are tarred (one file after another with no compression).

Stephen S