99% of users are probably going to use a single password for encryption and integrity. We could use pbkdf2 to generate two keys at once and split it in half. Increasing performance by removing additional calls without decreasing security. Using one salt for both keys is perfectly fine.

We could also set the IV counter to 0. Since the key is never the same, and a random IV is no different as far as cipher strength. But I understand objections to this.

My issue is that you just had to write all this text to explain why we could deviate from the BCP approach... I think the key split is good optimization with zero actual impact on security. The rest I'm not sold on.

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.