Checksum before encryption breaks deniability

[goblin]

A slight cryptographic problem: checksumming the chunk before encryption means that someone who has access to the chunk filenames can prove that you backed up some sensitive data. This does not provide deniability.

If the chunks could be checksummed after encryption (or renamed to something else), then the backup scheme would correctly hide whatever data we're encrypting.

In other words, naming the chunks with the checksum of the data before encryption allows Google/Amazon/Dropbox/wherever-you-store-your-encrypted-backup to ban you on the grounds of supposed copyright infringement. That's because if they know the copyrighted data, they can chunk it themselves and they will know by the name of your file and its size that you're potentially holding the same (copyrighted) data on their machines.

I'm thinking the index could be extended to also hold the checksum of the chunk after encryption, so that it'd provide a 1-1 mapping to the hidden filename. But this would require you to have all the previous index files when adding data to a backup :-(