Talking about the idea of using plain AES-CBC for disk encryption:

> He can then inject arbitrary sectors into this file, dump the file, and recover plaintext.

You wouldn't recover any plaintext here unless you could create an actual oracle based on that plaintext. It is unclear to me how you could generically do that with a disk encryption situation. You would have to do something like triggering errors based on the decrypted and modified plaintext. How would the attacker get access to these errors? The real problem is the ability to create valid changes to the disk (malleability).

> There are cryptographic modes (like XTS) which fix these problems.

XTS is malleable at the block level. CBC is malleable at the bit level but that isn't really a lot worse for whole disk encryption. XTS is still better, so yes, you should still prefer XTS over CBC. Integrity checking requires extra data. For full disk encryption there is no obvious place to put such data. So the common practice is to just not worry about integrity.

> In CBC, the chaining aspect will screw up the first block only, and even that can be manually fixed since the ciphertext is known.

The screwed up block shows up as decrypted plaintext. So you can't get around the bad blocks on the edges of splices with knowledge of the ciphertext.
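
An added example, not part of the comment above: it measures what a one-bit ciphertext change does to the decrypted plaintext under CBC and under an XEX-style tweaked mode of the kind XTS uses, which is the bit-level versus block-level malleability the comment contrasts. Assumptions: the block cipher is a 4-round Feistel stand-in built on SHA-256 rather than AES (Python's standard library has no AES), the tweak derivation is simplified, and every name, key and sample sector here is constructed for the demo.

```python
import hashlib
BS = 16  # block size in bytes, same as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):  # stand-in 4-round Feistel permutation, NOT AES
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r
def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cbc(key, iv, data, encrypt):
    out, prev = [], iv
    for b in blocks(data):
        o = enc_block(key, _xor(b, prev)) if encrypt else _xor(dec_block(key, b), prev)
        prev = o if encrypt else b  # chaining always uses the ciphertext block
        out.append(o)
    return b"".join(out)

def tweaked(key, k2, sector, data, op):  # XEX-style; tweak derivation simplified
    out = []
    for j, b in enumerate(blocks(data)):
        t = enc_block(k2, sector.to_bytes(8, "big") + j.to_bytes(8, "big"))
        out.append(_xor(op(key, _xor(b, t)), t))
    return b"".join(out)

def flip_bit(data, block):  # flip the lowest bit of the first byte of one block
    i = block * BS
    return data[:i] + bytes([data[i] ^ 1]) + data[i + 1:]
def bits_changed(a, b):  # per block: how many plaintext bits differ
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q)) for p, q in zip(blocks(a), blocks(b))]

# Constructed sample data: four 16-byte blocks and fixed demo keys.
PT = b"".join(b"sector block %02d " % i for i in range(4))
K1, K2, IV = b"k1" * 8, b"k2" * 8, b"\x00" * BS
def demo():
    c = cbc(K1, IV, PT, True)
    t = tweaked(K1, K2, 7, PT, enc_block)
    return (bits_changed(PT, cbc(K1, IV, flip_bit(c, 1), False)),
            bits_changed(PT, tweaked(K1, K2, 7, flip_bit(t, 1), dec_block)))
```

`demo()` returns two lists of per-block changed-bit counts, CBC first: under CBC the modified block decrypts to garbage and the following block changes in exactly one bit, while under the tweaked mode only the modified block changes, and unpredictably.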