Use sharded counter for nonces

[DemiMarie]

Describe the feature would like to see added to OpenZFS

I would like to see OpenZFS use a sharded counter for encryption. This can be implemented by using a CPU-local 32-bit counter for the least significant bits. When it overflows, a global counter is atomically incremented, and the new value is used for the most significant bits.

How will this feature improve OpenZFS?

Currently, OpenZFS uses a random nonce for every encryption. This forces it to rotate keys frequently, and still risks nonce reuse in certain scenarios. This allows guaranteeing that nonces will never be reused, which means that keys only need to be derived once.

Additional context

This would allow AES-GCM to replace AES-CCM as the default encryption method.

[ahrens]

@tcaputi could you comment on how significant this improvement would be?