What encryption is used between the Canary and Console?

In live mode, messages between the Canary and its Console are carried over DNS. To ensure their confidentiality and integrity, the contents are encrypted with a strong symmetric cipher. During registration, the bird registers a symmetric key with the Console, and from then on all live mode comms occur with that key.

The underlying symmetric encryption library used is NaCl, which provides the Salsa20 stream cipher for encryption and Poly1305 MAC for authentication. Messages from bird to Console use a counter as a nonce (incremented on each message and saved across reboots and factory resets), and messages from Console to bird use a random 24-byte nonce.