In https://github.com/mongodb/mongo/blob/82424b742342d4b35cf10eb9d471984d1e805210/src/mongo/db/storage/remove_saver.cpp#L123 the output file pointer is reset to 0 to write the calculated GCM tag after the file has been encrypted.

Unfortunately, the tag should appear at offset 1. Writing the tag here will prevent easy decryption as the contents will appear to contain an invalid version, and the tag will be invalid.

Note that incorrectly written saver files may still be recovered by moving the tag bytes forward by one, and writing a zero to the version byte.

A fix should include creating a protector API for requesting tag offset (rather than hardcoding to 1) and moving the write as a whole behind a check for tag size (if it's zero, then there's no tag to write, e.g. CBC mode).