SQLite officially provides an encryption extension called the SQLite Encryption Extension, SEE for short.
How To Compile And Use SEE
A database file encrypted with SEE looks like a block of random garbage.
However, the section "The Importance of a Nonce" notes: Bytes 16 through 23 of the database are unencrypted.
SEE supports the following encryption algorithms:
- RC4 with security enhancements
- AES-128 in OFB mode
- AES-128 in CCM mode
- AES-256 in OFB mode
SEE has eight working modes. The first four correspond to the four ciphers listed above. The fifth supports the three ciphers other than AES-128 CCM. The sixth can use CCCrypt. The seventh uses OpenSSL. The eighth simply XORs the data.
The corresponding source files are listed below:
- see.c → AES-128, AES-256, and RC4
- see-cccrypt.c → AES-128 and AES-256 using the CCCrypt library
- see-aes128-ofb.c → AES-128
- see-aes128-ccm.c → AES-128 in CCM mode
- see-aes256-ofb.c → AES-256
- see-aes256-openssl.c → AES-256 using the OpenSSL EVP routines
- see-rc.c → RC4 (legacy only - not secure)
- see-xor.c → XOR (demonstration only - not secure)
SEE adds three dot-commands to the CLI:
- .rekey OLD NEW NEW
- .hex-rekey OLD NEW NEW
- .text-rekey OLD NEW NEW
Each cipher has a fixed key length: 256 bytes (RC4), 16 bytes (AES-128) or 32 bytes (AES-256). The key you supply is processed into the key length the cipher requires.
If SEE is compiled as a DLL, it must be activated by calling: sqlite3_activate_see("7bb07b8d471d642e");
A database can be decrypted with sqlite3_rekey_v2 or with PRAGMA key='your-secret-key'; or by appending a KEY clause to an ATTACH command: ATTACH DATABASE 'file2.db' AS two KEY 'xyzzy';
Limitations:
- TEMP tables are not encrypted.
- In-memory (":memory:") databases are not encrypted.
- Bytes 16 through 23 of the database file contain header information which is not encrypted.
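As an added example (not from this page, and not SEE's own code), a Python check built on the limitation above: under SEE the magic string in bytes 0-15 is encrypted but bytes 16-23 stay in the clear, so an at-rest audit can tell a plaintext SQLite file from an SEE-style encrypted one by parsing just that fragment (page size, read/write versions, reserved bytes per page, and the fixed 64/32/32 payload fractions). The plaintext sample is written with Python's sqlite3 module; the "encrypted-looking" sample is constructed from random bytes with only offsets 16-23 filled in, not taken from a real SEE database.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # bytes 0..15 of a plaintext database

def parse_clear_header(hdr: bytes) -> dict:
    """Decode bytes 16..23, the header fields SEE leaves unencrypted."""
    if len(hdr) < 24:
        raise ValueError("need at least 24 bytes of file header")
    fields = struct.unpack(">HBBBBBB", hdr[16:24])
    page_size = 65536 if fields[0] == 1 else fields[0]  # SQLite encodes 65536 as 1
    # reserved_per_page is the tail SQLite keeps free on every page; a per-page nonce can live there
    return dict(zip(("page_size", "write_version", "read_version", "reserved_per_page",
                     "max_frac", "min_frac", "leaf_frac"), (page_size,) + fields[1:]))

def classify_sqlite_header(hdr: bytes) -> str:
    """'plaintext' if the magic is visible; 'encrypted-sqlite' if it is gone but the
    clear fields are still self-consistent; otherwise 'not-sqlite'."""
    if hdr[:16] == SQLITE_MAGIC:
        return "plaintext"
    try:
        h = parse_clear_header(hdr)
    except ValueError:
        return "not-sqlite"
    ps = h["page_size"]
    consistent = (512 <= ps <= 65536 and (ps & (ps - 1)) == 0  # power of two
                  and h["write_version"] in (1, 2) and h["read_version"] in (1, 2)
                  and (h["max_frac"], h["min_frac"], h["leaf_frac"]) == (64, 32, 32)
                  and h["reserved_per_page"] < ps)
    return "encrypted-sqlite" if consistent else "not-sqlite"

def make_plaintext_sample() -> bytes:
    """Constructed sample: a real unencrypted database written by Python's sqlite3."""
    path = os.path.join(tempfile.mkdtemp(), "plain.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE t(x)")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        return f.read(100)

def make_encrypted_like_sample() -> bytes:
    """Constructed sample imitating an SEE file: random bytes everywhere except
    offsets 16..23 (page size 4096, versions 1/1, 32 reserved bytes, 64/32/32)."""
    body = bytearray(os.urandom(4096))
    body[16:24] = struct.pack(">HBBBBBB", 4096, 1, 1, 32, 64, 32, 32)
    return bytes(body)
```

Run `classify_sqlite_header(open(path, "rb").read(100))` over database files found on a host to flag ones whose magic string is still readable, i.e. stored without SEE encryption.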
Alternatives
A one-time SEE license costs 2000 USD, which is a bit pricey.
The thread "SQLite with encryption/password protection" lists some alternatives:
- wxSQLite - A wxWidgets style C++ wrapper that also implements SQLite’s encryption.
- SQLCipher - Uses OpenSSL's libcrypto to implement.
- SQLiteCrypt - Custom implementation, modified API.
- botansqlite3 - botansqlite3 is an encryption codec for SQLite3 that can use any algorithms in Botan for encryption.
- sqleet - another encryption implementation, using ChaCha20/Poly1305 primitives. Note that wxSQLite mentioned above can use this as a crypto provider.
Other
- .NET's System.Data.SQLite appears to ship with built-in encryption
- Encryption in Microsoft.Data.Sqlite
- EntityFrameworkCore.Sqlite
- SEE's older introduction page: The SQLite Encryption Extension (SEE)
- How does SQLCipher compare to other SQLite encryption extensions?
- sqlite-net: Improve support for SQLCipher #597
- Using pysqlcipher with SqlAlchemy?
- sqleet: a new public domain encryption extension for SQLite
- Sqlite encryption in php
- $encryption_key parameter seems to be ineffective
- Unable to attach with sqlcipher encrypted database to another one
- SQLite Attach encrypted database
- A project explaining SQLite's internals: How Does a Database Work?
- SQLite Database Encryption
(End)