SQLite officially provides an encryption extension called the SQLite Encryption Extension, abbreviated SEE.

How To Compile And Use SEE

A database file encrypted with SEE looks like a jumble of random gibberish.

However, the section The Importance of a Nonce notes: Bytes 16 through 23 of the database are unencrypted.

SEE supports the following encryption algorithms:

  • RC4 with security enhancements
  • AES-128 in OFB mode
  • AES-128 in CCM mode
  • AES-256 in OFB mode

SEE has eight working modes. The first four correspond to the four ciphers listed above. The fifth supports the three ciphers other than AES-128 CCM. The sixth can use CCCrypt. The seventh uses OpenSSL. The eighth simply XORs the data.

The corresponding source files are listed below:

  • see.c → AES-128, AES-256, and RC4
  • see-cccrypt.c → AES-128 and AES-256 using the CCCrypt library
  • see-aes128-ofb.c → AES-128
  • see-aes128-ccm.c → AES-128 in CCM mode
  • see-aes256-ofb.c → AES-256
  • see-aes256-openssl.c → AES-256 using the OpenSSL EVP routines
  • see-rc.c → RC4 (legacy only - not secure)
  • see-xor.c → XOR (demonstration only - not secure)

SEE introduces three CLI dot-commands:

  • .rekey OLD NEW NEW
  • .hex-rekey OLD NEW NEW
  • .text-rekey OLD NEW NEW

Each encryption algorithm has a fixed key length: 256 bytes (RC4), 16 bytes (AES128), or 32 bytes (AES256). The key you supply is processed into the key length the algorithm requires.

If SEE is compiled as a DLL, you must call sqlite3_activate_see("7bb07b8d471d642e"); to activate it.

You can use sqlite3_rekey_v2 or PRAGMA key='your-secret-key'; to decrypt a database, or append the key value to the end of the ATTACH command: ATTACH DATABASE 'file2.db' AS two KEY 'xyzzy';

Limitations:

  • TEMP tables are not encrypted.
  • In-memory (":memory:") databases are not encrypted.
  • Bytes 16 through 23 of the database file contain header information which is not encrypted.
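The two passages above (The Importance of a Nonce and the limitations list) both say that bytes 16 through 23 of an SEE-encrypted file stay in the clear. The following script, an added example that is not from the SEE documentation or the SQLite project, shows what that means in practice from a triage point of view: it parses exactly those header fields from the SQLite file-format specification (page size, read/write version, reserved bytes per page and the three payload fractions), uses the missing magic string in bytes 0-15 to tell a plaintext database from one that may be encrypted, and still recovers the page size and reserved-bytes count from the encrypted file. The "encrypted" input is a constructed stand-in (random bytes with bytes 16-23 preserved), not real SEE output, because SEE is not available in a stock Python build; the plaintext sample is generated with the standard sqlite3 module.

```python
import os
import sqlite3
import struct
import tempfile

# Bytes 0-15 of every plaintext SQLite 3 database (file-format specification).
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_db(page_size=4096):
    """Create a small plaintext SQLite database and return its raw bytes.

    Constructed sample data: the row content is irrelevant, only the header matters."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        conn = sqlite3.connect(path)
        conn.execute(f"PRAGMA page_size={page_size}")  # must precede the first write
        conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO notes(body) VALUES ('constructed row')")
        conn.commit()
        conn.close()
        with open(path, "rb") as fh:
            return fh.read()


def simulate_see_layout(plain):
    """Constructed stand-in for an SEE-encrypted file, NOT real SEE output.

    Everything is replaced by random bytes except bytes 16-23, which is the
    one layout property the SEE documentation states about its ciphertext."""
    return os.urandom(16) + plain[16:24] + os.urandom(len(plain) - 24)


def inspect_header(data):
    """Parse the header fields that remain readable (bytes 16-23) and record
    whether the plaintext magic string (bytes 0-15) is present."""
    if len(data) < 100:
        raise ValueError("shorter than the 100-byte SQLite header")
    raw_page_size = struct.unpack(">H", data[16:18])[0]
    # The file format stores a 65536-byte page as the value 1.
    page_size = 65536 if raw_page_size == 1 else raw_page_size
    return {
        "plaintext_magic": data[:16] == SQLITE_MAGIC,
        "page_size": page_size,
        "write_version": data[18],        # 1 = rollback journal, 2 = WAL
        "read_version": data[19],         # same encoding as write_version
        "reserved_per_page": data[20],    # bytes reserved at the end of each page
        "max_embedded_payload": data[21], # must be 64
        "min_embedded_payload": data[22], # must be 32
        "leaf_payload": data[23],         # must be 32
    }


def header_is_well_formed(h):
    """Sanity rules from the file-format spec that hold even for ciphertext,
    because SEE does not touch these bytes."""
    ps = h["page_size"]
    return (
        512 <= ps <= 65536 and ps & (ps - 1) == 0
        and h["write_version"] in (1, 2) and h["read_version"] in (1, 2)
        and (h["max_embedded_payload"], h["min_embedded_payload"], h["leaf_payload"]) == (64, 32, 32)
    )


def classify(data):
    """Triage verdict: 'plaintext', 'possibly-encrypted' or 'not-sqlite'.

    A file whose magic is gone but whose bytes 16-23 still satisfy the spec is
    consistent with SEE (or any codec that preserves that region); it cannot
    prove encryption, only that the plaintext header is absent."""
    h = inspect_header(data)
    if h["plaintext_magic"]:
        return "plaintext"
    if header_is_well_formed(h):
        return "possibly-encrypted"
    return "not-sqlite"


if __name__ == "__main__":
    plain = build_sample_db()
    for label, blob in (("plain", plain), ("simulated SEE layout", simulate_see_layout(plain))):
        print(f"{label}: {classify(blob)} {inspect_header(blob)}")
```

When checking a real SEE build, run `inspect_header` on the file after keying it: the magic string must be gone, while `page_size` and `reserved_per_page` still parse. The reserved-bytes field is worth watching in particular, since a nonzero value means every page carries trailing space that the codec can use, which is exactly the region the nonce discussion in the SEE documentation is concerned with.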

Alternatives

A one-time SEE license costs 2000 USD, which is a bit pricey.

SQLite with encryption/password protection lists some alternatives:

  • wxSQLite - A wxWidgets style C++ wrapper that also implements SQLite’s encryption.
  • SQLCipher - Uses openSSL’s libcrypto to implement.
  • SQLiteCrypt - Custom implementation, modified API.
  • botansqlite3 - botansqlite3 is an encryption codec for SQLite3 that can use any algorithms in Botan for encryption.
  • sqleet - another encryption implementation, using ChaCha20/Poly1305 primitives. Note that wxSQLite mentioned above can use this as a crypto provider.

Other

(End)