C# web app, best practice for SQLCipher password management?

SQLCipher
1

Hello!

I’ve got an sqlite/sqlcipher database with a password, used by a command line c# application on windows and we store/manage the password for the database with CredentialManager using WriteCredential() and ReadCredentials() and this seems secure enough for our purposes.

But now we need to access the database from a web application.

My question is what is the best practice for web applications to safely retrieve the password to unlock the sqlite database? In our test environment we’re just using web.config, but that’s not going to be appropriate on the production server.

I haven’t tried it yet, but I guess I can still use CredentialManager and assign a specific user for the pool processes and manually write the sqlite database password to the CredentialStore for that user using powershell or something.

Is there are recommendation of the ‘best practice’ for managing sqlite/sqlcipher passwords in web applications? Preferably for c#/windows specifically, but even general guidelines for linux/perl would be interesting to read.

To be clear, I’m talking about the password to open the sqlite/sqlcipher database.

Thanks!

2

Hello @Ayyyyybeeeee,

Thank you for reaching out. Key management for a specific application is often determined by the overall level of security the application requires. We touch on this a bit in our discussion of database key material and selection [1]. Note, the key material should never be hardcoded within the application.

There is a Secret Manager provided by ASP.NET Core [2], however, it is only intended for development purposes as credentials are stored in plaintext within a user profile directory. There are cloud-based solutions as well such as Azure Key Vault [3], and AWS Systems Manager Parameter Store [4]. Another approach is to require the end-user to provide the key material on demand. Ultimately, you will need to weigh the level of security the application requires when determining your key management strategy.

  1. SQLCipher Database Key Material and Selection ↩︎

  2. Safe storage of app secrets in development in ASP.NET Core | Microsoft Learn ↩︎

  3. What is Azure Key Vault? | Microsoft Learn ↩︎

  4. AWS Systems Manager Parameter Store - AWS Systems Manager ↩︎

1 Like