Cannot perform a backup from encrypted to encrypted

Hi all guys,
very nice work on Sqlcipher.

I would like to ask you how backup works in the new versions of sqlcipher (tested on 4.4.2 and 4.4.3, on Debian 10 arm, Windows 10 and Ubuntu 18.04 x64, using openssl1-1-1d).
With version 3.20.1, the command used to perform a backup was:

./sqlcipher " {databasePath} " +
"\"PRAGMA KEY = '{databaseKey}'\" "+
"\".backup {backupTempPath}\" " +
"\"ATTACH DATABASE '{backupPath}' AS encrypted KEY '{databaseKey}'\" " +
"\"SELECT sqlcipher_export('encrypted')\" " +
"\"DETACH DATABASE encrypted\""

and it works fine.
With the latest two versions, the result is always: Error: backup is not supported with encrypted databases.
The only way to perform a “backup” is to run this command:

./sqlcipher " {databasePath} " +
"\"PRAGMA KEY = '{databaseKey}';\" " +
"\"PRAGMA cipher_compatibility = 3;\" " +
"\"ATTACH DATABASE '{backupPath}' AS encrypted KEY '{databaseKey}';\" " +
"\"PRAGMA encrypted.cipher_compatibility = 3;\" " +
"\"PRAGMA encrypted.auto_vacuum=FULL;\" " +
"\"PRAGMA encrypted.journal_mode=WAL;\" " +
"\"SELECT sqlcipher_export('encrypted');\" " +
"\"DETACH DATABASE encrypted;\"";

Am I missing something? Is it intended to not use the .backup API?
I thank you in advance for any reply and send you my best regards.

Hello @matteoPhre - thanks for getting in touch about this. This is actually the expected behavior in the current version. SQLCipher does permit using the backup API from an encrypted database to another encrypted database. However, the command line shell’s .backup command does not target an encrypted database. Rather, it directs to an unencrypted database (it does not provide a mechanism to set a key). Thus, using .backup <filename> via the shell is blocked by the SQLCipher implementation to prevent potential corruption of a database on backup.

The workaround script you are using is a perfectly suitable alternative though, and should work well with any version of SQLCipher. If you are really interested in using the backup API for some reason, you could also build a C program that uses the backup API directly to ensure that the target database is encrypted.

Let me know if this explains the behavior you are seeing or if you have any other questions.
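
Added example, not part of the original thread and not SQLCipher's own code: the sqlcipher_export workaround from the first post as a shell script that feeds the SQL to the `sqlcipher` shell on stdin, so the key does not appear in the process argument list, and then checks that the backup does not begin with the plaintext SQLite header. The `SQLCIPHER_KEY` variable name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): encrypted-to-encrypted copy via
# sqlcipher_export, with the key kept out of the process argument list.

# Double single quotes so a value is safe inside a SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Print the export script. $1 = key, $2 = backup path.
# The cipher_compatibility lines mirror the post (a 3.x-format database);
# drop them for a database created with 4.x defaults.
build_export_sql() {
    key=$(sql_quote "$1")
    dest=$(sql_quote "$2")
    cat <<EOF
PRAGMA key = '$key';
PRAGMA cipher_compatibility = 3;
ATTACH DATABASE '$dest' AS encrypted KEY '$key';
PRAGMA encrypted.cipher_compatibility = 3;
SELECT sqlcipher_export('encrypted');
DETACH DATABASE encrypted;
EOF
}

# True if the file starts with the plaintext SQLite header, i.e. the
# backup was written unencrypted.
is_plaintext_sqlite() {
    [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# $1 = source db, $2 = backup path, key in $SQLCIPHER_KEY (assumed name).
backup_encrypted() {
    [ ! -e "$2" ] || { echo "refusing to overwrite $2" >&2; return 1; }
    build_export_sql "$SQLCIPHER_KEY" "$2" | sqlcipher -bail "$1" || return 1
    if is_plaintext_sqlite "$2"; then
        echo "backup $2 is NOT encrypted" >&2
        return 1
    fi
}

# Run only when called as: SQLCIPHER_KEY=... ./backup.sh source.db backup.db
if [ "$#" -eq 2 ]; then
    backup_encrypted "$1" "$2"
fi
```

The header check assumes the default SQLCipher layout, where the first 16 bytes of the file hold the salt rather than the `SQLite format 3` string.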

Hi @sjlombardo , thanks for the comprehensive response.
Any doubts are cleared up.