Developer wanted / Help to implement in-memory caching of SQLCipher decryption key

We’ve recently updated our Android/Java application away from a SQLite DB to utilize SQLCipher, however currently our approach is not acceptable from a security stand-point as we are storing the SQLCipher key within the app/on-disk.

We believe a much more suitable solution would be to store an encrypted version of the SQLCipher key on-disk but can only be decrypted with a user-supplied passphrase that is stored in-memory only and linked to the application login activity.

This way, if the app process dies or the phone reboots, it will be impossible for the app to decrypt the SQLcipher database without the user-supplied password.

There are some historic projects that achieved this such as: GitHub - guardianproject/cacheword: a password caching and management service for Android however I’m concerned there may be a more efficient way to do this since it’s been so long since that project has been updated.

If anyone has done something similar please reach out we are looking to pay generously for this help.

In this sample project I demonstrate opening a SQLCipher database from a user-supplied passphrase. However, the passphrase does not decrypt an on-disk key file — the passphrase is used directly.

In this sample project, I demonstrate opening a SQLCipher database from an on-disk encrypted passphrase. However, I do not use an application-specific user-entered passphrse to decrypt the on-disk passphrase — rather, I use the AndroidX Security’s EncryptedFile. That in turn is backed by the system cryptographic key store.

Both are covered in this free book. Perhaps they can give you some ideas!

2 Likes

Thanks @commonsguy you’re a legend! Just reading through the book now, amazingly informative and yet simple to follow! :call_me_hand: