Migration to 4.0.1 with non-default cipher in 3 db


#1

I have an old database which is encrypted with ‘aes-256-cfb’. Now that PRAGMA cipher is gone, how am I supposed to perform the migration? PRAGMA cipher_migrate; is returning value 1. PRAGMA compatibility_mode = 3; works OK, but ATTACH DATABASE fails (when trying to migrate with sqlcipher_export()).


#2

Hello @Karitsa

The PRAGMA cipher command has been deprecated since 4/5/2016, which provided just under 3 years to migrate away prior to removal.

Given the situation where your application uses a non-default cipher, you will likely want to approach the migration process in two phases, depending on your application structure. First, you can use the 3.x version of SQLCipher to perform a custom export using sqlcipher_export(...) to migrate from aes-256-cfb to aes-256-cbc. Once you are comfortable customers have migrated to CBC mode, you could provide a new update to your users using SQLCipher 4 where your application performs a cipher_migrate to the latest default file format. Again, depending on your application structure, you may be able to perform this routine out of band from the application itself making the upgrade process smoother for the end user.

Alternatively, you could rebuild SQLCipher 4 to utilize aes-256-cfb by default. While we do not recommend this approach, it is an option, but not something we support.
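
The two-phase migration described in the reply above, written out as an added example (not part of the original post and not code from the SQLCipher project). The file names `legacy_cfb.db` and `migrated_cbc.db` and the passphrase are placeholders, and the first session assumes a SQLCipher 3.x build that still accepts the deprecated PRAGMA cipher.

```sql
-- Phase 1: SQLCipher 3.x session opened on legacy_cfb.db (placeholder name).
-- Export the CFB-encrypted database into a new file that uses the 3.x defaults.
PRAGMA key = 'passphrase';            -- placeholder passphrase
PRAGMA cipher = 'aes-256-cfb';        -- must follow PRAGMA key and precede any other statement
SELECT count(*) FROM sqlite_master;   -- fails if the key or cipher setting is wrong

-- The attached database is created with the 3.x default cipher (aes-256-cbc),
-- so no cipher override is set on it.
ATTACH DATABASE 'migrated_cbc.db' AS cbc KEY 'passphrase';
SELECT sqlcipher_export('cbc');       -- copies schema and data into the attached database
DETACH DATABASE cbc;

-- Phase 2: SQLCipher 4 session opened on migrated_cbc.db, in a later release.
-- cipher_migrate rewrites the file in place, so keep a copy until it is verified.
PRAGMA key = 'passphrase';
PRAGMA cipher_migrate;                -- returns one row: 0 on success, non-zero on failure
SELECT count(*) FROM sqlite_master;   -- confirms the migrated file is readable
```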


#3

Thanks for the excellent answer, even though neither of the choices is optimal. I think we will check whether it is possible to make a little fork to support cfb for converting to the default cbc. And then, after we think all users have migrated, go back to the master source.