Opening a legacy database with non-default OpenSSL cipher

Does specifying "-DCIPHER=“aes-128-cbc” when calling configure still work? I cannot seem to decrypt a legacy DB that we have when I do:

$ ./configure --enable-tempstore=yes CFLAGS="-DSQLITE_HAS_CODEC -DCIPHER=\"aes-128-cbc\"" LDFLAGS="-lcrypto"

$ make

I have verified the key, algo, etc. I am able to open it with SQLite Studio when selecting the algo manually, but not programmatically when I build sqlcipher from source

@Robin_Omlette this changed around in recent updates. Your best bet would be to edit src/crypto_openssl.c, modify the defined value of OPENSSL_CIPHER, and then build.


Thank you so much for your quick reply, and my apologies for getting back to you so late after it.

I was super hopeful when you said it was that easy! I found the value and made the changes and then configure'd and make'd successfully! However, after then running $ ./sqlcipher and PRAGMA key=""; and then $ .open Encrypted-DB-In-SQLCipher-Folder.db and $ SELECT * FROM some_table I was greeted with Error: file is not a database.

Am I building incorrectly? I removed the -DCIPHER CLFAG when configuring, so the build process looked like:

$ ./configure --enable-tempstore=yes CFLAGS="-DSQLITE_HAS_CODEC" LDFLAGS="-lcrypto"

$ make

EDIT: I suppose maybe I need to specify the page size and # of KDF iterations now? The HMAC may have also changed, but I’m not sure which one to use.

EDIT2: I’ve tried to set the KDF iters, etc., but am still unable to open the DB. Am I doing it right?

$ PRAGMA key="some_key";
$ PRAGMA kdf_iter='64000'
$ PRAGMA cipher_page_size=1024
$ select * from widgets

I’ve also tried adding $ PRAGMA cipher_use_hmac = OFF to no avail (but I think this is unnecessary). For reference, my settings in SQLiteStudio are below. I’ve tried digging through the source for SQLiteStudio to find out what they use for HMAC in this case but haven’t found anything helpful yet.

Screen Shot 2020-01-16 at 9.20.56 AM

@Robin_Omlette - what version of SQLCipher was the database created with? You should probably try to use PRAGMA cipher_compatibility = version after you set the key.

@sjlombardo - Thanks for your reply.

That’s a nifty shortcut. I’m not able to find which version it was built with, but I tried 1-4 for good measure in separate sessions and still got Error: file is not a database with every one. I feel like I have to be doing something wrong in the build process, but I’m not seeing any errors.

EDIT: I’ve tried changing the cipher_hmac_algirthm to HMAC_SHA1 and HMAC_SHA512 as well to no avail.

EDIT2: It was build with 3.3

@Robin_Omlette using PRAGMA cipher_compatibility should take care of all the HMAC settings for you. Are you certain that there aren’t any other custom setting being used to create / manage the old database like adjustments to KDF iterations, disabling HMAC entirely, different page size, etc?

Fairly certain. I’m able to open it with SQLite Studio without changing any settings other than the cipher.

Hello @Robin_Omlette I’ve moved this thread to a new topic. I have tested this as follows. I downloaded SQLite Studio, and created a new database using aes-128-cbc cipher mode, created a table and downloaded it. Then I made the code modification I recommended above to the crypto_openssl.c file:

diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
index efc096c..becaee4 100644
--- a/src/crypto_openssl.c
+++ b/src/crypto_openssl.c
@@ -85,7 +85,7 @@ static int sqlcipher_openssl_add_random(void *ctx, void *buffer, int length) {
   return SQLITE_OK;

-#define OPENSSL_CIPHER "aes-256-cbc"
+#define OPENSSL_CIPHER "aes-128-cbc"

 /* activate and initialize sqlcipher. Most importantly, this will automatically

After building the command line tool, I was able to successfully open the file using the key and PRAGMA cipher_compatibility = 3.

sqlite> pragma key = 'test';
sqlite> pragma cipher_compatibility = 3;
sqlite> .schema
sqlite> select * from t1;

As far as I can tell the recommended approach works as described in this scenario.