SQLiteDataReader (.Net) - is there a way to getSecureString


#1

Hi,

I know that it is not directly related to a sqlicipher but it is related to a overall security.
So, does anybody knows how to directly read database field into the SecureString variable? With. GetString method we are saving the string to an unsecured/plain text which can be exposed in memory dump. There is, of course, a way to keep encrypted data in the database field and perform decryption to a SecureString, but does anybody knows is there a implementation of method which will read db field into the SecureString?

Thanks!


#2

Hello @aleksandarkostic - There isn’t really a way to do this with the ADO.NET API. In practice, the use of a SecureString is very difficult outside the specific scenario of capturing password that is used a single time, discarded and never displayed. In particular, for data fetched from a SQLite result set, the content will exist in the heap for a period of time while the query is being processed, regardless of how the results are represented in managed code. It is just very difficult to secure against an attacker with escalated administrative privileges that would allow access to process memory.