V3.20.1: sqlite3_key() with raw binary or raw string of hex?


#1

Hi:

Thanks for providing this great library.

I have v3.20.1 built with GCC using C++ and encrypting my SQLite databases properly. I’ve spent some time reading the docs and analyzing the codebase, so I think I know the answer to my question, but I wanted to at least ask it here for clarity.

SUMMARY
I am currently using the PRAGMA method of setting my raw key (with salt) for database encryption. My raw key is stored as a chunk of binary data from an external source. Using this approach, I have to do extra processing to convert it to a string of hex for the PRAGMA statement, which takes up extra time and also creates extra security risks from literal strings/string processing.

sqlite3_key() looked like it provided me a way to send the binary key data directly (and avoid using any sql execs/statements), but after testing and reading, it appears this is not the case.

Question 1: is it possible to pass binary data directly into sqlite3_key()? In my case, an array of char data with the raw/salted key.

Question 2: If #1 is not possible, is it possible to pass a full/raw key (with salt) as a string of hex to sqlite3_key()? Similar to the PRAGMA approach, except the sqlite3_key() call would save me from adding string literals for the PRAGMA/sqlite3_exec call.

Thanks for your time.

~ Chris


#2

Hello @ChristopherB2K - While you can pass binary data to sqlite3_key(), SQLCipher will not treat it as a raw key (i.e. it will go through key derivation). However, you can pass a hex string in the SQLite BLOB format to sqlite3_key() and it will work, provided it meets the key and salt specification, as per your question #2. It is certainly possible. Internally, PRAGMA key calls sqlite3_key(). It should certainly be possible for you to do that without using any string literals. Also, it is safe to zero out the application's copy of the key material after calling sqlite3_key(). Let us know if that answers your question.


#3

Thanks for the response and some good news. I thought I tried passing the same hex string through sqlite3_key as PRAGMA, but maybe I screwed it up somehow.

Thanks again!

EDIT: turns out I was including the encapsulating quotes from the PRAGMA SQL examples in my attempt to use sqlite3_key() with the hex string:
"x'key1234'" (wrong)
x'key1234' (right)
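Pulling posts #2 and #3 together, here is an added C example (not code from the thread, and not SQLCipher's own) of what the reply describes: formatting the raw key and salt bytes into the SQLite BLOB literal x'...' without any SQL or string literals, passing it to sqlite3_key(), rejecting the double-quoted form from the EDIT above, and zeroing the application's copy afterwards. It assumes SQLCipher's raw key-with-salt layout of a 32-byte key followed by a 16-byte salt (96 hex digits); SAMPLE_KEY and SAMPLE_SALT are constructed test bytes, and HAVE_SQLCIPHER is a build flag introduced here so the file compiles without SQLCipher installed.

```c
/* Added example, not from the thread or from SQLCipher: build the raw-key
 * literal x'<64 hex key><32 hex salt>' straight from binary key material,
 * pass it to sqlite3_key(), and wipe every copy afterwards.
 * Assumed: 32-byte key + 16-byte salt (SQLCipher raw key-with-salt format).
 * SAMPLE_KEY/SAMPLE_SALT are constructed test bytes, not real keys.
 * Build with -DHAVE_SQLCIPHER and link SQLCipher to key a real database. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef HAVE_SQLCIPHER
#include <sqlite3.h>             /* SQLCipher's header declares sqlite3_key() */
#endif

#define RAW_KEY_LEN     32
#define RAW_SALT_LEN    16
#define RAW_HEX_LEN     (2 * (RAW_KEY_LEN + RAW_SALT_LEN))   /* 96 hex digits */
#define RAW_LITERAL_LEN (2 + RAW_HEX_LEN + 1 + 1)           /* x' ... ' NUL  */

/* Constructed sample material (NOT a real key). */
static const unsigned char SAMPLE_KEY[RAW_KEY_LEN] = {
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
static const unsigned char SAMPLE_SALT[RAW_SALT_LEN] = {
    0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff };

/* Zero through a volatile pointer so the compiler cannot drop the "dead" store. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Format x'<hex key><hex salt>' into out. No surrounding double quotes: those
 * belong to the PRAGMA's SQL text, not to the sqlite3_key() argument.
 * Returns the literal's length without the NUL, or 0 on a size mismatch. */
static size_t raw_key_literal(const unsigned char *key, size_t key_len,
                              const unsigned char *salt, size_t salt_len,
                              char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, pos = 0;
    if (key_len != RAW_KEY_LEN || salt_len != RAW_SALT_LEN || out_len < RAW_LITERAL_LEN)
        return 0;
    out[pos++] = 'x';
    out[pos++] = '\'';
    for (i = 0; i < key_len; i++) {
        out[pos++] = hex[key[i] >> 4];
        out[pos++] = hex[key[i] & 0x0f];
    }
    for (i = 0; i < salt_len; i++) {
        out[pos++] = hex[salt[i] >> 4];
        out[pos++] = hex[salt[i] & 0x0f];
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return pos;                                  /* 99 for 32 + 16 bytes */
}

/* Accept exactly x'<96 hex digits>'; rejects the "\"x'...'\"" form from post #3. */
static int is_raw_key_literal(const char *s)
{
    size_t i, n = strlen(s);
    if (n != RAW_LITERAL_LEN - 1 || s[0] != 'x' || s[1] != '\'' || s[n - 1] != '\'')
        return 0;
    for (i = 2; i < n - 1; i++)
        if (!strchr("0123456789abcdefABCDEF", s[i])) return 0;
    return 1;
}

/* Key an open handle from binary material; the literal lives only on the stack
 * and is wiped once sqlite3_key() has returned. Returns 0 on success. */
static int key_database_raw(void *db, const unsigned char *key, const unsigned char *salt)
{
    char literal[RAW_LITERAL_LEN];
    int rc = 0;
    size_t n = raw_key_literal(key, RAW_KEY_LEN, salt, RAW_SALT_LEN, literal, sizeof literal);
    if (n == 0 || !is_raw_key_literal(literal)) return -1;
#ifdef HAVE_SQLCIPHER
    rc = sqlite3_key((sqlite3 *)db, literal, (int)n);   /* nKey = byte length */
#else
    (void)db;                  /* built without SQLCipher: formatting path only */
#endif
    secure_zero(literal, sizeof literal);
    return rc;
}

/* Self-check on the constructed sample: 1 when the literal has the expected
 * shape, the quoted form is rejected, and the keying path succeeds. */
static int self_check(void)
{
    char literal[RAW_LITERAL_LEN];
    size_t n = raw_key_literal(SAMPLE_KEY, RAW_KEY_LEN, SAMPLE_SALT, RAW_SALT_LEN,
                               literal, sizeof literal);
    int ok = n == RAW_HEX_LEN + 3
          && strncmp(literal, "x'000102", 8) == 0
          && strcmp(literal + n - 5, "feff'") == 0
          && is_raw_key_literal(literal)
          && !is_raw_key_literal("\"x'000102'\"")
          && key_database_raw(NULL, SAMPLE_KEY, SAMPLE_SALT) == 0;
    secure_zero(literal, sizeof literal);
    return ok;
}

int main(void)
{
    int ok = self_check();
    printf("raw key literal self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The only string that ever exists is the x'...' literal itself, built byte by byte from the binary key and salt, so no PRAGMA text or SQL string literal is compiled into the binary; the double-quoted "x'...'" form that tripped up post #3 is rejected by is_raw_key_literal() before anything reaches SQLCipher.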