I want to use SQLCipher to encrypt my local database on Android.
By reading docs and docs on the web I can’t find a clear recommendation on the handling of an encryption key.
Using SQLCipher without a proper pattern for the encryption key is worth nothing as far as I understand, so I am trying to find the best practice.
- Write the key in the code -> Not secured, can be found by reverse engineering.
- Save the key in the shared preferences -> Not secured, can be found if Root access.
- Save the key in the Android KeyStore -> so so… Android 4.2 has a vulnerability on this, but we can accept this.
Also you can use it without passing a user generated password (example: https://android.googlesource.com/platform/development/+/master/samples/ApiDemos/src/com/example/android/apis/security/KeyStoreUsage.java)
Can anyone explain?
- Derive the key from a user input (PIN number for ex).
Do you guys have a good example of a way to generate the key from this (salting function??)
If I want to access the database from a background service while the tablet is at rest, since the user is not there to input the PIN, I can’t do anything with the DB, right?
Do you have any other suggestion?