I have noticed that if an application opens a database and then calls the
sqlite3_key() C function, the password is not really applied until the application attempts to read or write data. I did not notice any explicit documentation of this behavior, which I think is needed. My one remark is that this behavior could add a little more work to unit testing of password error handling in application code and higher-level wrapper libraries.
I noticed another gotcha that if an application opens a new database and sets a password using
sqlite3_key(), the database file would have zero size until the application starts writing data. I did not notice any documentation of this, which I think is needed as well. I think this could also add more work to unit testing of password error handing.
My recollection from the past is that android-database-sqlcipher did immediately apply the password when opening a database, not sure at this point whether or not this is still the case. I wouldn’t mind documentation of this behavior as well.
I would like to thank the SQLCipher team for the efforts of developing and supporting this library over the years.