23

What is the best approach to encrypting a SQLite database file in .Net/C#? I'm using sqlite-dotnet2 wrapper.

There are tools like SQLite Encryption Extension and SQLite Crypt, but both are non-free, while my project is under GPL.

The naive approach I thought of using was to let SQLite handle a temporary file, then to encrypt it on program exit, and overwrite (zero-out) the original. The obvious drawback is that if the program crashes (and while it is running), the plain text DB is accessible.

Is there a better way to approach this? Can I pass an encrypted stream to the wrapper (instead of using SQLiteConnection.CreateFile)?

[edit] Maybe I am overthinking this. Is it sufficient to use the Password option in the connection string? Would the file be encrypted properly in that case (or is it some weaker protection)?

dbkk
  • 1
    > There are tools like SQLite Encryption Extension and SQLite Crypt, but both are non-free, while my project is under GPL.

    We haven't tried using it with .NET just yet, but I'm on the development team for SQLCipher (http://github.com/sjlombardo/sqlcipher), which is basically a free and unencumbered version of SQLite that provides transparent database encryption. I'd recommend it for use in mobile and/or stand-alone application settings where an embedded db is desirable. – Billy Gray Sep 30 '09 at 17:59
  • 1
    ...and .NET version of SQLCipher is also now a commercial product :( – Cocowalla Aug 23 '12 at 17:38

3 Answers

23

I recommend using the System.Data.Sqlite wrapper, which includes encryption. It works great, it's easy to use, and it's a complete ADO.Net implementation. You can get the wrapper from https://system.data.sqlite.org, and the developer describes how to use the encryption on this forum at: https://web.archive.org/web/20100207030625/http://sqlite.phxsoftware.com/forums/t/130.aspx. Hint - you just set the password property. He also describes how he does the encryption using the Microsoft Crypto API elsewhere in the forum.

Marcello B.
Ed Power
  • 1
    The links are broken. Could you provide the new one? – Protocole Sep 18 '14 at 09:20
  • 1
    Looks like Robert Simpson abandoned the phxsoftware site once control of the software was transferred to http://system.data.sqlite.org in 2011. I don't think that the old forum pages are posted anywhere else. – Ed Power Sep 18 '14 at 16:36
  • 2
    cached version of the above link http://web.archive.org/web/20130325100811/http://sqlite.phxsoftware.com/forums/t/130.aspx – Josh Anderson Oct 28 '14 at 00:01
  • Version 113 did drop support for SetPassword. SEE is the new way to go, even though it does cost 2000$ and requires manual compilation. – Bin4ry Sep 16 '20 at 00:25
  • @Bin4ry see here for more info: https://stackoverflow.com/a/72073407/8586332 – scooter May 01 '22 at 01:46
8

Take a look at:

http://zetetic.net/software/sqlcipher

It is open source.

You can also check the code for wxsqlite3.

6

I would try http://code.google.com/p/csharp-sqlite/, it's a rewrite of SQLite 3.6.16 in C#, under MIT License. I suppose it will be easy to tweak it.

EDIT: As mentioned in the note below, it also supports sqlcipher encryption.

UPDATE: Since Google Code went read-only, the project has moved to its own website https://system.data.sqlite.org/index.html/doc/trunk/www/index.wiki

Marcello B.
Yakeen
  • 1
    C#-SQLite includes built-in support for the sqlcipher package; you compile it with SQLITE_HAS_CODEC and activate it with PRAGMA hexkey="0x0102030405060708090a0b0c0d0e0f10"; – Noah Sep 02 '11 at 16:17
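
The question's edit asks whether setting a password really leaves the file encrypted. Whichever wrapper is chosen, that can be checked on the file itself; the sketch below is an added example, not code from any of the posts or from the libraries they mention. The function names, the canary string and the 7.5 bits/byte threshold are assumptions, and random bytes stand in for an encrypted file so that no encryption library is needed to run it.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plaintext pages."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def inspect_db_file(path: str, canaries: list[bytes]) -> dict:
    """Collect signs that a database file is stored unencrypted (reads the whole file)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {
        "plaintext_header": raw.startswith(SQLITE_MAGIC),
        "leaked_canaries": [c for c in canaries if c in raw],  # known values found verbatim
        "entropy": round(shannon_entropy(raw), 2),
    }

def looks_encrypted(report: dict, min_entropy: float = 7.5) -> bool:
    """min_entropy is an assumed threshold, not a value taken from any library."""
    return (not report["plaintext_header"]
            and not report["leaked_canaries"]
            and report["entropy"] >= min_entropy)

def build_sample_files(directory: str) -> tuple[str, str]:
    """Constructed inputs: a real plaintext DB and random bytes standing in for ciphertext."""
    plain = os.path.join(directory, "plain.db")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE accounts (owner TEXT, secret TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'CANARY-7f3a-secret')")
    conn.commit()
    conn.close()
    opaque = os.path.join(directory, "opaque.db")
    with open(opaque, "wb") as fh:
        fh.write(os.urandom(8192))
    return plain, opaque

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in build_sample_files(tmp):
            report = inspect_db_file(path, [b"CANARY-7f3a-secret", b"CREATE TABLE"])
            print(os.path.basename(path), report, looks_encrypted(report))
```

To use it against a real database, insert a known canary row through the password-protected connection, close it, and run `inspect_db_file` on the resulting file; a plaintext header or a leaked canary means the password option did not encrypt the data at rest.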