Introduction
SQLCipher is an open-source extension to SQLite that provides transparent, page-level 256-bit AES encryption of the entire database file. Maintained by Zetetic, it allows developers to protect data at rest using the same SQLite API they already know, making it the standard choice for encrypted local storage on mobile and desktop platforms.
What SQLCipher Does
- Encrypts the entire SQLite database file with AES-256 in CBC or GCM mode
- Provides transparent encryption requiring no application code changes beyond setting a key
- Supports key derivation via PBKDF2-HMAC-SHA512 with configurable iteration counts
- Allows re-keying and cipher migration on existing databases without data export
- Maintains full compatibility with the SQLite API, extensions, and tooling ecosystem
Architecture Overview
SQLCipher hooks into SQLite at the pager level, encrypting and decrypting individual database pages as they move between disk and the page cache. Each page is encrypted independently using a derived key, and an HMAC is computed per page to detect tampering. The key derivation uses PBKDF2 with a configurable number of iterations and a per-database random salt stored in the first page.
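A quick at-rest check that follows from this design, given as an added example that is not part of the original page or of SQLCipher itself: a plaintext SQLite file starts with the 16-byte magic string and has low-entropy pages, while a fully encrypted file should look random from its first byte. The 4096-byte sampling window, the 7.0 bits/byte threshold and both sample files are assumptions made for illustration.

```python
import math
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plaintext SQLite file
PAGE = 4096  # sampling window; assumed to match the database page size

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def classify(path: str, threshold: float = 7.0) -> str:
    """Verdict for a file: plaintext, encrypted-looking, mixed or too-small."""
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) < PAGE:
        return "too-small"
    pages = [blob[i:i + PAGE] for i in range(0, len(blob) - PAGE + 1, PAGE)]
    low = sum(entropy(p) < threshold for p in pages)  # pages that look structured
    has_magic = blob.startswith(SQLITE_MAGIC)
    if has_magic and low:
        return "plaintext"
    if not has_magic and not low:
        return "encrypted-looking"
    # Magic present over high-entropy pages, or structured pages without magic.
    return "mixed"

def demo() -> dict:
    """Classify two constructed files: a real plaintext DB and random bytes."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.db")
        conn = sqlite3.connect(plain)
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
        conn.executemany("INSERT INTO users (email) VALUES (?)",
                         [(f"user{i}@example.test",) for i in range(500)])
        conn.commit()
        conn.close()
        # Stand-in for an encrypted file: random bytes, not SQLCipher output.
        fake = os.path.join(d, "cipher.db")
        with open(fake, "wb") as f:
            f.write(os.urandom(PAGE * 4))
        return {"plain.db": classify(plain), "cipher.db": classify(fake)}

if __name__ == "__main__":
    print(demo())
```

An "encrypted-looking" verdict only shows that the file is not plaintext; it says nothing about the cipher settings or the strength of the key.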
Self-Hosting & Configuration
- Build from source with OpenSSL or LibreSSL as the crypto provider
- Set the encryption key at runtime with PRAGMA key before any other operations
- Configure cipher settings with PRAGMA cipher_page_size, cipher_kdf_algorithm, and cipher_hmac_algorithm
- Migrate plaintext SQLite databases using sqlcipher_export with ATTACH
- Use the community edition for open-source projects or the commercial edition for support and FIPS compliance
Key Features
- Full database encryption with zero changes to existing SQLite queries
- Page-level HMAC prevents silent data tampering and corruption
- Cross-platform support for iOS, Android, Windows, macOS, and Linux
- Configurable KDF iterations allow tuning the security-performance tradeoff
- Compatible with standard SQLite tools when the correct key is provided
Comparison with Similar Tools
- SQLite (plain) — SQLite stores data unencrypted; SQLCipher adds transparent AES encryption
- SQLite Encryption Extension (SEE) — SEE is a proprietary SQLite add-on; SQLCipher is open source
- Realm — Realm is a mobile object database with encryption; SQLCipher encrypts standard SQLite
- LevelDB — LevelDB has no built-in encryption; SQLCipher provides it out of the box
- libsodium secretbox — libsodium encrypts arbitrary data; SQLCipher encrypts structured SQL databases
FAQ
Q: Does SQLCipher slow down queries? A: Encryption adds overhead of roughly 5-15% depending on workload and hardware. The impact is minimal for most applications.
Q: Can I encrypt an existing SQLite database? A: Yes. Use ATTACH with sqlcipher_export to convert a plaintext database to an encrypted one.
Q: Is SQLCipher FIPS 140-2 compliant? A: The commercial edition supports FIPS-validated crypto providers. The community edition uses OpenSSL, which may or may not be FIPS-certified depending on your build.
Q: Does SQLCipher work with ORMs like Room or Core Data? A: Yes. SQLCipher provides drop-in replacements for Android Room (via SQLCipher for Android) and iOS Core Data (via encrypted-core-data wrappers).