Can't access encrypted databases after upgrading SQLCipher

Question

I recently upgraded from SQLCipher 3.7.12 to 3.8.5. After doing this, I just now discovered that none of my encrypted databases are readable - they all return error 26, indicating that the password is wrong, but I am using the same password that they were encrypted with. If I access the same database using an old binary linked against 3.7.12 I can access the database fine.

I don't see anything in the documentation that would suggest an incompatibility between these two versions or which mentions any changes that are needed to access a database created by an older version. Maybe one of the pragma defaults has changed (i.e. kdf_iter), or maybe there actually is an incompatibility? What do I need to do in order to make my existing databases work with the new version of SQLCipher?

Answer 1

After some digging in the source code I found that my initial suspicion was absolutely correct:

$ diff src/crypto.h ~/Downloads/sqlcipher-master/src/crypto.h
47c47
< #define CIPHER_VERSION "2.2.1"
---
> #define CIPHER_VERSION "3.1.0"
62c62
< #define PBKDF2_ITER 4000
---
> #define PBKDF2_ITER 64000

So to make databases compatible with an existing database, simply change the #define on line 62 of src/crypto.h back to 4000, or explicitly use either:

PRAGMA kdf_iter = '4000';

or

PRAGMA cipher_default_kdf_iter = 4000;

before trying to access the database.

Update: This doesn't seem to be sufficient if performing an ATTACH... the documentation says

In practice, this means that calling applications should provide the key on the ATTACH parameter when opening any existing databases that may use a different salt.

This appears to be different behavior from the different version, in which merely having the same key (not salt) was sufficient to not need to specify the key to an attach.

Answer 2

The key derivation length did change from 4,000 to 64,000 between versions 2.x and 3.x as you have noted. You can issue PRAGMA cipher_migrate to migrate a 2.x database to the 3.x format. More documentation on this feature can be found here.