3

When using the library System.Data.SQLite to password protect your SQLite Database what type/level of encryption is used?

When researching SQLite encryption there are many options however when creating a SQLite Database from within a .NET application using the above mentioned library what method of encryption does it use?

To encrypt a SQLite Database all that is required within the .NET code is to simply provide a password within the connection string.

SQLite Connection String

Data Source= [DBFile.sqlite] ;Version=3;Password= [Password];datetimeformat=CurrentCulture;

If the route of encrypting a SQLite file above is implemented what type of encryption was applied? I have been unable to locate any documentation that spells this out.

Encryption Options:

I did locate the below link however it does not tell me what I need to know. Unless I'm dense and am missing it.

https://www.bricelam.net/2016/06/13/sqlite-encryption.html

Stackoverflow Post:

This SO Post here is outdated as it is pre SQLite 3 however it does have some nice documentation on encryption possibilities. One of the answers in this post an individual states that the post is outdated by saying "SQLite3 .Net as built in support for encryption now, which largely invalidates this answer"

What is the built in encryption mentioned above?

SQLite with encryption/password protection

Community
  • 1
  • 1
Code Novice
  • 2,043
  • 1
  • 20
  • 44

1 Answers1

1

I took a look through the CHM documentation on the home page. It barely mentions the encryption. The only info I could find was in the version history, which says this:

1.0.24.3 beta - January 10, 2006

...

  • Added support for database encryption at the pager level. Databases are encrypted using a 128-bit RC4 stream algorithm. To open an existing encrypted database, you may now specify a "Password={password}" text in the ConnectionString, or you may call the SQLiteConnection.SetPassword() function to set the password on an open connection. To encrypt existing non-encrypted databases or to change the password on an encrypted database, you must use the SQLiteConnection.ChangePassword() function. If you use SetPassword() instead of specifying a password in the connection string, or call ChangePassword() you may use a binary byte array or a text string as the password.

...

(emphasis mine)

A quick glance at the RC4 Wikipedia Page reveals that "multiple vulnerabilities have been discovered in RC4, rendering it insecure." I wouldn't trust it.

Also worth noting: the encryption module you're talking about is not a feature of SQLite, but rather an extension that the System.Data.SQLite library provides. Using it will make your database inoperable with other SQLite readers.

Colonel Thirty Two
  • 23,953
  • 8
  • 45
  • 85