New Feature: Encryption

Bernardo
Site Admin

Postby Bernardo » Thu Jan 05, 2017 2:20 am

I am glad to announce the new feature just added to litereplica:

Database and Communication Encryption!

Now litereplica comes with encryption of databases as well as the communication between the nodes.

The chosen ciphers were ChaCha, which is faster than AES on small devices, and XRC4, an extended version of RC4 even faster than ChaCha.


To open an encrypted database we use the URI parameters cipher and key or hexkey. Example:

"file:/path/to/file.db?cipher=...&key=..."

Or

"file:/path/to/file.db?cipher=...&hexkey=..."


THE CIPHER

The cipher argument can be set to one of these values:

xrc4 - fastest
chacha8 - fast
chacha12 - medium
chacha20 - strongest


THE KEY

Using XRC4 the key can be up to 256 bytes. Example:

"file:data.db?cipher=xrc4&key=testing"

Using ChaCha the key must be 32 bytes long. Example:

"file:data.db?cipher=chacha20&key=ThisIsAReallyLongKeyWith32Bytess"


The key can also be in hex format, using the hexkey parameter:

"file:data.db?cipher=...&hexkey=11223344556677889900AABBCCDDEEFF..."


CREATING AN ENCRYPTED DATABASE

Open the database with a URI like the ones above and then create the tables and populate them.


CONVERTING AN EXISTING DATABASE

Currently it is not possible to make a direct conversion of an existing database. We must create an encrypted database using the SQLite shell and then copy the data from the plain database to it.

This can be done in just 1 step:

sqlite3 plain.db .dump | sqlite3 "file:encrypted.db?cipher=...&key=..."

Or in 2 steps if you want to inspect the generated SQL commands:

sqlite3 plain.db .dump > out.sql

sqlite3 "file:encrypted.db?cipher=...&key=..." < out.sql


If you want to use a page size different from the default, open the generated out.sql file and add the pragma line at the top:

PRAGMA page_size=...;


REPLICATING AN ENCRYPTED DATABASE

Mix the URI parameters. Example:

PRIMARY:

"file:data.db?cipher=xrc4&key=testing&replica=master&slave=tcp://127.0.0.1:1234"

REPLICA:

"file:replica.db?cipher=xrc4&key=testing&replica=slave&bind=tcp://0.0.0.0:1234"


DATABASE HEADER

The first 100 bytes of an SQLite database form the header. Most of it is fixed data.

In encryption, if we have known plain data, this helps an attacker trying to discover the encryption key.

For this reason the database header is not encrypted by default, but you have a total of 3 options:

1. Do not encrypt the db header (default).
2. Do not encrypt the db header and use a custom header string to decrease the chance of identifying the file type.
3. Encrypt the db header but do not encrypt bytes 16-23 of it (required by SQLite).

The default header string is "SQLite format 3". To enable the use of a custom header compile litereplica with:

CODEC_USE_CUSTOM_HEADER
CODEC_CUSTOM_HEADER="ExampleNewHeader"

The custom header string must be 15 or 16 bytes long. If using 15, the last one will be a null terminator.


To encrypt the database header compile litereplica with:

CODEC_ENCRYPT_DB_HEADER


Feel free to ask questions in the general discussion forum or via e-mail.

Happy Coding!
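
An added example, not part of the original post and not litereplica code: a Python check of what the three header options above leave visible, using the standard SQLite file-format meaning of bytes 16-23. The sample headers are constructed, and the function names are hypothetical.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # default 16-byte header string

def parse_fixed_fields(header: bytes):
    """Decode bytes 16-23 of the 100-byte header; None if they are not plausible."""
    if len(header) < 100:
        return None
    (page_size, write_ver, read_ver, reserved,
     max_frac, min_frac, leaf_frac) = struct.unpack(">HBBBBBB", header[16:24])
    if page_size == 1:                      # SQLite stores 65536 as 1
        page_size = 65536
    power_of_two = (page_size & (page_size - 1)) == 0
    if not (512 <= page_size <= 65536 and power_of_two):
        return None
    if write_ver not in (1, 2) or read_ver not in (1, 2):
        return None
    if (max_frac, min_frac, leaf_frac) != (64, 32, 32):  # fixed by the file format
        return None
    return {"page_size": page_size, "reserved_per_page": reserved}

def classify(header: bytes) -> str:
    """Label a header by what an observer can tell without the key."""
    if header[:16] == SQLITE_MAGIC:
        return "default-header"                      # option 1
    if parse_fixed_fields(header) is not None:
        return "sqlite-layout-nonstandard-magic"     # option 2 or 3
    return "unrecognized"

def make_header(magic: bytes, page_size: int = 4096) -> bytes:
    """Constructed sample: 16-byte magic, valid bytes 16-23, zero filler."""
    size_field = 1 if page_size == 65536 else page_size
    fixed = struct.pack(">HBBBBBB", size_field, 1, 1, 0, 64, 32, 32)
    return magic.ljust(16, b"\x00")[:16] + fixed + bytes(76)

if __name__ == "__main__":
    samples = {  # all constructed for illustration
        "default": make_header(SQLITE_MAGIC),
        "custom string": make_header(b"ExampleNewHeader"),
        "stand-in for encrypted magic": make_header(bytes.fromhex("9f3c" * 8)),
        "other file": bytes(range(100)),
    }
    for name, hdr in samples.items():
        print(f"{name}: {classify(hdr)} {parse_fixed_fields(hdr)}")
```

With a custom or encrypted header string the first 16 bytes no longer match, but bytes 16-23 still decode as valid SQLite fields, so the file type remains recognizable from them.
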

brian

Re: New Feature: Encryption

Postby brian » Thu Oct 26, 2017 9:33 pm

Could you please clarify if this encryption feature is available for sqlite3.8 or it is only available for sqlite3.15 the commercial license folder? Thanks.

Bernardo
Site Admin

Re: New Feature: Encryption

Postby Bernardo » Thu Oct 26, 2017 10:23 pm

Hi!

It is available only in the commercial licensed version.
