SQLCipher provides you with a fully-encrypted SQLite database. It’s fast, especially with transactions and indexes; you generally will only see a 5% performance hit. No unencrypted data is written to disk, SQLite’s page caching allows for decrypted pages to be stored in memory.

The SQLCipher program relies on the peer-reviewed OpenSSL library for several encryption requirements including the AES-256 algorithm, pseudo random number generation, and PBKDF2 key derivation.

Building SQLCipher is almost the same as compiling a regular version of SQLite with two small exceptions:

1. You must define SQLITE_HAS_CODEC
 2. You need to link against OpenSSL’s libcrypto with sha256 support compiled in

Compiling with static linking: (replace /opt/local/lib with the path to libcrypto.a)

 ./configure CFLAGS="-DSQLITE_HAS_CODEC" LDFLAGS="/opt/local/lib/libcrypto.a"
 make

Compiling with dynamic linking:

 ./configure CFLAGS="-DSQLITE_HAS_CODEC -lcrypto"
 make

To specify an encryption passphrase for the database you can use a pragma. The passphrase you enter is hashed using sha256 and the result is used as the encryption key for the database.

PRAGMA key = 'passphrase';

Alternately, you can specify an exact byte sequence using a blob literal. If you use this method it is your responsibility to ensure that the data you provide a 64 character hex string, which will be converted directly to 32 bytes (256 bits) of key data.

PRAGMA key = "x'2DD29CA851E7B56E4697B0E1F08507293D761A05CE4D1B628663F411A8086D99'";

To re-key a database, the PRAGMA rekey is implemented:

PRAGMA rekey = 'newpassphrase';

To encrypt a database programatically you can use the sqlite3_key function. The data provided in pKey is converted to an encryption key according to the same rules as PRAGMA key.

int sqlite3_key(sqlite3 *db, const void *pKey, int nKey);

PRAGMA key or sqlite3_key should be called as the first operation when a database is open.