The SQLite Encryption Extension (SEE)


The SQLite Encryption Extension (SEE) is an add-on to the public domain version of SQLite that allows an application to read and write encrypted database files. Four different encryption algorithms are supported:

A version of SQLite that is equipped with SEE is able to read and write ordinary database files created using a public domain version of SQLite in addition to reading and writing encrypted files. In fact, an application can use the ATTACH command of SQLite to simultaneously talk to two or more encrypted and/or unencrypted database files. Each database file can have its own encryption key.

The SEE encrypts the entire database file - both data and metadata. To an outside observer, an encrypted SQLite database file appears to be white noise. Both the database file itself and its rollback journal are encrypted.
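A deployment check built on the claim above, as an added example that is not part of the SEE source or documentation: it reads the first page of each file named on the command line, flags any that still begin with the standard unencrypted SQLite header string, and tests whether the remaining candidates have a byte histogram consistent with random data. The function names, the chi-square threshold of 400 and the 512-byte minimum are assumptions of this example; a "looks random" result is consistent with encryption but does not prove it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 16-byte string (NUL included) that starts every unencrypted SQLite 3 file. */
static const char SQLITE_MAGIC[16] = "SQLite format 3";

enum db_class { DB_TOO_SHORT, DB_PLAINTEXT_SQLITE, DB_LOOKS_RANDOM, DB_NOT_RANDOM };

/* Chi-square statistic of the byte histogram against a uniform distribution.
 * Uniformly random bytes give a value near 255; structured data is far higher. */
double byte_chi_square(const unsigned char *buf, size_t n)
{
    size_t count[256] = {0};
    double expected = (double)n / 256.0, chi = 0.0;
    for (size_t i = 0; i < n; i++) count[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        double d = (double)count[b] - expected;
        chi += d * d / expected;
    }
    return chi;
}

/* Classify the first page of a database file.
 * Assumed limits for this example: at least 512 bytes, chi-square below 400. */
enum db_class classify_db_page(const unsigned char *page, size_t n)
{
    if (n < 512) return DB_TOO_SHORT;
    if (memcmp(page, SQLITE_MAGIC, sizeof SQLITE_MAGIC) == 0)
        return DB_PLAINTEXT_SQLITE;   /* readable by any public-domain SQLite */
    return byte_chi_square(page, n) < 400.0 ? DB_LOOKS_RANDOM : DB_NOT_RANDOM;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "too short to judge", "PLAINTEXT SQLite header",
        "looks random (consistent with encryption)", "not SQLite, not random" };
    unsigned char page[4096];
    int rc = 0;
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); rc = 1; continue; }
        size_t n = fread(page, 1, sizeof page, f);
        fclose(f);
        enum db_class c = classify_db_page(page, n);
        printf("%s: %s\n", argv[i], label[c]);
        if (c == DB_PLAINTEXT_SQLITE) rc = 1;
    }
    return rc;
}
```

The program exits non-zero when any file is unreadable or still carries the plaintext header, so it can gate a build or packaging step.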

Usage

The SEE includes two new APIs:

int sqlite3_key(
   sqlite3 *db,        /* The connection from sqlite3_open() */
   const void *pKey,   /* The key */
   int nKey            /* Number of bytes in the key */
);

int sqlite3_rekey(
   sqlite3 *db,                   /* Database to be rekeyed */
   const void *pKey, int nKey     /* The new key */
);

The sqlite3_key() interface is used to specify the encryption key on a newly opened database connection. The sqlite3_rekey() interface is used to change the encryption key on a database connection that is already opened. The sqlite3_rekey() interface can also decrypt a previously encrypted database (so that it is accessible from an unenhanced public-domain version of SQLite) by specifying a NULL key.

The extended APIs are also accessible via PRAGMA statements so that they can be reached without having to extend language wrappers. The details are available in the on-line documentation.

The SQLite Command-Line Interface (CLI) is enhanced with two additional command-line options, "-key" and "-hexkey", that are used to specify the encryption key. The -key option takes an argument which is the encryption key in ASCII text. The -hexkey option takes an argument which is the binary encryption key represented in hexadecimal. The CLI also includes a new dot-command called ".rekey" that invokes the sqlite3_rekey() interface in order to change the encryption key on a database.

Deliverables

The SEE is shipped as source code. You are responsible for compiling it yourself. But SEE is written entirely in uncomplicated ANSI-C code. If you are able to compile the public domain SQLite, then you should have no difficulty compiling the SEE. SEE is a drop-in replacement for public-domain SQLite.

After you purchase a license to use SEE, we will email you a username and password that lets you access the on-line configuration management system for SEE. You will be able to log on whenever you want to download the latest source code and documentation for SEE. Your password will never expire, so you can log in again in the future, as often as you like, to download updates and enhancements to SEE.

License

The SEE is licensed software. Here is a copy of a sample license agreement. Your license is perpetual. You can ship as many compiled, binary copies of SQLite with your commercial product as you like, as long as each copy is attached to your product in such a way that it cannot be separated from your product. Normally this means that you should statically link SEE with your product, though exceptions to this rule can be made as circumstances require. There are no per-copy royalties or fees and there are no license renewals.

If you upgrade to a newer version of the public-domain SQLite and your SEE module stops working, you can request a free update. There is no limit to the number of updates; however, you must request the updates. Updates are not sent automatically.

Your SEE license is valid for multiple products as long as all products are developed and maintained by a single team. For the purposes of this paragraph a "team" is a group of people who work together and all know each other's names. For smaller organizations, an entire company is usually considered a single team. However, for larger firms, we may ask that different project teams each acquire their own separate license.

The cost of a perpetual source code license for SEE is US $2000. You can order on-line or send email to sqlite@hwaci.com or call during east-coast business hours: +1.704.948.4565.

Support

The base price of SEE does not include support. We will answer a few simple questions to help you get started, and we will fix any bugs you find within 90 days of purchase. But for help beyond this, we ask that you obtain an Annual Maintenance Subscription for SQLite. An Annual Maintenance Subscription entitles you to support for both SEE and for the public-domain SQLite code.

Higher levels of support are available on a negotiated basis. Baseline support packages include a Technical Support Agreement and SQLite Consortium Membership. Consortium membership is the highest level of support offered. The US $2000 SEE license fee is waived for Consortium members.

Additional Information

If you have other questions about SQLite, please contact us directly at sqlite@hwaci.com or by phone at +1.704.948.4565 during east-coast business hours.