sqlite: see: encryption

sqlite: see: encryption

Vadiraj Villivalam
Hi,

Our client software uses sqlite for persistence and the db is currently
encrypted by passing an app-generated key to SEE.
With an open OS like Android providing a keystore and key generation
mechanism, we want to switch to this secure key generation mechanism and
avoid generating the key ourselves. As the key store does not allow the key
itself to be exported out, I would like to know if sqlite has a mechanism
to leverage the key store way of en/decrypting it (could be with a callback
implemented by the app that interfaces with the Android keystore)? Any insight will
help. Thanks.

Regards,
Vadiraj

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: sqlite: see: encryption

Simon Slavin-3
On 3 Sep 2019, at 7:41am, Vadiraj Villivalam <[hidden email]> wrote:

> As the key store does not allow the key
> itself to be exported out, I would like to know if sqlite has a mechanism to leverage the key store way of en/decrypting it (could be with a callback implemented by app that interfaces with Android keystore)? Any insight will help.

Can you write code in C/C++ to retrieve the key from the key store? If so, you can provide the key to SQLite by creating your own SQLite function which does that.

<https://sqlite.org/c3ref/create_function.html>

In your case, the function can ignore any arguments. Or perhaps you could pass the key for your encryption hash.

I've found it difficult to find examples of this on the web.  Perhaps if you tell us your programming language someone else can find one.  Or perhaps this will do:

<https://stackoverflow.com/questions/7867099/how-can-i-create-a-user-defined-function-in-sqlite#8283265>

Re: sqlite: see: encryption

Kees Nuyt
In reply to this post by Vadiraj Villivalam
On Tue, 3 Sep 2019 12:11:32 +0530, Vadiraj Villivalam wrote:

> Hi,
>
> Our client software uses sqlite for persistence and db is currently
> encrypted by passing a app generated key to SEE.
> With the open os like android providing keystore and key generation
> mechanism, we want to switch to this secure key generation mechanism and
> avoid generating  key ourselves. As the key store does not allow the key
> itself to be exported out, I would like to know if sqlite has a mechanism
> to leverage the key store way of en/decrypting it (could be with a callback
> implemented by app that interfaces with Android keystore)? Any insight will
> help. Thanks.

This article may be of help. It also talks about limitations,
e.g. "The Keystore itself is encrypted using the user’s own
lockscreen pin/password, hence, when the device screen is locked
the Keystore is unavailable. Keep this in mind if you have a
background service that could need to access your application
secrets."

<https://www.androidauthority.com/use-android-keystore-store-passwords-sensitive-information-623779/>

It is the first hit in a search on "android keystore api
tutorial".

Hope this helps.

--
Regards,
Kees Nuyt


Re: sqlite: see: encryption

Jens Alfke-2
In reply to this post by Vadiraj Villivalam


> On Sep 2, 2019, at 11:41 PM, Vadiraj Villivalam <[hidden email]> wrote:
>
> With the open os like android providing keystore and key generation
> mechanism, we want to switch to this secure key generation mechanism and
> avoid generating  key ourselves. As the key store does not allow the key
> itself to be exported out, I would like to know if sqlite has a mechanism
> to leverage the key store way of en/decrypting it

I'm not familiar with Android's keystore, but I know the iOS/macOS Keychain quite well.

If the keystore _only_ supports keys that it creates & manages internally and won't export, then you can:
1. Create your own key for SQLite, e.g. by generating 32 securely-random bytes.
2. Ask the keystore to create a symmetric key.
3. Ask the keystore to use its key to encrypt the SQLite key [from step 1].
4. Store the resulting encrypted data somewhere, e.g. in a file.

To recover the SQLite key on the next launch:
1. Read the encrypted data [from step 4 above]
2. Ask the keystore to decrypt it using its managed key.
3. Use the resulting key to open the SQLite database.

But check the docs to see if there's a keystore API that lets you simply store a key you've generated yourself. If not, it probably has an API for storing passwords; you can then just base64-encode the key and store that as though it were a password. That's simpler than going through the above steps.

—Jens
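
The wrap and unwrap steps listed in the reply above, as an added example that is not part of the original thread: it assumes Android API 23+ and the platform's `AndroidKeyStore` provider. The alias and class name are hypothetical, and storing the returned blob and handing the recovered key to SEE are left to the app.

```java
// Added example: wrap a locally generated SQLite key with a non-exportable
// AES key held in the Android Keystore (assumes API 23+).
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class DbKeyWrapper {
    private static final String ALIAS = "sqlite_db_wrapping_key"; // hypothetical alias
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Step 2: fetch or create the keystore-managed key; its bytes never leave the keystore.
    private static SecretKey wrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Steps 1 and 3: generate 32 random bytes and encrypt them with the keystore key.
    // Returns IV || ciphertext+tag, the blob to persist in step 4.
    public static byte[] createWrappedDbKey() throws Exception {
        byte[] dbKey = new byte[32];
        new SecureRandom().nextBytes(dbKey);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, wrappingKey()); // the keystore chooses the IV
        byte[] ct = c.doFinal(dbKey);
        Arrays.fill(dbKey, (byte) 0); // drop the plaintext copy; unwrap when needed
        return ByteBuffer.allocate(IV_LEN + ct.length).put(c.getIV()).put(ct).array();
    }

    // Next launch: decrypt the stored blob to recover the SQLite key.
    // Throws if the blob was altered or the keystore key was replaced.
    public static byte[] unwrapDbKey(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, wrappingKey(),
                new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
}
```

The recovered key exists in app memory only while the database is being opened; zero the array after passing it on.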