The SQLite architecture provides hooks for working with encrypted databases: encryption and decryption are applied to the database file at the moment its read/write operations are executed. This is low-level encryption "on the fly", implemented inside the SQLite client library and completely transparent to the applications that work with the database.
However, the client libraries available on the official SQLite website do not implement any database file encryption algorithm. To work with encrypted databases one therefore usually has to either use a custom-built client library with encryption support, or build such a library from the source code available on the SQLite website.
UniDAC provides built-in Database File Encryption, which is available when working in Direct mode. The Database File Encryption built into UniDAC allows you to:
To encrypt/decrypt the database file, one of the following encryption algorithms can be used:
Important note: there is no standardized specification for database file encryption in SQLite. The Database File Encryption implementation in UniDAC is therefore incompatible with other implementations: with UniDAC you can only work with encrypted databases that were created with UniDAC, and no third-party application will be able to open an encrypted database created with UniDAC.
Data Encryption, implemented by the TUniEncryptor component, encrypts individual fields in database tables; the database file itself is not encrypted. On the one hand, everything in such a database except the encrypted fields remains readable by any SQLite DB tool. On the other hand, such a database is simpler to handle when its data structures have to be modified.
Database File Encryption encrypts the whole data file. Both the schema and the data of such a database become unreadable by any third-party application. The clear advantage is the stronger confidentiality of the stored information. The disadvantage is that, to make any change to the database structure, developers have to use UniDAC only.
Database File Encryption and Data Encryption are not mutually exclusive and can be used at the same time.
To control database encryption in UniDAC, the following properties and methods of the TUniConnection component are used:
The following example shows how to encrypt an existing database. The key '11111' used in these examples is a placeholder; in production, use a strong passphrase and do not hard-code it in the source:
UniConnection.Database := 'C:\sqlite.db3'; // the name of the database to be encrypted
UniConnection.SpecificOptions.Values['ForceCreateDatabase'] := 'False'; // to check that the database exists
UniConnection.SpecificOptions.Values['Direct'] := 'True'; // database file encryption is supported in the Direct mode only
UniConnection.SpecificOptions.Values['EncryptionAlgorithm'] := 'leBlowfish'; // the database will be encrypted with the Blowfish encryption algorithm
UniConnection.SpecificOptions.Values['EncryptionKey'] := ''; // no encryption key specified, because the database is not encrypted yet
UniConnection.Open; // connect to the database
TLiteUtils.EncryptDatabase(UniConnection, '11111'); // encrypt the database using the "11111" encryption key
The following example shows creating a new encrypted database:
UniConnection.Database := 'C:\sqlite_encoded.db3'; // the name of the database to be created
UniConnection.SpecificOptions.Values['ForceCreateDatabase'] := 'True'; // this will allow to create the new database
UniConnection.SpecificOptions.Values['Direct'] := 'True'; // database file encryption is supported in the Direct mode only
UniConnection.SpecificOptions.Values['EncryptionAlgorithm'] := 'leBlowfish'; // the database will be encrypted with the Blowfish encryption algorithm
UniConnection.SpecificOptions.Values['EncryptionKey'] := '11111'; // the encryption key for the database
UniConnection.Open; // create and connect to the database
To connect to an existing encrypted database, the following should be performed:
UniConnection.Database := 'C:\sqlite_encoded.db3'; // the name of the database to connect to
UniConnection.SpecificOptions.Values['ForceCreateDatabase'] := 'False'; // to check that the database exists
UniConnection.SpecificOptions.Values['Direct'] := 'True'; // database file encryption is supported in the Direct mode only
UniConnection.SpecificOptions.Values['EncryptionAlgorithm'] := 'leBlowfish'; // the encryption algorithm of the database
UniConnection.SpecificOptions.Values['EncryptionKey'] := '11111'; // the encryption key for the database
UniConnection.Open; // connect to the database
To change the encryption key in the encrypted database, you must perform the following:
UniConnection.Database := 'C:\sqlite_encoded.db3'; // the name of the database to connect to
UniConnection.SpecificOptions.Values['ForceCreateDatabase'] := 'False'; // to check that the database exists
UniConnection.SpecificOptions.Values['Direct'] := 'True'; // database file encryption is supported in the Direct mode only
UniConnection.SpecificOptions.Values['EncryptionAlgorithm'] := 'leBlowfish'; // the encryption algorithm of the database
UniConnection.SpecificOptions.Values['EncryptionKey'] := '11111'; // the encryption key for the database
UniConnection.Open; // connect to the database
TLiteUtils.EncryptDatabase(UniConnection, '22222'); // change the database encryption key to '22222'
After the key has been changed, the database connection remains open and work with the database can continue. However, the connection still holds the old key in its EncryptionKey specific option, so if you disconnect, the new key must be assigned to UniConnection.SpecificOptions.Values['EncryptionKey'] before the next connect; otherwise the reconnect fails.
An encrypted database can be decrypted, after which it becomes available for viewing and editing in third-party applications. To decrypt the database, first connect to it as shown in the examples above, and then call TLiteUtils.EncryptDatabase(UniConnection, ''), passing an empty string as the new key. After decryption, clear the EncryptionKey specific option in the same way before reconnecting.
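The connect, key-rotation and decrypt steps above gathered into reusable routines, as an added example; this is not code from the UniDAC documentation or from the product itself. It assumes the Uni, UniProvider, LiteUniProvider and SysUtils units, the 'SQLite' provider name, a TUniQuery for the verification query, and that TUniConnection.Open raises an exception when the file is missing or the key does not decrypt it. The database path and the environment variable names are placeholders; only the specific options and TLiteUtils.EncryptDatabase come from the page.

```pascal
program KeyRotationDemo;

{$APPTYPE CONSOLE}

uses
  SysUtils, Uni, UniProvider, LiteUniProvider; // unit names are assumed

// Connect to an encrypted SQLite database in Direct mode with the given key.
// An empty Key opens a plain (unencrypted) database.
procedure OpenEncrypted(Conn: TUniConnection; const DbFile, Key: string);
begin
  Conn.Close;
  Conn.ProviderName := 'SQLite';                                      // assumed provider name
  Conn.Database := DbFile;
  Conn.SpecificOptions.Values['ForceCreateDatabase'] := 'False';      // fail if the file is missing
  Conn.SpecificOptions.Values['Direct'] := 'True';                    // file encryption needs Direct mode
  Conn.SpecificOptions.Values['EncryptionAlgorithm'] := 'leBlowfish';
  Conn.SpecificOptions.Values['EncryptionKey'] := Key;
  Conn.Open; // assumed to raise if the file is missing or the key is wrong
end;

// Read the schema table; with a wrong key this fails, with the right key it
// returns the number of schema objects. Used to prove a key really works.
function CountSchemaObjects(Conn: TUniConnection): Integer;
var
  Q: TUniQuery;
begin
  Q := TUniQuery.Create(nil);
  try
    Q.Connection := Conn;
    Q.SQL.Text := 'SELECT count(*) AS n FROM sqlite_master';
    Q.Open;
    Result := Q.FieldByName('n').AsInteger;
  finally
    Q.Free;
  end;
end;

// Rotate the file key and verify that the new key opens the file.
procedure RotateKey(Conn: TUniConnection; const DbFile, OldKey, NewKey: string);
begin
  OpenEncrypted(Conn, DbFile, OldKey);
  TLiteUtils.EncryptDatabase(Conn, NewKey);   // re-encrypts; the open session stays valid
  // The connection still carries OldKey in its specific options. Update it
  // right away, before any code path closes and reopens the connection.
  Conn.SpecificOptions.Values['EncryptionKey'] := NewKey;
  Conn.Close;
  OpenEncrypted(Conn, DbFile, NewKey);        // reconnect with the new key ...
  WriteLn('schema objects after rotation: ', CountSchemaObjects(Conn)); // ... and touch the file
end;

// Remove the file encryption so third-party tools can read the database.
procedure DecryptForExport(Conn: TUniConnection; const DbFile, Key: string);
begin
  OpenEncrypted(Conn, DbFile, Key);
  TLiteUtils.EncryptDatabase(Conn, '');       // empty key = no encryption
  Conn.SpecificOptions.Values['EncryptionKey'] := '';
  Conn.Close;
  OpenEncrypted(Conn, DbFile, '');            // verify it now opens without a key
  WriteLn('schema objects after decryption: ', CountSchemaObjects(Conn));
end;

var
  Conn: TUniConnection;
begin
  Conn := TUniConnection.Create(nil);
  try
    // Keys come from the environment (placeholder variable names), not from source.
    RotateKey(Conn, 'C:\sqlite_encoded.db3',
      GetEnvironmentVariable('SQLITE_OLD_KEY'), GetEnvironmentVariable('SQLITE_NEW_KEY'));
    // Uncomment to strip the encryption before handing the file to another tool:
    // DecryptForExport(Conn, 'C:\sqlite_encoded.db3', GetEnvironmentVariable('SQLITE_NEW_KEY'));
  finally
    Conn.Free;
  end;
end.
```

The reconnect inside RotateKey is the point of the routine: the call to TLiteUtils.EncryptDatabase succeeds whether or not the specific option is updated, so a stale EncryptionKey only surfaces later, at the next Open. Verifying the new key immediately, while the old one is still known, is the moment at which a mistake is still recoverable.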