Repository files navigation

SQLCipher is a standalone fork of theSQLite database library that adds 256 bit AES encryption of database files and other security features like:

• on-the-fly encryption
• tamper detection
• memory sanitization
• strong key derivation

SQLCipher is based on SQLite and stable upstream release features are periodically integrated. While SQLCipher is maintained as a separate version of the source tree, the project minimizes alterations to core SQLite code whenever possible.

SQLCipher is maintained by Zetetic, LLC, and additional information and documentation is available on the officialSQLCipher site.

• Fast performance with as little as 5-15% overhead for encryption on many operations
• 100% of data in the database file is encrypted
• Good security practices (CBC mode, HMAC, key derivation)
• Zero-configuration and application level cryptography
• Support for multiple cryptographic providers

SQLCipher maintains database format compatibility within the same major version number so an application on any platform can open databases created by any other application provided the major version of SQLCipher is the same between them. However, major version updates (e.g. from 3.x to 4.x) often include changes to default settings. This means that newer major versions of SQLCipher will not open databases created by older versions without using special settings. For example, SQLCipher 4 introduces many new performance and security enhancements. The new default algorithms, increased KDF iterations, and larger page size mean that SQLCipher 4 will not open databases created by SQLCipher 1.x, 2.x, or 3.x by default. Instead, an application would either need to migrate the older databases to use the new format or enable a special backwards-compatibility mode. The available options are described in SQLCipher'supgrade documentation.

SQLCipher is also compatible with standard SQLite databases. When a key is not provided, SQLCipher will behave just like the standard SQLite library. It is also possible to convert from a plaintext database (standard SQLite) to an encrypted SQLCipher database usingATTACH and the sqlcipher_export() convenience function.

The SQLCipher team welcomes contributions to the core library. All contributions including pull requests and patches should be based on theprerelease branch, and must be accompanied by acontributor agreement. We strongly encouragediscussion of the proposed change prior to development and submission.

Building SQLCipher is similar to compiling a regular version of SQLite from source, with a few small exceptions. You must:

1. defineSQLITE_HAS_CODEC
2. defineSQLITE_TEMP_STORE=2 orSQLITE_TEMP_STORE=3 (or useconfigure's --with-tempstore=yes option)
3. defineSQLITE_EXTRA_INIT=sqlcipher_extra_init andSQLITE_EXTRA_SHUTDOWN=sqlcipher_extra_shutdown
4. defineSQLITE_THREADSAFE to1 or2 (enabled automatically byconfigure)
5. compile and link with a supported cryptographic provider (OpenSSL, LibTomCrypt, CommonCrypto/Security.framework, or NSS)

The following examples demonstrate use of OpenSSL, which is a readily available provider on most Unix-like systems. Note that, in this example,--with-tempstore=yes is settingSQLITE_TEMP_STORE=2 for the build, andSQLITE_THREADSAFE has a default value of1.

$ ./configure --with-tempstore=yes CFLAGS="-DSQLITE_HAS_CODEC -DSQLITE_EXTRA_INIT=sqlcipher_extra_init -DSQLITE_EXTRA_SHUTDOWN=sqlcipher_extra_shutdown" \LDFLAGS="-lcrypto"$ make

The full SQLite test suite will not complete successfully when using SQLCipher. In some cases encryption interferes with low-level tests that require access to database file data or features which are unsupported by SQLCipher. Those tests that are intended to support encryption are intended for non-SQLCipher implementations. In addition, because SQLite tests are not always isolated, if one test fails it can trigger a domino effect with other failures in later steps.

As a result, the SQLCipher package includes it's own independent tests that exercise and verify the core functionality of the SQLCipher extensions. This test suite is intended to provide an abbreviated verification of SQLCipher's internal logic; it does not perform an exhaustive test of the SQLite database system as a whole or verify functionality on specific platforms. Because SQLCipher is based on stable upstream builds of SQLite, it is considered a basic assumption that the core SQLite library code is operating properly (the SQLite core is almost untouched in SQLCipher). Thus, the additional SQLCipher-specific test provide the requisite verification that the library is operating as expected with SQLCipher's security features enabled.

To run SQLCipher specific tests, configure as described here and run the following to execute the tests and receive a report of the results:

$ ./configure --with-tempstore=yes --enable-fts5 CFLAGS="-DSQLITE_HAS_CODEC -DSQLITE_EXTRA_INIT=sqlcipher_extra_init -DSQLITE_EXTRA_SHUTDOWN=sqlcipher_extra_shutdown -DSQLCIPHER_TEST" \LDFLAGS="-lcrypto"$ make testfixture$ ./testfixture test/sqlcipher.test

To specify an encryption passphrase for the database via the SQL interface youuse a PRAGMA. The passphrase you enter is passed through PBKDF2 key derivation toobtain the encryption key for the database

PRAGMA key = 'passphrase';

Alternately, you can specify an exact byte sequence using a blob literal. If youuse this method it is your responsibility to ensure that the data you provide is a64 character hex string, which will be converted directly to 32 bytes (256 bits) ofkey data without key derivation.

PRAGMA key = "x'2DD29CA851E7B56E4697B0E1F08507293D761A05CE4D1B628663F411A8086D99'";

To encrypt a database programmatically you can use thesqlite3_key function.The data provided inpKey is converted to an encryption key according to thesame rules asPRAGMA key.

int sqlite3_key(sqlite3 *db, const void *pKey, int nKey);

PRAGMA key orsqlite3_key should be called as the first operation when a database is open.

To change the encryption passphrase for an existing database you may use the rekey PRAGMAafter you've supplied the correct database password;

PRAGMA key = 'passphrase'; -- start with the existing database passphrasePRAGMA rekey = 'new-passphrase'; -- rekey will reencrypt with the new passphrase

The hex rekey pragma may be used to rekey to a specific binary value

PRAGMA rekey = "x'2DD29CA851E7B56E4697B0E1F08507293D761A05CE4D1B628663F411A8086D99'";

This can be accomplished programmatically by using sqlite3_rekey;

sqlite3_rekey(sqlite3 *db, const void *pKey, int nKey)

The primary source for complete documentation (design, API, platforms, usage) is the SQLCipher website:

https://www.zetetic.net/sqlcipher/documentation

The primary avenue for support and discussions is the SQLCipher discuss site:

https://discuss.zetetic.net/c/sqlcipher

Issues or support questions on using SQLCipher should be entered into theGitHub Issue tracker:

https://github.com/sqlcipher/sqlcipher/issues

Please DO NOT post issues, support questions, or other problems to blogposts about SQLCipher as we do not monitor them frequently.

If you are using SQLCipher in your own software please let us know atsupport@zetetic.net!

Copyright (c) 2025, ZETETIC LLCAll rights reserved.

Redistribution and use in source and binary forms, with or withoutmodification, are permitted provided that the following conditions are met:* Redistributions of source code must retain the above copyrightnotice, this list of conditions and the following disclaimer.* Redistributions in binary form must reproduce the above copyrightnotice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.* Neither the name of the ZETETIC LLC nor thenames of its contributors may be used to endorse or promote productsderived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY ZETETIC LLC ''AS IS'' AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL ZETETIC LLC BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This repository contains the complete source code for theSQLite database engine, includingmany test scripts. However, other test scriptsand most of the documentation are managed separately.

See theon-line documentation for more informationabout what SQLite is and how it works from a user's perspective. ThisREADME file is about the source code that goes into building SQLite,not about how SQLite is used.

SQLite sources are managed usingFossil, a distributed version control systemthat was specifically designed and written to support SQLite development.TheFossil repository contains the urtext.

If you are reading this on GitHub or some other Git repository or service,then you are looking at a mirror. The names of check-ins andother artifacts in a Git mirror are different from the officialnames for those objects. The official names for check-ins arefound in a footer on the check-in comment for authorized mirrors.The official check-in name can also be seen in themanifest.uuid filein the root of the tree. Always use the official name, not theGit-name, when communicating about an SQLite check-in.

If you pulled your SQLite source code from a secondary source and want toverify its integrity, there are hints on how to do that in theVerifying Code Authenticity section below.

The preferred way to ask questions or make comments about SQLite or toreport bugs against SQLite is to visit theSQLite Forum athttps://sqlite.org/forum/.Anonymous postings are permitted.

If you think you have found a bug that has security implications andyou do not want to report it on the public forum, you can send a privateemail to drh at sqlite dot org.

The SQLite source code is in the public domain. Seehttps://sqlite.org/copyright.html for details.

Because SQLite is in the public domain, we do not normally accept pullrequests, because if we did take a pull request, the changes in thatpull request might carry a copyright and the SQLite source code wouldthen no longer be fully in the public domain.

If you do not want to use Fossil, you can download tarballs or ZIParchives orSQLite archives as follows:

• Latest trunk check-in asTarball,ZIP-archive, orSQLite-archive.

• Latest release asTarball,ZIP-archive, orSQLite-archive.

• For other check-ins, substitute an appropriate branch name ortag or hash prefix in place of "release" in the URLs of the previousbullet. Or browse thetimelineto locate the check-in desired, click on its information page link,then click on the "Tarball" or "ZIP Archive" links on the informationpage.

To access sources directly usingFossil,first install Fossil version 2.0 or later.Source tarballs and precompiled binaries available athttps://fossil-scm.org/home/uv/download.html. Fossil isa stand-alone program. To install, simply download or build the singleexecutable file and put that file someplace on your $PATH.Then run commands like this:

    mkdir -p ~/sqlite    cd ~/sqlite    fossil open https://sqlite.org/src

The "fossil open" command will take two or three minutes. Afterwards,you can do fast, bandwidth-efficient updates to the whatever versionsof SQLite you like. Some examples:

    fossil update trunk             ;# latest trunk check-in    fossil update release           ;# latest official release    fossil update trunk:2024-01-01  ;# First trunk check-in after 2024-01-01    fossil update version-3.39.0    ;# Version 3.39.0

Or type "fossil ui" to get a web-based user interface.

First create a directory in which to placethe build products. It is recommended, but not required, that thebuild directory be separate from the source directory. Cd into thebuild directory and then from the build directory run the configurescript found at the root of the source tree. Then run "make".

For example:

    apt install gcc make tcl-dev  ;#  Make sure you have all the necessary build tools    tar xzf sqlite.tar.gz         ;#  Unpack the source tree into "sqlite"    mkdir bld                     ;#  Build will occur in a sibling directory    cd bld                        ;#  Change to the build directory    ../sqlite/configure           ;#  Run the configure script    make sqlite3                  ;#  Builds the "sqlite3" command-line tool    make sqlite3.c                ;#  Build the "amalgamation" source file    make sqldiff                  ;#  Builds the "sqldiff" command-line tool    # Makefile targets below this point require tcl-dev    make tclextension-install     ;#  Build and install the SQLite TCL extension    make devtest                  ;#  Run development tests    make releasetest              ;#  Run full release tests    make sqlite3_analyzer         ;#  Builds the "sqlite3_analyzer" tool

See the makefile for additional targets. For debugging builds, thecore developers typically run "configure" with options like this:

    ../sqlite/configure --enable-all --enable-debug CFLAGS='-O0 -g'

For release builds, the core developers usually do:

    ../sqlite/configure --enable-all

Almost all makefile targets require a "tclsh" TCL interpreter version 8.6 orlater. The "tclextension-install" target and the test targets that followall require TCL development libraries too. ("apt install tcl-dev"). It ishelpful, but is not required, to install the SQLite TCL extension (the"tclextension-install" target) prior to running tests. The "releasetest"target has additional requiremenst, such as "valgrind".

On "make" command-lines, one can add "OPTIONS=..." to specify additionalcompile-time options over and above those set by ./configure. For example,to compile with the SQLITE_OMIT_DEPRECATED compile-time option, one could say:

    ./configure --enable-all    make OPTIONS=-DSQLITE_OMIT_DEPRECATED sqlite3

The configure script uses autoconf 2.61 and libtool. If the configurescript does not work out for you, there is a generic makefile named"Makefile.linux-gcc" in the top directory of the source tree that youcan copy and edit to suit your needs. Comments on the generic makefileshow what changes are needed.

On Windows, everything can be compiled with MSVC.You will also need a working installation of TCL.See thecompile-for-windows.md document foradditional information about how to install MSVC and TCL and configure yourbuild environment.

If you want to run tests, you need to let SQLite know the location of yourTCL library, using a command like this:

    set TCLDIR=c:\Tcl

SQLite uses "tclsh.exe" as part of the build process, and so thatprogram will need to be somewhere on your %PATH%. SQLite itselfdoes not contain any TCL code, but it does use TCL to help with thebuild process and to run tests. You may need to install TCL developmentlibraries in order to successfully complete some makefile targets.It is helpful, but is not required, to install the SQLite TCL extension(the "tclextension-install" target) prior to running tests.

Build using Makefile.msc. Example:

    nmake /f Makefile.msc sqlite3.exe    nmake /f Makefile.msc sqlite3.c    nmake /f Makefile.msc sqldiff.exe    # Makefile targets below this point require TCL development libraries    nmake /f Makefile.msc tclextension-install    nmake /f Makefile.msc devtest    nmake /f Makefile.msc releasetest    nmake /f Makefile.msc sqlite3_analyzer.exe

There are many other makefile targets. See comments in Makefile.msc fordetails.

As with the unix Makefile, the OPTIONS=... argument can be passed on the nmakecommand-line to enable new compile-time options. For example:

    nmake /f Makefile.msc OPTIONS=-DSQLITE_OMIT_DEPRECATED sqlite3.exe

• src/ - This directory contains the primary source code for theSQLite core. For historical reasons, C-code used for testing isalso found here. Source files intended for testing begin with "test".Thetclsqlite3.c andtclsqlite3.h files are the TCL interfacefor SQLite and are also not part of the core.

• test/ - This directory and its subdirectories contains code usedfor testing. Files that end in ".test" are TCL scripts that runtests using an augmented TCL interpreter named "testfixture". Usea command like "make testfixture" (unix) or"nmake /f Makefile.msc testfixture.exe" (windows) to build thataugmented TCL interpreter, then run individual tests using commands like"testfixture test/main.test". This test/ subdirectory also containsadditional C code modules and scripts for other kinds of testing.

• tool/ - This directory contains programs and scripts used tobuild some of the machine-generated code that goes into the SQLitecore, as well as to build and run tests and perform diagnostics.The source code tothe Lemon parser generator isfound here. There are also TCL scripts used to build and/or transformsource code files. For example, the tool/mksqlite3h.tcl script readsthe src/sqlite.h.in file and uses it as a template to constructthe deliverable "sqlite3.h" file that defines the SQLite interface.

• ext/ - Various extensions to SQLite are found under thisdirectory. For example, the FTS5 subsystem is in "ext/fts5/".Some of these extensions (ex: FTS3/4, FTS5, RTREE) might get builtinto the SQLite amalgamation, but not all of them. The"ext/misc/" subdirectory contains an assortment of one-file extensions,many of which are omitted from the SQLite core, but which are includedin theSQLite CLI.

• doc/ - Some documentation files about SQLite internals are foundhere. Note, however, that the primary documentation designed forapplication developers and users of SQLite is in a completely separaterepository. Note also that the primary API documentation is derivedfrom specially constructed comments in the src/sqlite.h.in file.

Several of the C-language source files used by SQLite are generated fromother sources rather than being typed in manually by a programmer. Thissection will summarize those automatically-generated files. To create allof the automatically-generated files, simply run "make target_source".The "target_source" make target will create a subdirectory "tsrc/" andfill it with all the source files needed to build SQLite, bothmanually-edited files and automatically-generated files.

The SQLite interface is defined by thesqlite3.h header file, which isgenerated from src/sqlite.h.in, ./manifest.uuid, and ./VERSION. TheTcl script at tool/mksqlite3h.tcl does the conversion.The manifest.uuid file contains the SHA3 hash of the particular check-inand is used to generate the SQLITE_SOURCE_ID macro. The VERSION filecontains the current SQLite version number. The sqlite3.h header is reallyjust a copy of src/sqlite.h.in with the source-id and version number insertedat just the right spots. Note that comment text in the sqlite3.h file isused to generate much of the SQLite API documentation. The Tcl scriptsused to generate that documentation are in a separate source repository.

The SQL language parser isparse.c which is generated from a grammar inthe src/parse.y file. The conversion of "parse.y" into "parse.c" is doneby thelemon LALR(1) parser generator. The source codefor lemon is at tool/lemon.c. Lemon uses the tool/lempar.c file as atemplate for generating its parser.Lemon also generates theparse.h header file, at the same time itgenerates parse.c.

Theopcodes.h header file contains macros that define the numberscorresponding to opcodes in the "VDBE" virtual machine. The opcodes.hfile is generated by scanning the src/vdbe.c source file. TheTcl script at ./mkopcodeh.tcl does this scan and generates opcodes.h.A second Tcl script, ./mkopcodec.tcl, then scans opcodes.h to generatetheopcodes.c source file, which contains a reverse mapping fromopcode-number to opcode-name that is used for EXPLAIN output.

Thekeywordhash.h header file contains the definition of a hash tablethat maps SQL language keywords (ex: "CREATE", "SELECT", "INDEX", etc.) intothe numeric codes used by the parse.c parser. The keywordhash.h file isgenerated by a C-language program at tool mkkeywordhash.c.

Thepragma.h header file contains various definitions used to parseand implement the PRAGMA statements. The header is generated by ascripttool/mkpragmatab.tcl. If you want to add a new PRAGMA, editthetool/mkpragmatab.tcl file to insert the information needed by theparser for your new PRAGMA, then run the script to regenerate thepragma.h header file.

All of the individual C source code and header files (both manually-editedand automatically-generated) can be combined into a single big source filesqlite3.c called "the amalgamation". The amalgamation is the recommendedway of using SQLite in a larger application. Combining all individualsource code files into a single big source code file allows the C compilerto perform more cross-procedure analysis and generate better code. SQLiteruns about 5% faster when compiled from the amalgamation versus when compiledfrom individual source files.

The amalgamation is generated from the tool/mksqlite3c.tcl Tcl script.First, all of the individual source files must be gathered into the tsrc/subdirectory (using the equivalent of "make target_source") then thetool/mksqlite3c.tcl script is run to copy them all together in just theright order while resolving internal "#include" references.

The amalgamation source file is more than 200K lines long. Some symbolicdebuggers (most notably MSVC) are unable to deal with files longer than 64Klines. To work around this, a separate Tcl script, tool/split-sqlite3c.tcl,can be run on the amalgamation to break it up into a single small C filecalledsqlite3-all.c that does #include on about seven other filesnamedsqlite3-1.c,sqlite3-2.c, ...,sqlite3-7.c. In this way,all of the source code is contained within a single translation unit sothat the compiler can do extra cross-procedure optimization, but noindividual source file exceeds 32K lines in length.

SQLite is modular in design.See thearchitectural descriptionfor details. Other documents that are useful inhelping to understand how SQLite works include thefile format description,thevirtual machine that runsprepared statements, the description ofhow transactions work, andtheoverview of the query planner.

Decades of effort have gone into optimizing SQLite, bothfor small size and high performance. And optimizations tend to result incomplex code. So there is a lot of complexity in the current SQLiteimplementation. It will not be the easiest library in the world to hack.

• sqlite.h.in - This file defines the public interface to the SQLitelibrary. Readers will need to be familiar with this interface beforetrying to understand how the library works internally. This file isreally a template that is transformed into the "sqlite3.h" deliverableusing a script invoked by the makefile.

• sqliteInt.h - this header file defines many of the data objectsused internally by SQLite. In addition to "sqliteInt.h", somesubsystems inside of sQLite have their own header files. These internalinterfaces are not for use by applications. They can and do changefrom one release of SQLite to the next.

• parse.y - This file describes the LALR(1) grammar that SQLite usesto parse SQL statements, and the actions that are taken at each stepin the parsing process. The file is processed by theLemon Parser Generator to produce the actual C codeused for parsing.

• vdbe.c - This file implements the virtual machine that runsprepared statements. There are various helper files whose namesbegin with "vdbe". The VDBE has access to the vdbeInt.h header filewhich defines internal data objects. The rest of SQLite interactswith the VDBE through an interface defined by vdbe.h.

• where.c - This file (together with its helper files namedby "where*.c") analyzes the WHERE clause and generatesvirtual machine code to run queries efficiently. This file issometimes called the "query optimizer". It has its own privateheader file, whereInt.h, that defines data objects used internally.

• btree.c - This file contains the implementation of the B-Treestorage engine used by SQLite. The interface to the rest of the systemis defined by "btree.h". The "btreeInt.h" header defines objectsused internally by btree.c and not published to the rest of the system.

• pager.c - This file contains the "pager" implementation, themodule that implements transactions. The "pager.h" header filedefines the interface between pager.c and the rest of the system.

• os_unix.c andos_win.c - These two files implement the interfacebetween SQLite and the underlying operating system using the run-timepluggable VFS interface.

• shell.c.in - This file is not part of the core SQLite library. Thisis the file that, when linked against sqlite3.a, generates the"sqlite3.exe" command-line shell. The "shell.c.in" file is transformedinto "shell.c" as part of the build process.

• tclsqlite.c - This file implements the Tcl bindings for SQLite. Itis not part of the core SQLite library. But as most of the tests in thisrepository are written in Tcl, the Tcl language bindings are important.

• test*.c - Files in the src/ folder that begin with "test" go intobuilding the "testfixture.exe" program. The testfixture.exe program isan enhanced Tcl shell. The testfixture.exe program runs scripts in thetest/ folder to validate the core SQLite code. The testfixture program(and some other test programs too) is built and run when you type"make test".

• VERSION,manifest, andmanifest.uuid - These files definethe current SQLite version number. The "VERSION" file is human generated,but the "manifest" and "manifest.uuid" files are automatically generatedby theFossil version control system.

There are many other source files. Each has a succinct header comment thatdescribes its purpose and role within the larger system.

Themanifest file at the root directory of the source treecontains either a SHA3-256 hash or a SHA1 hashfor every source file in the repository.The name of the version of the entire source tree is just theSHA3-256 hash of themanifest file itself, possibly with thelast line of that file omitted if the last line begins with"# Remove this line".Themanifest.uuid file should contain the SHA3-256 hash of themanifest file. If all of the above hash comparisons are correct, thenyou can be confident that your source tree is authentic and unadulterated.Details on the format for themanifest files are availableon the Fossil website.

The process of checking source code authenticity is automated by themakefile:

make verify-source

Or on windows:

nmake /f Makefile.msc verify-source

Using the makefile to verify source integrity is good for detectingaccidental changes to the source tree, but malicious changes could behidden by also modifying the makefiles.

The main SQLite website ishttps://sqlite.org/with geographically distributed backups athttps://www2.sqlite.org/ andhttps://www3.sqlite.org/.

Contact the SQLite developers through theSQLite Forum. In an emergency, youcan send private email to the lead developer at drh at sqlite dot org.