RFC: Managing passphrases of encrypted databases with GRDB+SQLCipher

Hello Swift Community,

This message is a Request For Comment about a change in the way the SQLite toolkit GRDB handles passphrases of databases encrypted with SQLCipher.

Before this change ships, I prefer to ask you, the users, if it fits your existing and future applications that use encrypted databases.

The goal of the change is to make GRDB more secure. Passphrases used to be kept in memory for the whole duration of a connection to a database. I am not a security expert, but it wasn't difficult to convince me that this wasn't a good security practice.

To make the library more secure, two APIs become deprecated:

// Opening an encrypted database
var config = Configuration()
config.passphrase = "secret" // Deprecated
let dbQueue = try DatabaseQueue(path: dbPath, configuration: config)

// Changing the passphrase of an encrypted database
try dbQueue.change(passphrase: "newSecret") // Deprecated

Those deprecated APIs will remain supported until GRDB 5, but you will get a warning if you keep on using them.

The replacement APIs are documented in the rewritten Encryption chapter.
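For readers who want a concrete picture of what the replacement pattern looks like, here is an added example, not code from this post or from the GRDB repository. It assumes the replacement APIs as they appear in the GRDB 4.4 Encryption chapter from memory (a `prepareDatabase` hook on `Configuration`, `Database.usePassphrase(_:)`, `Database.changePassphrase(_:)`, `barrierWriteWithoutTransaction`, and `invalidateReadOnlyConnections()`); treat those names as assumptions and check them against the actual guide. The `loadPassphrase()` helper and the `PassphraseStore` type are hypothetical stand-ins for whatever secure storage (Keychain, Secure Enclave, user prompt) your application uses.

```swift
import Foundation
import GRDB // assumed: GRDB 4.4 built with the SQLCipher integration

/// Hypothetical secure-storage facade. In a real app this would read the
/// passphrase from the Keychain or prompt the user; here it is a constructed
/// value so the example is self-contained.
enum PassphraseStore {
    static func loadPassphrase() throws -> String {
        return "secret" // constructed sample value, not a real credential
    }
}

/// Opens an encrypted database without retaining the passphrase in the
/// Configuration object. The passphrase is fetched on demand, each time a
/// connection is prepared, and goes out of scope as soon as the hook returns.
func openEncryptedDatabase(at dbPath: String) throws -> DatabaseQueue {
    var config = Configuration()
    // Assumed API: the hook runs once per connection, before any query.
    config.prepareDatabase = { db in
        let passphrase = try PassphraseStore.loadPassphrase()
        try db.usePassphrase(passphrase) // assumed replacement for Configuration.passphrase
    }
    return try DatabaseQueue(path: dbPath, configuration: config)
}

/// Changes the passphrase of an already-open database.
/// The barrier write guarantees no other connection is using the old key
/// while the change happens; invalidating reader connections makes sure
/// pools do not keep connections that were keyed with the old passphrase.
func rotatePassphrase(of dbQueue: DatabaseQueue, to newPassphrase: String) throws {
    try dbQueue.barrierWriteWithoutTransaction { db in
        try db.changePassphrase(newPassphrase) // assumed replacement for change(passphrase:)
        dbQueue.invalidateReadOnlyConnections()
    }
    // The application remains responsible for updating its secure store so
    // that the next call to loadPassphrase() returns newPassphrase; that is
    // one of the edge cases the post leaves to the reader.
}

// Usage (paths are constructed for illustration):
let dbPath = NSTemporaryDirectory() + "example.sqlite"
let dbQueue = try openEncryptedDatabase(at: dbPath)
try dbQueue.write { db in
    try db.execute(sql: "CREATE TABLE IF NOT EXISTS note (id INTEGER PRIMARY KEY, body TEXT)")
}
try rotatePassphrase(of: dbQueue, to: "newSecret")
```

The design point is the one the post makes: the passphrase is no longer a stored property that lives as long as the connection, but a value produced inside a closure and discarded when that closure returns. The closure approach also makes the rotation edge case visible: if the secure store is not updated in the same step as `changePassphrase`, a later connection will be keyed with the old passphrase and fail to open.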

Would you please take a look at this updated guide, and report any question or concern you may have?

Several edge scenarios have to be handled at the application level. No sample code has been provided, because there is no one-size-fits-all solution. Those edge cases, left as an exercise to the reader, are mentioned in the "Changing the passphrase of an encrypted database" and "Security considerations" paragraphs. Your scrutiny will be dearly welcomed here.

If you need some context or rationale for the new APIs, you may refer to:

  • The initial pull request that has revealed the need for a change: #599.

  • The pull request that contains the change: #602.

Thank you very much in advance,
Gwendal Roué

Thanks to the users who chimed in and helped vet the new APIs: you can update GRDB to version 4.4.0!