I want to encrypt an SQLite database. What is the longest effective text string I can use for the encryption key? Is it just a matter of computing characters available in 128-bits? (or 256-bits)? - assuming AES 128 or 256.
It probably doesn’t matter what length key you provide… that value is not stored anywhere… ever.
What is stored is the encrypted value… which is one-way and most likely an internally determined length
Deep in the archives and/or Real Studio lore is some mention of AES-128. A FR to add this to documentation would save everyone who has to consider this a little bit of time. For some high level background on security implications of AES-128 v. AES-256, I really like this article:
http://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
Customer service confirmed that for me
Thanks for the feedback. My reason for asking is I want to generate a string that I will use for the database.encrypt method, and I don’t know where to draw the line on string length. In other words are the following strings all equivalent if used for the encrypt method?
qwertyuiop, or
qwertyuiopasdfghjkl, or
qwertyuiopasdfghjklzxcvbnm
Doubtful that you could find two strings that generate the same encryption key…
Mark,
The other bit of lore not in the docs is that the encryption scheme is the one offered commercially by the developer of SQLite. I’d assume they pass through text keys to the pragma described here:
http://www.hwaci.com/sw/sqlite/see.html
Looking at HWACI’s licensing approach and considering what we get with Xojo’s SQLiteDatabase, it’s not entirely clear how those mesh up in a way that makes encryption available to us. I’ve always assumed they have some private agreement or understanding. And that could be why this is all lore rather than extensively documented. I don’t think anyone outside of Xojo really knows :-).
HTH.
Yes - I saw exactly the same thing, and did also assume there was a licensing deal with Xojo for the extension.
Thanks all for the feedback.
FYI: This confirms the source of encryption engine.
https://forum.xojo.com/4567-encrypted-sqlite-database
[quote=31915:@Mark Pastor]I want to encrypt an SQLite database. What is the longest effective text string I can use for the encryption key? Is it just a matter of computing characters available in 128-bits? (or 256-bits)? - assuming AES 128 or 256.
[/quote]
Xojo uses SQLite SEE extension’s AES-128 encryption. So, the key length you use is no more or no less than 128 bits or 16 characters. “No more” means that longer strings are truncated and “No less” is that SEE pads the key to full length by multiplying it. For example, if you set “mark” as passphrase, your database is actually encrypted using “markmarkmarkmark” (128 bits). (And consider that a stupi… eh… an average user sets password to “aaaaaaa”. What happens is that any number of letters “a” unlocks the database.)
Therefore, I strongly advise hashing the password with a pinch of salt.
Perfect - thanks!
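The padding and truncation behaviour described in the reply above, modelled in Python together with one salted derivation that avoids it. This is an added example, not code from the thread, Xojo or SEE. `effective_key` and `derive_db_key` are hypothetical names, PBKDF2 is one choice of salted hash, and the model assumes the key is passed as a text string and handled exactly as the reply describes.

```python
import base64
import hashlib
import os

KEY_LEN = 16  # 128 bits / 16 characters, the key size stated in the reply


def effective_key(passphrase: str) -> bytes:
    """Model of the described behaviour (an assumption, not SEE's code):
    a short passphrase is repeated to fill 16 bytes, a long one is cut to 16."""
    raw = passphrase.encode("utf-8")
    if not raw:
        raise ValueError("empty passphrase")
    repeats = -(-KEY_LEN // len(raw))  # ceiling division
    return (raw * repeats)[:KEY_LEN]


def derive_db_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> str:
    """Salted, stretched key that is exactly 16 characters long.
    12 bytes of PBKDF2 output base64-encode to 16 ASCII characters with no
    '=' padding, so nothing is truncated and nothing is filled by repetition.
    Trade-off: the string carries at most 96 bits, not the full 128."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=12
    )
    return base64.b64encode(dk).decode("ascii")


if __name__ == "__main__":
    # Constructed samples: the reply's examples plus the three strings from the question.
    samples = ["mark", "aaa", "aaaaaaa", "qwertyuiop",
               "qwertyuiopasdfghjkl", "qwertyuiopasdfghjklzxcvbnm"]
    for p in samples:
        print(f"{p!r:30} -> {effective_key(p)!r}")
    salt = os.urandom(16)  # random per database; stored beside it, not secret
    for p in ["aaa", "aaaaaaa"]:
        print(f"{p!r:30} -> {derive_db_key(p, salt)!r}")
```

Under this model the 19- and 26-character strings from the question map to the same 16 bytes, while the derived keys for "aaa" and "aaaaaaa" differ.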