SQLite encryption at-rest is a hotly requested feature of both the “default” CGo driver [1] and the transpiled alternative driver [2]. So, this is a feature I wanted to bring to my own Wasm-based Go driver/bindings [3].
Open-source SQLite encryption extensions have had a troubled last few years. For whatever reason, in 2020 the (undocumented) feature that made it easy to offer page-level encryption was removed [4]. Some solutions are stuck with SQLite 3.31.1, but Ulrich Telle stepped up with a VFS approach [5].
Still, their solution seemed harder than something I'd want to maintain, as it requires understanding the structure of what's being written to disk at the VFS layer. So, I looked at full disk encryption for something with less of an impedance mismatch.
Specifically, I'm using the Adiantum tweakable and length-preserving encryption (with 4K blocks, matching the default SQLite page size), and encrypting whole files (rather than page content).
I'm not a cryptographer, so I'd really appreciate some roasting before release.
There is nothing very Go-specific about this (apart from the implementation), so if there are no obvious flaws, it may make sense to port it to C/Rust/etc. and make it a loadable extension.
[1] https://github.com/mattn/go-sqlite3/pull/1109
[2] https://gitlab.com/cznic/sqlite/-/issues/105
[3] https://github.com/ncruces/go-sqlite3/issues/55
[4] https://github.com/sqlite/sqlite/commit/b48c0d59
[5] https://github.com/utelle/SQLite3MultipleCiphers
Comments URL: https://news.ycombinator.com/item?id=40208800
https://github.com/ncruces/go-sqlite3/tree/main/vfs/adiantum
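
The whole-file, 4K-block layout described in the post, as an added example that is not part of the original post and is not the project's code. Assumptions: the tweak is the block index within the file, and `cryptBlock` is a constructed stand-in (a 4-round Feistel network keyed through HMAC-SHA256) that only mimics the tweakable, length-preserving interface of Adiantum; the names `prf`, `cryptBlock` and `cryptFile` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockSize = 4096 // one cipher block per default-size SQLite page

// prf stretches HMAC-SHA256(key, round || counter || tweak || in) to len(in) bytes.
func prf(key []byte, round byte, tweak uint64, in []byte) []byte {
	out := make([]byte, 0, len(in)+sha256.Size)
	for ctr := byte(0); len(out) < len(in); ctr++ {
		m := hmac.New(sha256.New, key)
		m.Write(binary.LittleEndian.AppendUint64([]byte{round, ctr}, tweak))
		m.Write(in)
		out = m.Sum(out)
	}
	return out[:len(in)]
}

// cryptBlock: 4-round Feistel over one block, in place. STAND-IN for Adiantum (assumption).
func cryptBlock(key []byte, tweak uint64, blk []byte, decrypt bool) {
	half := [2][]byte{blk[:blockSize/2], blk[blockSize/2:]}
	for i := 0; i < 4; i++ {
		r := i
		if decrypt {
			r = 3 - i // undo the rounds in reverse order
		}
		dst, src := half[r%2], half[1-r%2]
		for j, b := range prf(key, byte(r), tweak, src) {
			dst[j] ^= b
		}
	}
}

// cryptFile transforms a whole file image; tweak = block index (assumption).
func cryptFile(key, file []byte, decrypt bool) {
	for off := 0; off+blockSize <= len(file); off += blockSize {
		cryptBlock(key, uint64(off/blockSize), file[off:off+blockSize], decrypt)
	}
}
func main() {
	file := bytes.Repeat([]byte("constructed page"), 2*blockSize/16) // two identical pages
	cryptFile([]byte("demo key"), file, false)
	fmt.Println(len(file), bytes.Equal(file[:blockSize], file[blockSize:])) // 8192 false
}
```

Because the ciphertext is exactly as long as the plaintext, there is no room for a per-block authentication tag, so this layout provides confidentiality but does not by itself detect modified blocks.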