On 29 Aug 2011, at 6:19pm, Jonathon wrote: > I am using a sqlite database to store/retrieve sensitive information. > I am currently encrypting the database to secure the actual data,
If you are merely encrypting individual field entries that's not so secure. If you are using a file structure which encrypts the entire database, including structure information, that's good. I would recommend the encryption addon created by the creators of SQLite: http://www.hwaci.com/sw/sqlite/see.html > but > I am still concerned about my actual sql statements. The sql > statements themselves are left in plaintext in memory so if someone > was ambitious enough, they could just attach a debugger to my process > and see the plain strings. If someone can place a breakpoint at the entry point to sqlite3_prepare() then you're pretty-much out of luck. Since you know where the SQL command is in memory you can scramble it after the SQL command has been executed, but there's not much you can do before then. In fact, I think the same is true of all the mass-market SQL engines: there's no real way to protect against someone stepping through your code with a debugger. Even if your OS forbids that, there's no protection against a decompiler and a determined cracker with a couple of weeks spare. Physical possession of the computer always ends any hope of security. > Does sqlite provide any functionality to protect against this? I know > that some databases have encrypted stored procedures. Does sqlite > have something similar? No. SQLite has no embedded language apart from TRIGGERs, and no special measures are taken to wipe trigger text from memory after use. Simon. _______________________________________________ sqlite-users mailing list [email protected] http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
