> On Sep 2, 2019, at 11:41 PM, Vadiraj Villivalam 
> <vadiraj.villiva...@motorolasolutions.com> wrote:
> 
> With open OSes like Android providing a keystore and key-generation
> mechanism, we want to switch to this secure key-generation mechanism and
> avoid generating the key ourselves. As the keystore does not allow the key
> itself to be exported, I would like to know if SQLite has a mechanism
> to leverage the keystore's way of encrypting/decrypting it.

I'm not familiar with Android's keystore, but I know the iOS/macOS Keychain 
quite well.

If the keystore _only_ supports keys that it creates & manages internally and 
won't export, then you can:
1. Create your own key for SQLite, e.g. by generating 32 securely-random bytes.
2. Ask the keystore to create a symmetric key.
3. Ask the keystore to use its key to encrypt the SQLite key [from step 1].
4. Store the resulting encrypted data somewhere, e.g. in a file.

To recover the SQLite key on the next launch:
1. Read the encrypted data [from step 4 above].
2. Ask the keystore to decrypt it using its managed key.
3. Use the resulting key to open the SQLite database.

But check the docs to see if there's a keystore API that lets you simply store 
a key you've generated yourself. If not, it probably has an API for storing 
passwords; you can then just base64-encode the key and store that as though it 
were a password. That's simpler than going through the above steps.

—Jens
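As an added example (not code from the thread or from SQLite), here are Jens's wrap/unwrap steps written against the Android Keystore API: the keystore-managed key only ever encrypts and decrypts the 32-byte SQLite key, which is the one that reaches SQLite. The alias "sqlite-kek", the file layout (one length byte, then IV, then ciphertext) and the class name are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class SqliteKeyWrapper {
    private static final String KEK_ALIAS = "sqlite-kek"; // assumed alias for the managed key

    // Step 2: create the keystore-managed wrapping key (KEK) once; it is never exportable.
    private static SecretKey kek() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (!ks.containsAlias(KEK_ALIAS)) {
            KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
            kg.init(new KeyGenParameterSpec.Builder(KEK_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .setKeySize(256).build());
            kg.generateKey();
        }
        return (SecretKey) ks.getKey(KEK_ALIAS, null);
    }

    // Steps 1, 3, 4: generate the SQLite key, wrap it under the KEK, persist ivLen || iv || ciphertext.
    public static byte[] createAndStore(File wrappedFile) throws Exception {
        byte[] dbKey = new byte[32];
        new SecureRandom().nextBytes(dbKey);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kek()); // keystore chooses a fresh random IV; read it back
        byte[] iv = c.getIV();
        byte[] wrapped = c.doFinal(dbKey);  // ciphertext with the GCM tag appended
        try (OutputStream out = new FileOutputStream(wrappedFile)) {
            out.write(iv.length); out.write(iv); out.write(wrapped);
        }
        return dbKey;
    }

    // Recovery steps 1-3: read the blob, unwrap with the managed key, return the SQLite key.
    public static byte[] load(File wrappedFile) throws Exception {
        byte[] blob = Files.readAllBytes(wrappedFile.toPath());
        int ivLen = blob[0];
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        byte[] wrapped = Arrays.copyOfRange(blob, 1 + ivLen, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, kek(), new GCMParameterSpec(128, iv));
        return c.doFinal(wrapped); // a tampered blob fails here with AEADBadTagException
    }
}
```

Because the wrapping uses AES-GCM, a modified or swapped blob is rejected on unwrap rather than yielding a wrong key that silently fails to open the database.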
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users