> On Sep 2, 2019, at 11:41 PM, Vadiraj Villivalam
> <vadiraj.villiva...@motorolasolutions.com> wrote:
>
> With the open os like android providing keystore and key generation
> mechanism, we want to switch to this secure key generation mechanism and
> avoid generating key ourselves. As the key store does not allow the key
> itself to be exported out, I would like to know if sqlite has a mechanism
> to leverage the key store way of en/decrypting it

I'm not familiar with Android's keystore, but I know the iOS/macOS Keychain quite well.

If the keystore _only_ supports keys that it creates & manages internally and won't export, then you can:

1. Create your own key for SQLite, e.g. by generating 32 securely-random bytes.
2. Ask the keystore to create a symmetric key.
3. Ask the keystore to use its key to encrypt the SQLite key [from step 1].
4. Store the resulting encrypted data somewhere, e.g. in a file.

To recover the SQLite key on the next launch:

1. Read the encrypted data [from step 4 above].
2. Ask the keystore to decrypt it using its managed key.
3. Use the resulting key to open the SQLite database.

But check the docs to see if there's a keystore API that lets you simply store a key you've generated yourself. If not, it probably has an API for storing passwords; you can then just base64-encode the key and store that as though it were a password. That's simpler than going through the above steps.

—Jens