sqleet: ChaCha20-Poly1305
This cipher was introduced for SQLite database encryption by the project sqleet in 2017.
The Internet Engineering Task Force (IETF) officially standardized the cipher algorithm ChaCha20 and the message authentication code Poly1305 in RFC 7905 for Transport Layer Security (TLS).
For wxSQLite3 this cipher has been the default since version 4.0.0, and it continues to be the default for SQLite3 Multiple Ciphers, too.
The encryption key is derived from the passphrase using a random salt (stored in the first 16 bytes of the database file) and the standardized PBKDF2 algorithm with a SHA256 hash function.
One-time keys per database page are derived from the encryption key, the page number, and a 16-byte nonce. Additionally, a 16-byte Poly1305 authentication tag is calculated per database page. Therefore this cipher requires 32 reserved bytes per database page.
The following table lists all parameters related to this cipher that can be set before activating database encryption.
Parameter | Default | sqleet | Min | Max | Description |
---|---|---|---|---|---|
kdf_iter | 64007 | 12345 | 1 | | Number of iterations for the key derivation function |
legacy | 0 | 1 | 0 | 1 | Boolean flag whether the legacy mode should be used |
legacy_page_size | 4096 | 4096 | 0 | 65536 | Page size to use in legacy mode, 0 = default SQLite page size |
Note
- It is not recommended to use legacy mode for encrypting new databases. It is supported for compatibility reasons only, so that databases that were encrypted in legacy mode can be accessed.
- Only page size values corresponding to a power of 2 (i.e. 0, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536) are allowed.
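As an added example (not code from sqleet or SQLite3 Multiple Ciphers), the following Python reads the salt from the first 16 bytes of a database file, derives the encryption key with PBKDF2-HMAC-SHA256 using the kdf_iter values from the table, validates legacy_page_size against the power-of-two rule, and splits a page into its body and the 32 reserved bytes. The 32-byte key length and the nonce-then-tag order inside the reserved area are assumptions; the per-page one-time key derivation itself is not reproduced.

```python
import hashlib

SALT_LEN = 16                    # salt lives in the first 16 bytes of the database file
NONCE_LEN = 16                   # 16-byte per-page nonce
TAG_LEN = 16                     # 16-byte Poly1305 tag
RESERVED = NONCE_LEN + TAG_LEN   # 32 reserved bytes at the end of each page
KEY_LEN = 32                     # assumption: ChaCha20 key size
DEFAULT_KDF_ITER = 64007         # default kdf_iter
SQLEET_KDF_ITER = 12345          # sqleet-compatible (legacy) kdf_iter
ALLOWED_PAGE_SIZES = (0, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536)


def read_salt(db_file_bytes: bytes) -> bytes:
    """Extract the random salt from the first 16 bytes of an encrypted database file."""
    if len(db_file_bytes) < SALT_LEN:
        raise ValueError("file too short to contain a salt")
    return db_file_bytes[:SALT_LEN]


def derive_key(passphrase: bytes, salt: bytes, kdf_iter: int = DEFAULT_KDF_ITER) -> bytes:
    """PBKDF2-HMAC-SHA256(passphrase, salt, kdf_iter) -> encryption key."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 16 bytes")
    if kdf_iter < 1:             # Min for kdf_iter is 1
        raise ValueError("kdf_iter must be >= 1")
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, kdf_iter, dklen=KEY_LEN)


def legacy_page_size_ok(page_size: int) -> bool:
    """legacy_page_size must be 0 (SQLite default) or a power of two from 512 to 65536."""
    return page_size in ALLOWED_PAGE_SIZES


def split_page(page: bytes) -> tuple:
    """Split an encrypted page into (encrypted body, nonce, tag).

    SQLite keeps reserved bytes at the end of every page; the nonce-then-tag
    order inside those 32 bytes is an assumption made for illustration.
    """
    if len(page) not in ALLOWED_PAGE_SIZES[1:]:
        raise ValueError("page length is not a valid SQLite page size")
    body, reserved = page[:-RESERVED], page[-RESERVED:]
    return body, reserved[:NONCE_LEN], reserved[NONCE_LEN:]


if __name__ == "__main__":
    # Constructed sample: a fake 4096-byte first page whose first 16 bytes act as the salt.
    sample_db = bytes(range(16)) + b"\xaa" * (4096 - 16)
    print(derive_key(b"correct horse", read_salt(sample_db)).hex())
    print([len(part) for part in split_page(sample_db)])
```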