2024-10-17 23:53:39 +01:00
|
|
|
# Go `xts` SQLite VFS
|
|
|
|
|
|
|
|
|
|
This package wraps an SQLite VFS to offer encryption at rest.
|
|
|
|
|
|
|
|
|
|
The `"xts"` VFS wraps the default SQLite VFS using the
|
|
|
|
|
[AES-XTS](https://pkg.go.dev/golang.org/x/crypto/xts)
|
|
|
|
|
tweakable and length-preserving encryption.\
|
|
|
|
|
In general, any XTS construction can be used to wrap any VFS.
|
|
|
|
|
|
|
|
|
|
The default AES-XTS construction uses AES-128, AES-192, or AES-256
|
|
|
|
|
for its block cipher.
|
2025-09-18 18:40:56 +01:00
|
|
|
Additionally, we use [PBKDF2-HMAC-SHA512](https://pkg.go.dev/crypto/pbkdf2)
|
2024-10-17 23:53:39 +01:00
|
|
|
to derive AES-128 keys from plain text where needed.
|
|
|
|
|
File contents are encrypted in 512 byte sectors, matching the
|
|
|
|
|
[minimum](https://sqlite.org/fileformat.html#pages) SQLite page size.
|
|
|
|
|
|
2025-09-18 18:40:56 +01:00
|
|
|
This VFS uses _only_ NIST and FIPS 140-3 approved cryptographic primitives,
|
2024-10-18 11:59:36 +01:00
|
|
|
which _may_ help you become FIPS compliant.
|
|
|
|
|
|
2024-10-17 23:53:39 +01:00
|
|
|
The VFS encrypts all files _except_
|
|
|
|
|
[super journals](https://sqlite.org/tempfiles.html#super_journal_files):
|
|
|
|
|
these _never_ contain database data, only filenames,
|
|
|
|
|
and padding them to the sector size is problematic.
|
|
|
|
|
Temporary files _are_ encrypted with **random** AES-128 keys,
|
|
|
|
|
as they _may_ contain database data.
|
|
|
|
|
To avoid the overhead of encrypting temporary files,
|
|
|
|
|
keep them in memory:
|
|
|
|
|
|
|
|
|
|
PRAGMA temp_store = memory;
|
|
|
|
|
|
|
|
|
|
> [!IMPORTANT]
|
|
|
|
|
> XTS is a cipher mode typically used for disk encryption.
|
|
|
|
|
> The standard threat model for disk encryption considers an adversary
|
|
|
|
|
> that can read multiple snapshots of a disk.
|
|
|
|
|
> The only security property that disk encryption provides
|
|
|
|
|
> is that all information such an adversary can obtain
|
|
|
|
|
> is whether the data in a sector has or has not changed over time.
|
|
|
|
|
|
|
|
|
|
The encryption offered by this package is fully deterministic.
|
|
|
|
|
|
|
|
|
|
This means that an adversary who can get ahold of multiple snapshots
|
|
|
|
|
(e.g. backups) of a database file can learn precisely:
|
|
|
|
|
which sectors changed, which ones didn't, which got reverted.
|
|
|
|
|
|
2024-10-18 11:59:36 +01:00
|
|
|
This is weaker than other forms of SQLite encryption
|
|
|
|
|
that include *some* nondeterminism.
|
|
|
|
|
With limited nondeterminism, an adversary can't distinguish between
|
|
|
|
|
pages that actually changed, and pages that got reverted;
|
|
|
|
|
a `VACUUM` can fully rebuild the database file,
|
|
|
|
|
preventing this differential analysis.
|
2024-10-17 23:53:39 +01:00
|
|
|
|
|
|
|
|
> [!CAUTION]
|
|
|
|
|
> This package does not claim protect databases against tampering or forgery.
|
|
|
|
|
|
|
|
|
|
The major practical consequence of the above point is that,
|
|
|
|
|
if you're keeping `"xts"` encrypted backups of your database,
|
|
|
|
|
and want to protect against forgery, you should sign your backups,
|
|
|
|
|
and verify signatures before restoring them.
|
|
|
|
|
|
2024-10-18 11:59:36 +01:00
|
|
|
This is weaker than other forms of SQLite encryption
|
2024-10-17 23:53:39 +01:00
|
|
|
that include page-level [MACs](https://en.wikipedia.org/wiki/Message_authentication_code).
|
|
|
|
|
Page-level MACs can protect against forging individual pages,
|
|
|
|
|
but can't prevent them from being reverted to former versions of themselves.
|
|
|
|
|
|
|
|
|
|
> [!TIP]
|
2024-10-18 11:59:36 +01:00
|
|
|
> The [`"adiantum"`](../adiantum/README.md) VFS also offers encryption at rest.
|
2024-10-17 23:53:39 +01:00
|
|
|
> In general Adiantum performs significantly better,
|
|
|
|
|
> and as a "wide-block" cipher, _may_ offer improved security.
|
