Skip to content
Shiny.NET
Blog

SQLCipher (Encrypted SQLite)

The Shiny.DocumentDb.Sqlite.SqlCipher package provides an encrypted SQLite provider using SQLCipher. It shares all query generation, expression translation, and LINQ support with the standard SQLite provider — the only differences are the native bundle and encryption-aware backup/rekey support.

NuGet package Shiny.DocumentDb.Sqlite.SqlCipher

Setup

Section titled “Setup”

  1. Install the package

    Terminal window
    dotnet add package Shiny.DocumentDb.Sqlite.SqlCipher

    This replaces Shiny.DocumentDb.Sqlite — do not install both. The SqlCipher package references Microsoft.Data.Sqlite.Core (without the default unencrypted bundle) and adds SQLitePCLRaw.bundle_e_sqlcipher for the SQLCipher native library.

  2. Register with dependency injection

    using Shiny.DocumentDb.Sqlite.SqlCipher;
    

    services.AddSqlCipherDocumentStore("mydata.db", "mySecretKey");
    

    // or with full options
    services.AddSqlCipherDocumentStore(opts =>
    {
        opts.DatabaseProvider = new SqlCipherDatabaseProvider("mydata.db", "mySecretKey");
        opts.TypeNameResolution = TypeNameResolution.FullName;
        opts.JsonSerializerOptions = new JsonSerializerOptions
        {
            PropertyNamingPolicy = JsonNamingPolicy.CamelCase
        };
    });

    Or instantiate directly:

    // Quick setup
    var store = new SqlCipherDocumentStore("mydata.db", "mySecretKey");
    

    // Full options
    var store = new SqlCipherDocumentStore(new DocumentStoreOptions
    {
        DatabaseProvider = new SqlCipherDatabaseProvider("mydata.db", "mySecretKey")
    });

The constructor takes a file path and password as separate parameters so requirements are explicit. All other DocumentStoreOptions (table mapping, AOT, logging, etc.) work identically to the standard SQLite provider.

Rekeying

Section titled “Rekeying”

Change the encryption key of an existing database using the RekeyAsync extension method on IDocumentStore. This issues PRAGMA rekey with SQL injection protection via SQLite’s quote() function.

using Shiny.DocumentDb.Sqlite.SqlCipher;


await store.RekeyAsync("newPassword");

RekeyAsync throws InvalidOperationException if the store is not using SqlCipherDatabaseProvider.

Backup

Section titled “Backup”

Backup works the same as the standard SQLite provider. The encryption password is automatically propagated to the backup database — the backup file will be encrypted with the same key.

await store.Backup("/path/to/backup.db");

Differences from Shiny.DocumentDb.Sqlite

Section titled “Differences from Shiny.DocumentDb.Sqlite”
Shiny.DocumentDb.SqliteShiny.DocumentDb.Sqlite.SqlCipher
Native bundlebundle_e_sqlite3 (via Microsoft.Data.Sqlite)bundle_e_sqlcipher (via SQLitePCLRaw.bundle_e_sqlcipher)
EncryptionNot supportedAES-256 via SQLCipher
ConstructorConnection stringFile path + password
BackupUnencrypted destinationPassword propagated to destination
RekeyN/Astore.RekeyAsync("newPassword")
Query/LINQFull supportIdentical — inherits from SqliteDatabaseProvider
Package sizeSmaller (no encryption native libs)Larger (includes SQLCipher native binaries)

When to use which

Section titled “When to use which”
  • Use Shiny.DocumentDb.Sqlite when encryption is not needed — smaller package, simpler setup.
  • Use Shiny.DocumentDb.Sqlite.SqlCipher when the database file must be encrypted at rest (mobile apps with sensitive data, HIPAA/PCI compliance, etc.).