SQLite support for Encrypted DBs(SQLCipher)

[guliashvili]

I'd love to be able to access SQL tables, encrypted by the SQLCipher via Velociraptor. It could be as optional argument addition of key to the existing SQLlight plugin, or creating the new one.

Happy to work on the feature myself. But before I invest too much time in it, was wondering, if there are any general concerns that I should consider or push back on landing such a feature on main brunch, from the core developers.

Thank you

[scudette]

It would be a nice addition - the issue is more about how to pass key material to the plugin. For other plugins we sometimes pass key material in the environment or in secrets or in parameters. I dont know much about SQLCipher but does it use the same key for all the rows in the same file or does it have more fine grained control?

The other issue is that we need to make sure the sqlite bindings are built hermetically (i.e. without linking external libraries) so this means compile the C code directly in the build process. I am not sure how you can enable that extension in practice.

[guliashvili]

Hi,

As far as I know usually key will be available on the machine locally, one key for the whole DB.

Would it be possible to use VQL to extract key and pass it to sqlite plugin? Wondering if something like that is already done in the user friendly manner.

Yeap I understand why Velociraptor would need the hermetic build, I can look into it. By the way is SQLCipher license https://github.com/sqlcipher/sqlcipher/blob/master/LICENSE.md acceptable for the Velociraptor?

[scudette]

It's hard to know, it doesn't look very well maintained and we use the regular sqlite bindings which are very often maintained.

Probably replacing the more common bindings will be less ideal. Maybe it's best to write another plugin in parallel.

What are some encrypted databases we will gain access to with this change? What's the benefit?