absurder-sql 0.1.23

AbsurderSQL - SQLite + IndexedDB that's absurdly better than absurd-sql
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240

# Database Encryption Guide

AbsurderSQL supports optional database encryption using SQLCipher for native applications (not available in WASM/browser mode).

## Overview

When enabled with the `encryption` feature flag, AbsurderSQL provides:
- **AES-256 encryption** for data at rest
- **Key-based access control** - wrong key = no access
- **Re-keying capability** - change encryption keys without re-creating database
- **Zero performance impact** when disabled (optional feature)

## Feature Flag

Add to your `Cargo.toml`:

```toml
[dependencies]
absurder-sql = { version = "0.1", features = ["encryption", "fs_persist"] }
```

Or build with:
```bash
cargo build --features encryption,fs_persist
```

## Usage

### Creating an Encrypted Database

```rust
use absurder_sql::{Database, DatabaseConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let config = DatabaseConfig {
        name: "secure.db".to_string(),
        ..Default::default()
    };
    
    let encryption_key = "your-secure-key-min-8-chars";
    let mut db = Database::new_encrypted(config, encryption_key).await?;
    
    // Use database normally
    db.execute("CREATE TABLE secrets (id INTEGER, data TEXT)").await?;
    db.execute("INSERT INTO secrets VALUES (1, 'confidential')").await?;
    
    Ok(())
}
```

### Changing Encryption Key (Re-keying)

```rust
let new_key = "new-secure-key-min-8-chars";
db.rekey(new_key).await?;

// Old key no longer works
// New key is required to access database
```

### Opening Existing Encrypted Database

```rust
let config = DatabaseConfig {
    name: "secure.db".to_string(),
    ..Default::default()
};

// Must use the correct key
let db = Database::new_encrypted(config, "your-secure-key-min-8-chars").await?;
```

## Key Management Best Practices

### Mobile Applications

#### iOS
Store encryption keys in **iOS Keychain**:
```swift
// Store key securely
let keyData = key.data(using: .utf8)!
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "database_encryption_key",
    kSecValueData as String: keyData
]
SecItemAdd(query as CFDictionary, nil)

// Retrieve key
let searchQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "database_encryption_key",
    kSecReturnData as String: true
]
var result: AnyObject?
SecItemCopyMatching(searchQuery as CFDictionary, &result)
```

#### Android
Store encryption keys in **Android Keystore**:
```kotlin
// Generate or retrieve key
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)

val keyGenerator = KeyGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_AES,
    "AndroidKeyStore"
)
val keyGenSpec = KeyGenParameterSpec.Builder(
    "database_key",
    KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
)
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .build()

keyGenerator.init(keyGenSpec)
val secretKey = keyGenerator.generateKey()
```

### Server/CLI Applications

- Store keys in **environment variables** (not in code)
- Use **secrets management** (HashiCorp Vault, AWS Secrets Manager)
- Implement **key rotation** policies
- Never commit keys to version control

## Security Considerations

### Key Length
- **Minimum**: 8 characters (enforced)
- **Recommended**: 16+ characters
- **Best**: 32+ random characters

### Key Derivation
SQLCipher automatically applies PBKDF2 key derivation:
- 256,000 iterations (SQLCipher 4.x)
- Makes brute-force attacks computationally expensive

### Wrong Key Behavior
Attempting to open an encrypted database with the wrong key will:
1. Either fail immediately with an error, OR
2. Succeed in opening but fail on first query attempt

This is SQLCipher's security-by-design behavior.

## Performance

### Overhead
- **Encryption overhead**: < 10% (typical)
- **Query performance**: Nearly identical to unencrypted
- **File size**: Same as unencrypted database

### Benchmarks
```bash
# Run encryption benchmarks
cargo test --features encryption,fs_persist --test encryption_tests
```

## Platform Support

| Platform | Encryption Support |
|----------|-------------------|
| Native (Rust) | [x] Full support |
| iOS (React Native) | [x] Via FFI (Phase II) |
| Android (React Native) | [x] Via FFI (Phase II) |
| WASM/Browser | [ ] Not supported |

> **Note**: Browser environments cannot use SQLCipher. For browser encryption, use Web Crypto API separately.

## Compliance

SQLCipher encryption helps meet:
- **HIPAA** - Healthcare data protection
- **GDPR** - EU data privacy
- **PCI DSS** - Payment card data security
- **SOC 2** - Security controls

**Important**: Encryption alone doesn't guarantee compliance. Consult with legal/compliance teams.

## Troubleshooting

### Database Locked Error
```
ENCRYPTION_ERROR: Database is locked
```
**Solution**: Ensure no other process has the database open.

### Wrong Key Error
```
ENCRYPTION_ERROR: Failed to set encryption key
```
**Solution**: Verify you're using the correct encryption key.

### File Not Encrypted
```
# Check if database is encrypted (will fail if encrypted)
sqlite3 secure.db "SELECT * FROM sqlite_master"
# Error: file is not a database
```

This confirms the database is properly encrypted.

## Examples

See `/tests/encryption_tests.rs` for comprehensive examples:
- Creating encrypted databases
- Re-keying
- Persistence validation
- Error handling

## FAQ

**Q: Can I convert an unencrypted database to encrypted?**  
A: Not directly. You must export data, create new encrypted database, and re-import.

**Q: Can I use encryption in browser/WASM?**  
A: No. SQLCipher requires native compilation. Use Web Crypto API for browser encryption.

**Q: What happens if I lose the encryption key?**  
A: The data is **permanently inaccessible**. There is no recovery mechanism.

**Q: Can I change the encryption algorithm?**  
A: SQLCipher uses AES-256 by default. This cannot be changed.

**Q: Is the encryption FIPS 140-2 compliant?**  
A: SQLCipher itself can be FIPS-compliant when built with appropriate OpenSSL. Check SQLCipher documentation.

## Related Documentation

- [SQLCipher Official Documentation](https://www.zetetic.net/sqlcipher/)
- [Mobile FFI Integration](./mobile/Design_Documentation_II.md)
- [Security Best Practices](./CODING_STANDARDS.md)

## Version History

- **v0.1.7** - Initial encryption support (native only)
- **v0.2.0** - Mobile FFI support (planned)