Encryption is an experimental feature and is not production ready. Do not use it for critical data.
Turso supports encryption at rest for database files. When enabled, the database file is encrypted using the specified cipher and key. The encryption feature must be explicitly enabled with a command-line flag.
Enabling encryption
Pass the --experimental-encryption flag when opening a database:
tursodb --experimental-encryption database.db
Generating a key
Generate a secure 32-byte key encoded as a hex string:
openssl rand -hex 32
Example output:
2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d
Store this key securely. If you lose it, the database cannot be recovered.
Setting the cipher and key
After opening a new database with --experimental-encryption, set the cipher and key using PRAGMA statements before any other operations:
PRAGMA cipher = 'aegis256';
PRAGMA hexkey = '2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d';
Supported ciphers
| Cipher | Description |
|---|---|
| aegis256 | AEGIS-256 authenticated encryption. Recommended for new databases. |
| aes256gcm | AES-256-GCM authenticated encryption. |
Alternatively, you can provide the encryption parameters directly in the database URI when opening it. This is also the required format for reopening an already-encrypted database.
tursodb --experimental-encryption \
"file:database.db?cipher=aegis256&hexkey=2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d"
To reopen an already-encrypted database, you must use the URI format with cipher and hexkey as URI parameters. Opening the file by path alone without these parameters will fail.
Example: creating and reopening an encrypted database
Generate a key
openssl rand -hex 32
# 2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d
Create the encrypted database
tursodb --experimental-encryption database.db
Then in the SQL shell:
PRAGMA cipher = 'aegis256';
PRAGMA hexkey = '2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d';
CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
INSERT INTO secrets VALUES (1, 'top secret');
Reopen the encrypted database
Use the URI format with cipher and hexkey parameters:
tursodb --experimental-encryption \
"file:database.db?cipher=aegis256&hexkey=2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d"
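The key-generation and reopen steps above can be wrapped in a small POSIX shell helper that checks the key is really 32 bytes of hex and the cipher is one of the two supported names before the URI is built, so a typo in the key fails loudly instead of producing a database that cannot be reopened. This is an added example, not part of Turso's tooling or docs; it assumes `tursodb` is on `PATH` only for the final `open_encrypted_db` call, and falls back to `/dev/urandom` when `openssl` is absent.

```shell
#!/bin/sh
# Helper functions for Turso encrypted databases (added example; not Turso's own code).
# Assumptions: tursodb on PATH when open_encrypted_db is called; openssl or /dev/urandom available.

# Generate a 32-byte key as 64 lowercase hex characters.
gen_hexkey() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
  fi
}

# Succeed only if the argument is exactly 64 hex characters (32 bytes).
validate_hexkey() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Succeed only for the ciphers the documentation lists.
validate_cipher() {
  case "$1" in
    aegis256|aes256gcm) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the URI required to reopen an encrypted database.
# $1 = database path, $2 = cipher, $3 = hex key. Fails on a bad cipher or key.
build_uri() {
  validate_cipher "$2" || return 1
  validate_hexkey "$3" || return 1
  printf 'file:%s?cipher=%s&hexkey=%s' "$1" "$2" "$3"
}

# Reopen an encrypted database through tursodb using the URI form.
open_encrypted_db() {
  uri=$(build_uri "$1" "$2" "$3") || { echo "invalid cipher or key" >&2; return 1; }
  tursodb --experimental-encryption "$uri"
}

# Typical flow (key generation only; the tursodb call is left to the caller):
#   KEY=$(gen_hexkey) && build_uri database.db aegis256 "$KEY"
```

Because the URI form places the key in a command-line argument, it is visible in shell history and in process listings on most systems; keep the key in a secrets store and prefer reading it from a protected file or environment variable in scripts rather than typing it into an interactive shell.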