Skip to content
Shiny.NET
Blog
Client v5: BLE, BLE Hosting, HTTP, Jobs - Linux, MacOS, & Blazor Support! Full AOT, RX on BLE only & MANY other features! Check It Out

SQLCipher (Encrypted SQLite)

The Shiny.DocumentDb.Sqlite.SqlCipher package provides an encrypted SQLite provider using SQLCipher. It shares all query generation, expression translation, and LINQ support with the standard SQLite provider — the only differences are the native bundle and encryption-aware backup/rekey support.

NuGet package Shiny.DocumentDb.Sqlite.SqlCipher

Setup

Section titled “Setup”

  1. Install the package

    Terminal window
    dotnet add package Shiny.DocumentDb.Sqlite.SqlCipher

    This replaces Shiny.DocumentDb.Sqlite — do not install both. The SqlCipher package references Microsoft.Data.Sqlite.Core (without the default unencrypted bundle) and adds SQLitePCLRaw.bundle_e_sqlcipher for the SQLCipher native library.

    For vector search on encrypted databases, also add Shiny.DocumentDb.Sqlite.VectorSupport and call SqliteVec.RegisterAutoExtension() at startup — it registers vec0 against the active e_sqlcipher engine — then set VectorExtensionPreloaded = true on your SqlCipherDatabaseProvider. See Vector search.

  2. Register with dependency injection

    using Shiny.DocumentDb;
    using Shiny.DocumentDb.Sqlite.SqlCipher;
    

    services.AddDocumentStore(opts =>
    {
        opts.DatabaseProvider = new SqlCipherDatabaseProvider("mydata.db", "mySecretKey");
    });

    Or instantiate directly:

    // Quick setup
    var store = new SqlCipherDocumentStore("mydata.db", "mySecretKey");
    

    // Full options
    var store = new SqlCipherDocumentStore(new DocumentStoreOptions
    {
        DatabaseProvider = new SqlCipherDatabaseProvider("mydata.db", "mySecretKey")
    });

The constructor takes a file path and password as separate parameters so requirements are explicit. All other DocumentStoreOptions (table mapping, AOT, logging, etc.) work identically to the standard SQLite provider.

Rekeying

Section titled “Rekeying”

Change the encryption key of an existing database using the RekeyAsync extension method on IDocumentStore. This issues PRAGMA rekey with SQL injection protection via SQLite’s quote() function.

using Shiny.DocumentDb.Sqlite.SqlCipher;


await store.RekeyAsync("newPassword");

RekeyAsync throws InvalidOperationException if the store is not using SqlCipherDatabaseProvider.

Backup

Section titled “Backup”

Backup works the same as the standard SQLite provider. The encryption password is automatically propagated to the backup database — the backup file will be encrypted with the same key.

await store.Backup("/path/to/backup.db");

Differences from Shiny.DocumentDb.Sqlite

Section titled “Differences from Shiny.DocumentDb.Sqlite”
Shiny.DocumentDb.SqliteShiny.DocumentDb.Sqlite.SqlCipher
Native bundlebundle_e_sqlite3 (via Microsoft.Data.Sqlite)bundle_e_sqlcipher (via SQLitePCLRaw.bundle_e_sqlcipher)
EncryptionNot supportedAES-256 via SQLCipher
ConstructorConnection stringFile path + password
BackupUnencrypted destinationPassword propagated to destination
RekeyN/Astore.RekeyAsync("newPassword")
Query/LINQFull supportIdentical — inherits from SqliteDatabaseProvider
Package sizeSmaller (no encryption native libs)Larger (includes SQLCipher native binaries)

When to use which

Section titled “When to use which”
  • Use Shiny.DocumentDb.Sqlite when encryption is not needed — smaller package, simpler setup.
  • Use Shiny.DocumentDb.Sqlite.SqlCipher when the database file must be encrypted at rest (mobile apps with sensitive data, HIPAA/PCI compliance, etc.).