FIPS 140-2 validated cryptography is required for organizations operating in regulated environments:
SQLCipher Enterprise Edition offers optional support for FIPS 140-2 validated encryption, available upon request. FIPS 140-2 compliance is a somewhat complex and nuanced topic; this page provides additional background and clarification.
FIPS 140-2 is the U.S. government standard ensuring cryptographic modules meet stringent security levels for data encryption. Our validation was granted by the Cryptographic Module Validation Program (CMVP), operated jointly by the United States National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) under certificates:
A common point of confusion when evaluating database encryption solutions is the distinction between software that uses FIPS-approved algorithms and software that incorporates a FIPS-validated cryptographic module. This is an important technical and compliance distinction.
FIPS-approved algorithms are the specific cryptographic algorithms (such as AES-256, SHA-256, and HMAC-SHA-256) that have been approved by NIST as meeting federal standards. Many software products, including all versions of SQLCipher and several other "encrypted SQLite" solutions, use these FIPS-approved algorithms in their implementations. However, using FIPS-approved algorithms alone does not constitute FIPS validation.
FIPS validation, by contrast, refers to a cryptographic module (a complete software or hardware component) that has undergone rigorous testing and formal validation by an accredited laboratory under the Cryptographic Module Validation Program (CMVP). This process verifies not only that the correct algorithms are used, but also that the entire cryptographic implementation meets stringent security requirements. These requirements include proper key management, secure random number generation, Power On Self Tests (POST) that verify module integrity and functionality at runtime before use, and adherence to strict operational procedures.
SQLCipher Enterprise FIPS is the only SQLite-compatible database encryption solution we are aware of that integrates a FIPS-validated cryptographic module. This validation provides organizations operating in regulated environments with the assurance that their encryption solution has been independently verified to meet federal security standards, not simply that it uses approved algorithms.
SQLCipher Enterprise FIPS is the first widely adopted database encryption tool to offer a SQLite-compatible API with a FIPS-validated cryptographic module. SQLCipher has a decade-long history of supporting FIPS 140-2 validation and FedRAMP requirements for numerous U.S. federal and state agencies, the Department of Defense, and customers in regulated utilities, finance, and healthcare industries. These certificates and the corresponding cryptographic module in SQLCipher Enterprise FIPS underscore our commitment to meeting the highest security standards for our customers.
In order to meet the needs of customers that require a FIPS 140-2 validated solution, we offer special SQLCipher Enterprise packages that are linked against a specific cryptographic provider that includes a cryptographic module that has undergone the FIPS 140-2 validation process.
If your application is already using SQLCipher then integration is typically very easy. The API is virtually identical to standard SQLCipher. There are only two simple calls for the FIPS mode check and license code. As part of the SQLCipher Enterprise program, licensing customers receive:
Beyond FIPS 140-2 compliance and full-database AES-256 encryption, SQLCipher Enterprise FIPS offers value-level encryption, encrypted virtual tables, performance counters, and optimization statistics. This ensures unparalleled security and performance, keeping application data secure and accessible only to authorized users.
By using this special SQLCipher package, an application can enable and verify the FIPS status of SQLCipher at runtime. As long as SQLCipher is the only security library in use, an application can make an attestation about the validation status that will satisfy organizations with FIPS 140-2 requirements, such as the following:
My App™ uses an embedded FIPS 140-2-validated cryptographic module running on 32 and 64 bit Windows Operating System platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines.
For the avoidance of doubt, the cryptographic provider referred to above is a software library included with SQLCipher, not a separate hardware component.
SQLCipher's encryption calls would only be considered FIPS 140-2 validated if you are using the special SQLCipher FIPS builds. Standard SQLCipher builds do not use a FIPS 140-2 validated cryptographic module, regardless of any external operating system settings. For instance, on Windows the local / group policy setting for FIPS has no effect on SQLCipher because it is not using the Windows cryptography extensions. Thus, even with FIPS policy settings enabled at the operating system level, an application using SQLCipher for encryption would still need to use the special SQLCipher FIPS packages to meet FIPS 140-2 guidelines.
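A fail-closed startup gate for the runtime verification described above, as an added example that is not code from this page or from the SQLCipher project. It assumes a Python DB-API connection; the PRAGMA names (`cipher_version`, `cipher_provider`, `cipher_provider_version`, `cipher_fips_status`) come from SQLCipher's public API rather than from this page, and the expected value `1` for FIPS mode is an assumption to confirm against your package's documentation.

```python
import sqlite3

# PRAGMA names below come from SQLCipher's public API, not from this page.
PRAGMAS = ("cipher_version", "cipher_provider",
           "cipher_provider_version", "cipher_fips_status")


class FipsCheckError(RuntimeError):
    """Raised when the connection cannot prove it is running in FIPS mode."""


def fips_report(conn):
    """Collect crypto-provider facts from an open (already keyed) connection.

    Stock SQLite silently ignores unknown PRAGMAs and returns no row, so a
    missing value is recorded as None rather than treated as success.
    """
    report = {}
    for name in PRAGMAS:
        row = conn.execute(f"PRAGMA {name}").fetchone()
        report[name] = None if row is None else str(row[0])
    return report


def require_fips(conn):
    """Fail closed unless the library itself reports FIPS mode.

    Assumption: a FIPS build reports cipher_fips_status as "1".
    OS-level FIPS policy is deliberately not consulted.
    """
    report = fips_report(conn)
    if report["cipher_version"] is None:
        raise FipsCheckError("not a SQLCipher build: no cipher_version")
    if report["cipher_fips_status"] != "1":
        raise FipsCheckError(
            "FIPS mode not active (cipher_fips_status=%r, provider=%r)"
            % (report["cipher_fips_status"], report["cipher_provider"]))
    return report  # log this alongside the attestation evidence


if __name__ == "__main__":
    # Constructed demo: Python's bundled sqlite3 is plain SQLite, so the
    # gate must refuse to start.
    try:
        require_fips(sqlite3.connect(":memory:"))
    except FipsCheckError as exc:
        print("startup blocked:", exc)
```

Call `require_fips` once per process after the database has been keyed, and treat an exception as a hard startup failure rather than a warning.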
Still have questions? Please reach out to us and we'll get back to you soon.