SQLCipher Enterprise FIPS 140-2 Support

SQLCipher Enterprise Edition offers optional support for FIPS 140-2 validated encryption, available upon request. FIPS 140-2 compliance is a somewhat complex and nuanced topic; in this article we provide some additional background and clarification.

SQLCipher Architecture

In order to provide some context, it's useful to understand a bit about the architecture of SQLCipher. SQLCipher is linked into an application (in the case of .NET applications, this linking occurs at run time via DLL). SQLCipher exposes a set of functions that are used by the application to manipulate a secure database. When data would either be written to permanent storage or read from permanent storage, SQLCipher invokes cryptographic routines to encrypt or decrypt the data respectively. In order to do this, SQLCipher is linked with a cryptographic provider, a software library that contains implementations of requisite cryptographic primitives, e.g. AES, SHA1, HMAC-SHA1, PBKDF2, etc. Examples of cryptographic providers that SQLCipher may use include OpenSSL, CommonCrypto, and LibTomCrypt.

What We Provide

In order to meet the needs of customers that require a FIPS 140-2 validated solution, we offer special SQLCipher Enterprise packages that are linked against a specific cryptographic provider that includes a cryptographic module that has undergone the FIPS 140-2 validation process. This OpenSSL FIPS library includes a FIPS 140-2 validated component called the FIPS canister which is specially compiled and linked. When enabled it provides runtime verification of the software process in order to meet validation requirements.

What It Means For Your App

By using this special SQLCipher package an application can enable and verify the FIPS status of SQLCipher at runtime. As long as SQLCipher is the only security library in use, an application can make an attestation about the validation status which will satisfy organizations with FIPS 140-2 requirements, for example like the following:

Awesome App™ uses an embedded FIPS 140-2-validated cryptographic module running on 32 and 64 bit Windows Operating System platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines.

For the avoidance of doubt, the cryptographic provider referred to above is a software library included with SQLCipher, not a separate hardware component.

What Is Validated

SQLCipher's encryption calls would only be considered FIPS 140-2 validated if you are using the special SQLCipher FIPS builds. Standard SQLCipher builds do not use a FIPS 140-2 validated cryptographic module, regardless of any external operating system settings. For instance, on Windows the local / group policy setting for FIPS has no affect on SQLCipher because it is not using the Windows cryptography extensions. Thus, even with FIPS policy settings enabled at the operating system level, an application using SQLCipher for encryption would still need to use the special SQLCipher FIPS packages to meet FIPS 140-2 guidelines.

Still have questions? Please reach out to us and we'll get back to you soon.