SQLCipher Enterprise Edition offers optional support for FIPS 140-2 validated encryption, available upon request. FIPS 140-2 compliance is a somewhat complex and nuanced topic; in this article we provide some additional background and clarification.
FIPS 140-2 is the U.S. government standard ensuring cryptographic modules meet stringent security levels for data encryption. Our validation was granted by the Cryptographic Module Validation Program (CMVP), operated jointly by the United States National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) under certificates:
SQLCipher Enterprise FIPS is the first widely adopted database encryption tool to offer a SQLite-compatible API with a FIPS validated cryptographic module. SQLCipher has a decade-long history of supporting FIPS 140-2 validation and FedRAMP requirements for numerous U.S. federal and state agencies, the Department of Defense, and customers in regulated utilities, finance, and healthcare industries. These certificates, and the corresponding cryptographic module used in SQLCipher Enterprise FIPS, underscore our commitment to meeting the highest security standards for our customers.
In order to meet the needs of customers that require a FIPS 140-2 validated solution, we offer special SQLCipher Enterprise packages that are linked against a specific cryptographic provider that includes a cryptographic module that has undergone the FIPS 140-2 validation process.
If your application is already using SQLCipher then integration is typically very easy. The API is virtually identical to standard SQLCipher; there are only two additional calls, one to check FIPS mode and one to set the license code. As part of the SQLCipher Enterprise program, licensing customers receive:
Beyond FIPS 140-2 compliance and full-database AES-256 encryption, SQLCipher Enterprise FIPS offers value-level encryption, encrypted virtual tables, performance counters, and optimization statistics. This ensures unparalleled security and performance, keeping application data secure and accessible only to authorized users.
By using this special SQLCipher package an application can enable and verify the FIPS status of SQLCipher at runtime. As long as SQLCipher is the only security library in use, an application can make an attestation about its validation status that will satisfy organizations with FIPS 140-2 requirements, for example:
My App™ uses an embedded FIPS 140-2-validated cryptographic module running on 32 and 64 bit Windows Operating System platforms per FIPS 140-2 Implementation Guidance section G.5 guidelines.
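The runtime check described above, as an added example that is not SQLCipher's own code: the application confirms it is actually linked against SQLCipher, applies the license code, queries the FIPS status, and refuses to proceed unless the module reports FIPS mode. The PRAGMA names (`cipher_version`, `cipher_license`, `cipher_fips_status`) are the ones I understand SQLCipher Enterprise FIPS documents; confirm them against your package's documentation. The standard-library `sqlite3` module stands in for the connection object here, so on a machine without the FIPS build the check correctly fails closed (unknown PRAGMAs return no rows in SQLite); a real deployment would open the connection through a binding linked against the SQLCipher Enterprise FIPS library. The license code is a caller-supplied placeholder.

```python
import sqlite3
from typing import Optional

# Added example, not SQLCipher's own code. PRAGMA names are assumed from the
# SQLCipher Enterprise documentation; verify them for your package. The stdlib
# sqlite3 module is only a stand-in connection: it has no cipher_* PRAGMAs, so
# every query below returns no rows and the check reports "not FIPS".


def _scalar(conn: sqlite3.Connection, sql: str) -> Optional[str]:
    """First column of the first row, or None when the statement yields no rows.

    SQLite silently ignores PRAGMAs it does not know, so None means the linked
    library does not implement that feature (plain SQLite, or standard SQLCipher
    for the FIPS status PRAGMA). Treat None as a failure, never as success.
    """
    row = conn.execute(sql).fetchone()
    return None if row is None else row[0]


def probe_fips_status(db_path: str = ":memory:",
                      license_code: Optional[str] = None) -> dict:
    """Open a connection, apply the license (if given) and read the FIPS status."""
    conn = sqlite3.connect(db_path)
    try:
        # Step 1: is this even SQLCipher? Plain SQLite returns no rows here.
        version = _scalar(conn, "PRAGMA cipher_version;")

        # Step 2: set the license code. PRAGMAs do not accept bound parameters,
        # so the placeholder value is escaped by doubling single quotes.
        if version is not None and license_code is not None:
            escaped = license_code.replace("'", "''")
            conn.execute(f"PRAGMA cipher_license = '{escaped}';")

        # Step 3: ask the module whether FIPS mode is active. Only the special
        # SQLCipher FIPS build is expected to answer 1; anything else is "no".
        status = _scalar(conn, "PRAGMA cipher_fips_status;")

        return {
            "sqlcipher_version": version,      # None => not SQLCipher at all
            "fips_status_raw": status,         # None => PRAGMA unsupported
            "fips": status is not None and str(status) == "1",
        }
    finally:
        conn.close()


def require_fips(db_path: str = ":memory:",
                 license_code: Optional[str] = None) -> dict:
    """Fail closed: raise unless the linked library reports FIPS mode."""
    report = probe_fips_status(db_path, license_code)
    if report["sqlcipher_version"] is None:
        raise RuntimeError(
            "Not linked against SQLCipher: PRAGMA cipher_version returned nothing")
    if not report["fips"]:
        raise RuntimeError(
            "SQLCipher is present but is not the FIPS build "
            f"(cipher_fips_status={report['fips_status_raw']!r}); "
            "OS-level FIPS policy does not change this")
    return report


if __name__ == "__main__":
    # With the stdlib sqlite3 module this prints the fail-closed report and
    # then raises, which is the behaviour an application should expect on a
    # host that lacks the SQLCipher Enterprise FIPS package.
    print(probe_fips_status(":memory:", license_code="LICENSE-CODE-PLACEHOLDER"))
    require_fips(":memory:", license_code="LICENSE-CODE-PLACEHOLDER")
```

Run the check once at startup and refuse to open the database if it raises; logging the returned report gives an auditable record of which library version answered and what it said about FIPS mode.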
For the avoidance of doubt, the cryptographic provider referred to above is a software library included with SQLCipher, not a separate hardware component.
SQLCipher's encryption calls are only considered FIPS 140-2 validated if you are using the special SQLCipher FIPS builds. Standard SQLCipher builds do not use a FIPS 140-2 validated cryptographic module, regardless of any external operating system settings. For instance, on Windows the local / group policy setting for FIPS has no effect on SQLCipher because it does not use the Windows cryptography extensions. Thus, even with FIPS policy settings enabled at the operating system level, an application using SQLCipher for encryption would still need to use the special SQLCipher FIPS packages to meet FIPS 140-2 guidelines.
Still have questions? Please reach out to us and we'll get back to you soon.