SQLCipher for Windows FIPS

Introduction

This document describes the steps that differ from the standard SQLCipher for Windows integration instructions when using the FIPS package. Follow the base documentation for Visual Studio project configuration, preprocessor definitions, include paths, and additional dependencies, and apply the changes below.

SQLCipher for Windows FIPS uses an embedded FIPS validated cryptographic module per FIPS Implementation Guidance. Only dynamic linking is supported for FIPS use; the FIPS module is distributed as a set of DLLs and a configuration file that must be co-located with sqlcipher.dll at runtime.

Package Contents

Extract the sqlcipher-windows-fips-4.14.0.zip package. Under binaries/ each architecture directory (x64, x86, arm64) contains the header files along with the following binaries that must be deployed together:

  • sqlcipher.dll and sqlcipher.lib: SQLCipher dynamic library and import lib
  • fips.dll: FIPS cryptographic module
  • fips.cnf: FIPS configuration file
  • libcrypto-3-x64.dll / libcrypto-3.dll / libcrypto-3-arm64.dll: architecture-specific OpenSSL provider DLL

Static libraries (sqlcipher.lib for static linking, libcrypto.lib) are not included; FIPS operation requires the dynamic linking path only.

Library Installation

Configure your Visual Studio project for dynamic linking following the Dynamic Linking steps in the base documentation. The same preprocessor definition (SQLITE_HAS_CODEC), include directory, library directory, and sqlcipher.lib dependency apply unchanged.

Update the Post-Build Event to copy all of the FIPS runtime files, not just sqlcipher.dll, to the build output directory. For example, for an x64 build:

copy /Y "$(ProjectDir)binaries\x64\sqlcipher.dll" "$(OutDir)"
copy /Y "$(ProjectDir)binaries\x64\fips.dll" "$(OutDir)"
copy /Y "$(ProjectDir)binaries\x64\fips.cnf" "$(OutDir)"
copy /Y "$(ProjectDir)binaries\x64\libcrypto-3-x64.dll" "$(OutDir)"

Use $(PlatformTarget) in place of the hard-coded architecture if you build for multiple platforms. The libcrypto DLL filename differs by architecture:

Architecture libcrypto filename
x64 libcrypto-3-x64.dll
x86 libcrypto-3.dll
arm64 libcrypto-3-arm64.dll

Important: sqlcipher.dll, fips.dll, fips.cnf, and the architecture-specific libcrypto-3-*.dll must all be present in the same directory as your application at runtime. The FIPS module cannot load if any component is missing.

Apply License Code

License code application is identical to the non-FIPS integration. Apply PRAGMA cipher_license before any other database operation:

rc = sqlite3_exec(db, "PRAGMA cipher_license = 'YOUR_LICENSE_KEY';", NULL, NULL, NULL);

If the license code is not properly applied your application will receive not authorized or SQLITE_AUTH (23) errors.

Check FIPS Mode

Applications using a FIPS validated cryptographic module should, as a matter of practice, check that the library is operating in FIPS mode early in the application lifecycle. This ensures that the FIPS-enabled library has been integrated, loaded properly at runtime, that all Power On Self Tests have completed successfully, and that the library is running in FIPS mode.

sqlite3_stmt *stmt = NULL;
rc = sqlite3_prepare(db, "PRAGMA cipher_fips_status;", -1, &stmt, NULL);
rc = sqlite3_step(stmt);
if(rc == SQLITE_ROW && strcmp((const char*)sqlite3_column_text(stmt, 0), "1") == 0) {
  // operating in FIPS mode
} else {
  // not operating in FIPS mode - throw error
}
sqlite3_finalize(stmt);

Reference Application

A complete reference application is available under examples/sqlcipher-c/ in the sqlcipher-windows-fips-4.14.0.zip package. It includes:

  • demo.c: sample application demonstrating database operations and FIPS verification
  • Makefile.windows: NMAKE build configuration for use with a Visual Studio Developer Command Prompt that auto-detects the host architecture and copies the required FIPS files into the build output

Troubleshooting

  1. DLL Not Found: errors like The code execution cannot proceed because sqlcipher.dll was not found or equivalent errors for fips.dll or libcrypto-3-*.dll indicate that not all required runtime files are deployed alongside your application.
  2. FIPS Mode Validation Failure: if the application fails to validate FIPS mode, ensure all required files (sqlcipher.dll, fips.dll, fips.cnf, and the architecture-specific libcrypto-3-*.dll) are in the same directory. The FIPS module cannot operate without all components present.
  3. Not Authorized / SQLITE_AUTH (23): the License Code was not supplied, is not valid, or has expired. Check that the application is applying PRAGMA cipher_license before any other database operations.
  4. Architecture Mismatch: ensure you are using the binaries from the correct platform subdirectory (x64, x86, or arm64) and that the libcrypto DLL filename matches the architecture.

Please contact support@zetetic.net with any questions or to receive private support.