Encryption at rest #236

Closed
AnalogJ opened this issue Aug 17, 2023 · 5 comments · Fixed by #284

Comments

@AnalogJ
Member

AnalogJ commented Aug 17, 2023

https://github.com/jackfr0st13/gorm-sqlite-cipher

@AnalogJ
Member Author

AnalogJ commented Sep 29, 2023

Fasten currently uses https://github.com/glebarez/sqlite which is a Go sqlite driver for Gorm (depends on glebarez/go-sqlite which is a fork of https://gitlab.com/cznic/sqlite).

Neither glebarez/sqlite nor cznic/sqlite support encryption at rest.

https://github.com/jackfr0st13/gorm-sqlite-cipher is a Gorm driver based on https://github.com/mattn/go-sqlite3 (written in C) that supports encryption. We should see if we can copy/translate its code to work with glebarez/sqlite or glebarez/go-sqlite.

NOTE: for completeness, https://github.com/sqlcipher/sqlcipher does exist, however it's written in C, and may not have a GORM compatible driver. Worth investigation.

@AnalogJ AnalogJ added this to the v1.0.0 Release milestone Oct 18, 2023
@AnalogJ
Member Author

AnalogJ commented Oct 18, 2023

mattn/go-sqlite3 has an open PR mattn/go-sqlite3#1109 which adds support for sqlcipher (and https://github.com/utelle/SQLite3MultipleCiphers).

If we feel comfortable switching to mattn/go-sqlite3, we can use @jgiannuzzi's branch/PR to enable encryption.

This comes with the following considerations:

  • Non-native Go, requires CGO for compilation. This is kind of painful given the numerous architectures and operating systems we'd like to support
    • Docker images should be fine -- given the Depot native Arch support
    • Desktop apps should also be ok (Windows x64, Windows ARM, Mac ARM)
    • Users building from scratch might run into weird issues.
  • Performance improvements - C Driver is faster than Golang Driver (not sure by how much)
  • Dev setup might be tougher

@jgiannuzzi

For reference about building and distributing, we use my fork in https://github.com/G-Research/fasttrackml and we distribute Docker images and fully static binaries for all major platforms.

AnalogJ added a commit that referenced this issue Oct 18, 2023
Migrated from github.com/glebarez/sqlite to gorm.io/driver/sqlite (which uses github.com/mattn/go-sqlite3)

Override github.com/mattn/go-sqlite3 with forked version from @jgiannuzzi which supports Encryption at rest.
See mattn/go-sqlite3#1109
See #236

Added documentation for how to open an encrypted sqlite database in IntelliJ - CONTRIBUTING.md update
@AnalogJ
Member Author

AnalogJ commented Oct 18, 2023

Thanks for the confirmation @jgiannuzzi. I've built binaries using cross-compilation in the past, and it's been pretty brutal when using CGO, but this wasn't too bad (and thankfully I don't need to do cross-compilation for Fasten).

I was able to use your branch, and get everything working pretty nicely - #284

Thanks for all your hard work @jgiannuzzi, I can't wait until your PR is merged into mattn/go-sqlite3!

@jgiannuzzi

Could you please let the maintainers of mattn/go-sqlite3 know? They seem to be convinced that encryption is a niche case, but it does seem quite popular, and I really don't want to actually fork their library!

AnalogJ added a commit that referenced this issue Nov 7, 2023
Migrated from github.com/glebarez/sqlite to gorm.io/driver/sqlite (which uses github.com/mattn/go-sqlite3)

Override github.com/mattn/go-sqlite3 with forked version from @jgiannuzzi which supports Encryption at rest.
See mattn/go-sqlite3#1109
See #236

Added documentation for how to open an encrypted sqlite database in IntelliJ - CONTRIBUTING.md update
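
A check worth running after a driver switch like the one discussed in this thread, added here as an example and not code from Fasten, the referenced PR, or any commenter: it confirms that a database file on disk is no longer a plaintext SQLite file. It assumes the encrypted database is written without a plaintext header, as SQLCipher does by default (the 16-byte magic is replaced by a salt); the names `ClassifyHeader` and `entropy` and the 512-byte and 7.0-bit thresholds are choices made for this sketch.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"math"
	"os"
)

// sqliteMagic is the 16-byte string that starts every plaintext SQLite 3 file.
var sqliteMagic = []byte("SQLite format 3\x00")

// entropy returns the Shannon entropy of b in bits per byte (0 to 8).
func entropy(b []byte) (h float64) {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	for _, n := range counts {
		if n > 0 {
			h -= n / float64(len(b)) * math.Log2(n/float64(len(b)))
		}
	}
	return h
}

// ClassifyHeader judges the leading bytes (ideally the first page) of a file.
func ClassifyHeader(head []byte) string {
	switch {
	case bytes.HasPrefix(head, sqliteMagic):
		return "plaintext" // any SQLite client can read this file
	case len(head) >= 512 && entropy(head) > 7.0:
		return "likely-encrypted" // no magic and the page looks like ciphertext
	}
	return "unknown" // empty, truncated, or not a database at all
}

func main() {
	// Usage: go run dbcheck.go < path/to/database-file
	head, err := io.ReadAll(io.LimitReader(os.Stdin, 4096))
	if err != nil {
		fmt.Fprintln(os.Stderr, "read error:", err)
		os.Exit(2)
	}
	fmt.Println(ClassifyHeader(head))
}
```

A `plaintext` verdict on a database that was supposed to be encrypted means the key was never applied when the file was created; `likely-encrypted` is a heuristic, not proof of a correct cipher configuration.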