Passphrases • Parameters • Backups • Integrity
Security Best Practices
A practical checklist for safely working with SQLCipher‑encrypted databases in DB Browser on Windows. It focuses on strong passphrases, standardized parameters, careful handling of plaintext copies and disciplined backups.
Passphrases and key management
- Use long, unique passphrases and store them in a trusted password manager.
- Never share passphrases in plaintext or through insecure channels.
- Rotate passphrases periodically and after any suspected exposure.
How‑to: Change passphrase (rekey)
Standardize and document parameters
- Pick and document KDF iteration counts suitable for your hardware.
- Choose a consistent page size across environments to avoid errors when opening the database.
- Record chosen cipher/integrity settings in team docs and project READMEs.
Background: SQLCipher basics • Diagnostics: Fix “wrong key”
Backups and recovery
- Maintain versioned backups (3‑2‑1 rule) and store them securely.
- Encrypt backups at rest (e.g., system volume encryption, protected storage).
- Test restores periodically to ensure data is recoverable.
When corruption is suspected, export what you can and restore from a known‑good backup.
Handle plaintext copies with care
- Minimize use of plaintext exports and remove them promptly after use.
- Store any temporary plaintext outputs in protected, access‑controlled folders.
- Redact or anonymize sensitive fields where possible.
Guide: Decrypt to a plain copy
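One way to check that plaintext exports were actually removed is to scan working folders for files that still carry the unencrypted SQLite header. The script below is an added example, not part of the original checklist or of DB Browser. It assumes the encrypted databases use SQLCipher's default fully encrypted header (no `cipher_plaintext_header_size`); the file suffix list and the one-hour limit are illustrative choices.

```python
import os
import time

# First 16 bytes of every plaintext SQLite file. A SQLCipher database with
# default settings starts with a random salt instead, so it will not match.
SQLITE_MAGIC = b"SQLite format 3\x00"
DB_SUFFIXES = (".db", ".sqlite", ".sqlite3", ".db3")  # assumed naming convention


def is_plaintext_sqlite(path):
    """Return True if the file begins with the plaintext SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def find_plaintext_copies(root, max_age_seconds=3600, now=None):
    """Walk root and return (stale, unreadable).

    stale      -- sorted [(path, age_seconds)] of plaintext SQLite files whose
                  last modification is older than max_age_seconds
    unreadable -- sorted paths that could not be inspected (locked, denied)
    """
    now = time.time() if now is None else now
    stale, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(DB_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                if not is_plaintext_sqlite(path):
                    continue
                age = now - os.path.getmtime(path)
            except OSError:
                unreadable.append(path)  # review these by hand
                continue
            if age > max_age_seconds:
                stale.append((path, age))
    return sorted(stale), sorted(unreadable)


if __name__ == "__main__":
    import sys
    found, skipped = find_plaintext_copies(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, age in found:
        print(f"PLAINTEXT {age / 3600:6.1f} h old  {path}")
    for path in skipped:
        print(f"UNREADABLE {path}")
```

Run it against export and temp folders on a schedule; any hit is a plaintext copy that outlived its purpose and should be deleted or moved to protected storage.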
Access control and environment hygiene
- Follow least‑privilege: restrict who can read/write database files.
- Keep Windows and security tooling updated; use reputable anti‑malware.
- Prefer encrypted storage (e.g., BitLocker) on devices holding encrypted databases.
Rotation and incident response
- Define rekey schedules (e.g., quarterly) aligned with your risk profile.
- On suspected compromise: revoke access, rekey databases, rotate credentials and review logs.
- Document incidents and update procedures to prevent recurrence.
Integrity and verification
- Verify downloads via checksums and trusted sources.
- Run integrity checks after unexpected shutdowns or crashes.
- Keep an audit trail of parameter changes and access events where feasible.
Team practices and handover
- Store secrets centrally (vault/PM), not in chat or email.
- Use change management for parameter updates and rekeys.
- Provide handover docs with exact access steps and defaults.