Securing UltraLite databases

By default, UltraLite databases are unencrypted on disk. Text and binary columns are plainly readable within the database when using a viewing tool such as a hex editor. If you need to encrypt data for greater security, consider the following options:

  • Obfuscation   Also known as simple encryption, this option provides protection against casual attempts to access data in the database. It does not provide as much security as strong encryption. Obfuscation has a minimal performance impact. You enable obfuscation with the obfuscate creation parameter. End users do not need to supply a corresponding connection parameter. You do not need any special configuration to use simple obfuscation on your device. See UltraLite obfuscate creation parameter.

  • AES 128-bit strong encryption   UltraLite databases can be strongly encrypted using the AES 128-bit algorithm, which is the same algorithm used to encrypt SQL Anywhere databases. Strong encryption provides security against skilled and determined attempts to gain access to the data, but has a significant performance impact. You set encryption in the wizards by selecting the Encrypt Database option and then selecting AES Strong Encryption. Using a creation utility, you set the key with the key connection parameter. This same parameter is used by end users when connecting to the database after it has been created. You do not need any special configuration to use AES encryption on your device. See UltraLite fips creation parameter.

  • AES FIPS 140-2 compliant encryption   UltraLite provides encryption libraries compliant with the FIPS 140-2 US and Canadian government standard (using a Certicom certified cryptographic module). You set FIPS compliant encryption with the fips creation parameter. The user must supply the required key in their connection string. AES FIPS encryption requires that you configure your device appropriately. See Setting up and deploying AES_FIPS database encryption in UltraLite, and UltraLite fips creation parameter.
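Whichever option you choose, it is worth checking the deployed database file the same way a hex editor would read it. The following is an added example, not part of the UltraLite documentation or tooling: it looks for known canary values (test rows you inserted on purpose) in a file image and measures byte entropy. The canary strings, the sample images, and the 7.5 bits-per-byte threshold are all assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_canaries(image: bytes, canaries: list[str]) -> list[str]:
    """Canary strings visible in the file as UTF-8 or UTF-16LE text."""
    return [s for s in canaries
            if any(s.encode(enc) in image for enc in ("utf-8", "utf-16-le"))]

def assess(image: bytes, canaries: list[str], min_entropy: float = 7.5) -> dict:
    """Classify a database file image by what a hex editor would reveal."""
    hits = find_canaries(image, canaries)
    entropy = shannon_entropy(image)
    if hits:
        verdict = "plaintext-visible"
    elif entropy < min_entropy:
        verdict = "low-entropy"  # no canary seen, but not ciphertext-like
    else:
        verdict = "no-plaintext-found"
    return {"verdict": verdict, "hits": hits, "entropy": round(entropy, 2)}

# Constructed sample inputs (not real UltraLite file contents).
CANARIES = ["canary-7f3a@example.test", "CANARY-ACCT-000123"]

def sample_plain() -> bytes:
    # Stand-in for an unencrypted file: rows stored as-is between padding.
    return (b"\x00" * 256 + CANARIES[0].encode("utf-8") + b"\x00" * 256
            + CANARIES[1].encode("utf-16-le") + b"\x00" * 256)

def sample_ciphertext_like(size: int = 4096) -> bytes:
    # Stand-in for an encrypted file: a SHA-256 counter stream, used only
    # because it is deterministic and statistically uniform.
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

if __name__ == "__main__":
    for name, image in [("plain", sample_plain()),
                        ("encrypted-like", sample_ciphertext_like())]:
        print(name, assess(image, CANARIES))
```

A "no-plaintext-found" result shows only that the canaries are not readable in the file; an obfuscated database may pass as well, so the check does not prove that strong encryption is in use.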

Tip

The MobiLink server's synchronization streams can use public/private keys to encrypt streamed data. For ease of deployment, you can embed these certificates in the UltraLite database when you create it. See Configuring MobiLink clients to use transport-layer security.

Notes

Both the FIPS and AES database encryption types use 128-bit AES. Therefore, if you use the same encryption key, the database is encrypted the same way irrespective of the standard you choose.

Caution

You can change the encryption key after the database has been created, but do so only with extreme caution.

This operation is costly and is non-recoverable: if your operation terminates mid-course, you will lose your database entirely.

For strongly encrypted databases, be sure to store a copy of the key in a safe location. If you lose the encryption key there is no way to access the data, even with the assistance of technical support. The database must be discarded and you must create a new database.
