Add encrypted SQLite offline store support#3
Draft
fileman wants to merge 6 commits into
Draft
Conversation
Introduces CommunityToolkit.Datasync.Client.EncryptedSqlite, an additional package that provides an encrypted offline SQLite store backed by SQLite3 Multiple Ciphers (SQLCipher-compatible). The encryption key is generated on first run and supplied via EncryptedSqliteOptions. - EncryptedSqliteDbContextOptionsExtensions / EncryptedSqliteFactory wire the encrypted connection into an offline DbContext. - Correct rekey handling with WAL journaling and a SQLCipher-compatible reopen. - TodoApp.MAUI.Encrypted sample demonstrates the encrypted offline store with a key generated on first run. - Test project covering the encrypted store and offline DbContext behaviour. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The encrypted SQLite store was rejected upstream, so it ships from this fork under our own IDs. Set PackageId to Hisui.Datasync.Client / .EncryptedSqlite (assembly names/namespaces stay CommunityToolkit.Datasync.* so consumer `using` statements are unchanged), add fork metadata + Version 10.0.1, and point the sample's migration comment at the Hisui IDs. The publish workflow already builds via `dotnet build` (GeneratePackageOnBuild) to avoid NU5026. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…6965) EF Core 10.0.9 pulls SQLitePCLRaw.bundle_e_sqlite3 2.1.11 transitively into the test/support projects, whose native lib (SQLitePCLRaw.lib.e_sqlite3 <= 2.1.11) is vulnerable to CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (high). The 2.1.x line has no patched release; the 3.0.x bundle replaces lib.e_sqlite3 with SourceGear.sqlite3 (SQLite >= 3.50.4), dropping the vulnerable package from the graph. Pin only the bundle (not SQLitePCLRaw.core) via CentralPackageTransitivePinning so the SQLite3MC encrypted-store graph keeps its own 2.x core. Verified: vuln scan clean across all projects; solution builds 0/0; SQLite runtime tests pass (EFCore 32, Client offline 64, EncryptedSqlite 7). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for encrypted SQLite offline storage to the Community Toolkit Datasync client, enabling applications to securely store sensitive data offline using SQLitePCLRaw 3's encryption capabilities.
Key Changes
New Library:
CommunityToolkit.Datasync.Client.EncryptedSqliteEncryptedSqliteDbContextOptionsExtensions: Extension method to configure DbContext with encrypted SQLite storage, accepting a password/key providerEncryptedSqliteOptions: Configuration class for encrypted SQLite settings including key derivation parametersEncryptedSqliteFactory: Factory for creating encrypted SQLite connections with proper encryption setupSqliteBatteries: Helper to initialize SQLitePCLRaw with the encrypted SQLite bundleSqliteLiteral: Utility for SQLite literal valuesTest Suite:
CommunityToolkit.Datasync.Client.EncryptedSqlite.TestOfflineDbContextintegration with encryptionSample Application:
TodoApp.MAUI.EncryptedEncryptionKeyProvider: Service for managing encryption keys securelyAppDbContext: Entity Framework Core context configured with encrypted SQLiteDocumentation
docs/in-depth/client/encryption.md: Comprehensive guide covering:docs/samples/todoapp/maui-encrypted.md: Sample-specific documentationInfrastructure Updates
Notable Implementation Details
bundle_e_sqlite3bundlehttps://claude.ai/code/session_01XVPNMhgt3RE6HdiJdm4JTr