--- description: Learn how to encrypt SQLite databases in Capacitor applications using 256-bit AES encryption and secure key management with the Capacitor SQLite plugin. title: Encrypting SQLite databases in Capacitor - Capawesome image: https://capawesome.io/docs/assets/images/social/blog/encrypting-capacitor-sqlite-database.png --- [ Skip to content](#encrypting-sqlite-databases-in-capacitor) [ πŸ” Introducing the **Capacitor Vault** plugin β€” store secrets behind biometrics or a device passcode.](/blog/announcing-the-capacitor-vault-plugin/) * [ Formbricks ](/docs/plugins/formbricks/) * [ Geocoder ](/docs/plugins/geocoder/) * [ Google Sign-In ](/docs/plugins/google-sign-in/) * [ Grafana Faro ](/docs/plugins/grafana-faro/) * [ libSQL ](/docs/plugins/libsql/) * [ Live Update ](/docs/plugins/live-update/) * [ Managed Configurations ](/docs/plugins/managed-configurations/) * [ Media Session ](/docs/plugins/media-session/) * [ ML Kit ](/docs/plugins/mlkit/) * [ Navigation Bar ](/docs/plugins/navigation-bar/) * [ NFC ](/docs/plugins/nfc/) * [ OAuth ](/docs/plugins/oauth/) * [ Pedometer ](/docs/plugins/pedometer/) * [ Photo Editor ](/docs/plugins/photo-editor/) * [ PostHog ](/docs/plugins/posthog/) * [ Printer ](/docs/plugins/printer/) * [ Purchases ](/docs/plugins/purchases/) * [ RealtimeKit ](/docs/plugins/realtimekit/) * [ Screen Orientation ](/docs/plugins/screen-orientation/) * [ Screenshot ](/docs/plugins/screenshot/) * [ Secure Preferences ](/docs/plugins/secure-preferences/) * [ Speech Recognition ](/docs/plugins/speech-recognition/) * [ Speech Synthesis ](/docs/plugins/speech-synthesis/) * [ Share Target ](/docs/plugins/share-target/) * [ Square Mobile Payments ](/docs/plugins/square-mobile-payments/) * [ SQLite ](/docs/plugins/sqlite/) * [ Superwall ](/docs/plugins/superwall/) * [ Torch ](/docs/plugins/torch/) * [ Vault ](/docs/plugins/vault/) * [ Wifi ](/docs/plugins/wifi/) * [ Zip ](/docs/plugins/zip/) * [ Cloud ](/docs/cloud/) * [ Live Updates ](/docs/cloud/live-updates/) * Advanced * Integrations * [ Native Builds ](/docs/cloud/native-builds/) * [ Configuration ](/docs/cloud/native-builds/configuration/) * [ Environments ](/docs/cloud/native-builds/environments/) * Guides * [ Sample Projects ](/docs/cloud/native-builds/sample-projects/) * [ Troubleshooting ](/docs/cloud/native-builds/troubleshooting/) * [ Automations ](/docs/cloud/automations/) * [ Assist ](/docs/cloud/assist/) * Account * Organizations * [ Organization and User Management ](/docs/cloud/organizations/memberships/) * [ Single Sign-On (SSO) ](/docs/cloud/organizations/sso/) * [ Teams ](/docs/cloud/organizations/teams/) * [ Two-Factor Authentication ](/docs/cloud/organizations/two-factor-authentication/) * [ Integrations ](/docs/cloud/integrations/) * [ License Keys ](/docs/cloud/license-keys/) * [ Webhooks ](/docs/cloud/webhooks/) * [ Pricing ](https://capawesome.io/pricing/) * [ FAQ ](/docs/cloud/faq/) * [ Support ](/docs/cloud/support/) * [ Contributing ](/docs/contributing/) * [ LLMs ](/docs/llms/) * [ Insiders ](/docs/insiders/) * [ License ](https://capawesome.io/legal/eula/) * [ Support ](/docs/insiders/support/) * [ FAQ ](/docs/insiders/faq/) * [ Blog ](/blog/) * Categories * [ Usage ](#usage) * [ Best Practices ](#best-practices) * [ Conclusion ](#conclusion) * Related links # Encrypting SQLite databases in Capacitor[ΒΆ](#encrypting-sqlite-databases-in-capacitor "Permanent link") Data security is paramount in mobile apps especially when handling sensitive user information. This guide shows how to encrypt SQLite databases in **Capacitor** using the [Capacitor SQLite plugin](/docs/plugins/sqlite/) with 256-bit AES and secure key management via the [Capacitor Secure Preferences](/docs/plugins/secure-preferences/) plugin. For full **Capacitor SQLite plugin documentation**, see the [plugin docs](/docs/plugins/sqlite/). ## Introduction[ΒΆ](#introduction "Permanent link") SQLite databases in mobile applications often contain sensitive user data such as personal information, authentication tokens, or financial records. Without proper encryption, this data remains vulnerable to unauthorized access if a device is compromised. The [Capacitor SQLite](/docs/plugins/sqlite/) plugin provides robust 256-bit AES encryption capabilities, ensuring that your database remains secure even if the device falls into the wrong hands. Combined with the [Capacitor Secure Preferences](/docs/plugins/secure-preferences/) plugin for secure key storage, you can implement a comprehensive encryption strategy that protects both your data and the encryption keys used to secure it. ## Installation[ΒΆ](#installation "Permanent link") To implement database encryption in your Capacitor application, you'll need to install and configure both the Capacitor SQLite plugin (with encryption support) and the Capacitor Secure Preferences plugin for secure key management. ### Secure Preferences[ΒΆ](#secure-preferences "Permanent link") The Capacitor Secure Preferences plugin provides secure storage for sensitive information like encryption keys using the [Android Keystore](https://developer.android.com/privacy-and-security/keystore) and [iOS Keychain](https://developer.apple.com/documentation/security/keychain-services). To install the plugin, please refer to the [Installation](/docs/plugins/secure-preferences/#installation) section in the plugin documentation. ### SQLite[ΒΆ](#sqlite "Permanent link") The Capacitor SQLite plugin supports encryption through SQLCipher integration. To install the plugin with encryption support, please refer to the [Installation](/docs/plugins/sqlite/#installation) section in the plugin documentation. **Important**: Make sure to enable SQLCipher support during installation by configuring the platform-specific settings as described in the plugin documentation. ## Usage[ΒΆ](#usage "Permanent link") Let's walk through the essential steps to encrypt a SQLite database in your Capacitor application. ### Generating the encryption key[ΒΆ](#generating-the-encryption-key "Permanent link") First, you need to generate a secure encryption key. This key will be used to encrypt and decrypt the database. It is crucial to use a strong, unique key for each database instance. You have several options for generating this key: 1. **Generate a random key on the client**: Use a cryptographically secure random number generator to create a 256-bit key. 2. **Generate a random key on the backend**: Generate the key on your backend server and securely transmit it to the client application. 3. **Use a user-provided key**: Allow users to set their own encryption key, but ensure it meets security standards (e.g., 256 bits). As an example, here's how to generate a random key on the client using the Web Crypto API: `[](#%5F%5Fcodelineno-0-1)const generateEncryptionKey = async (): Promise => { [](#%5F%5Fcodelineno-0-2) // Use a secure random number generator to create a 256-bit key [](#%5F%5Fcodelineno-0-3) const key = new Uint8Array(32); // 256 bits = 32 bytes [](#%5F%5Fcodelineno-0-4) window.crypto.getRandomValues(key); [](#%5F%5Fcodelineno-0-5) return Array.from(key).map(b => b.toString(16).padStart(2, '0')).join(''); [](#%5F%5Fcodelineno-0-6)}; ` This function generates a random 256-bit key and returns it as a hexadecimal string. You can call this function when you need to create a new database or change the encryption key. ### Storing the encryption key[ΒΆ](#storing-the-encryption-key "Permanent link") Next, you need to securely store the encryption key since it will be required every time you open the database. You can use the Capacitor Secure Preferences plugin to store the key securely on the device: `[](#%5F%5Fcodelineno-1-1)import { SecurePreferences } from '@capawesome-team/capacitor-secure-preferences'; [](#%5F%5Fcodelineno-1-2) [](#%5F%5Fcodelineno-1-3)const getEncryptionKeyFromSecurePreferences = async (): Promise => { [](#%5F%5Fcodelineno-1-4) const { value } = await SecurePreferences.get({ key: 'encryptionKey' }); [](#%5F%5Fcodelineno-1-5) return value; [](#%5F%5Fcodelineno-1-6)}; [](#%5F%5Fcodelineno-1-7) [](#%5F%5Fcodelineno-1-8)const setEncryptionKeyInSecurePreferences = async (key: string): Promise => { [](#%5F%5Fcodelineno-1-9) await SecurePreferences.set({ key: 'encryptionKey', value: key }); [](#%5F%5Fcodelineno-1-10)}; [](#%5F%5Fcodelineno-1-11) [](#%5F%5Fcodelineno-1-12)const getEncryptionKey = async (forceNew: boolean = false): Promise => { [](#%5F%5Fcodelineno-1-13) // Retrieve the encryption key from secure preferences [](#%5F%5Fcodelineno-1-14) let encryptionKey = await getEncryptionKeyFromSecurePreferences(); [](#%5F%5Fcodelineno-1-15) if (!encryptionKey || forceNew) { [](#%5F%5Fcodelineno-1-16) // Generate a new encryption key if it doesn't exist or if forced [](#%5F%5Fcodelineno-1-17) encryptionKey = await generateEncryptionKey(); [](#%5F%5Fcodelineno-1-18) // Store the new key securely [](#%5F%5Fcodelineno-1-19) await setEncryptionKeyInSecurePreferences(encryptionKey); [](#%5F%5Fcodelineno-1-20) } [](#%5F%5Fcodelineno-1-21) return encryptionKey; [](#%5F%5Fcodelineno-1-22)}; ` The `getEncryptionKey(...)` function retrieves the encryption key from secure preferences, generating a new one if it doesn't exist or if forced. This ensures that your key is always securely stored and easily retrievable when needed. ### Encrypting the database[ΒΆ](#encrypting-the-database "Permanent link") Now that you have a secure encryption key, you can open an encrypted SQLite database using the Capacitor SQLite plugin. For this, you'll use the `open(...)` method with the `encryptionKey` option: `[](#%5F%5Fcodelineno-2-1)import { Sqlite } from '@capawesome-team/capacitor-sqlite'; [](#%5F%5Fcodelineno-2-2) [](#%5F%5Fcodelineno-2-3)const openEncryptedDatabase = async () => { [](#%5F%5Fcodelineno-2-4) const encryptionKey = await getEncryptionKey(); [](#%5F%5Fcodelineno-2-5) [](#%5F%5Fcodelineno-2-6) const { databaseId } = await Sqlite.open({ [](#%5F%5Fcodelineno-2-7) encryptionKey, [](#%5F%5Fcodelineno-2-8) path: 'db.sqlite3' [](#%5F%5Fcodelineno-2-9) }); [](#%5F%5Fcodelineno-2-10) [](#%5F%5Fcodelineno-2-11) return databaseId; [](#%5F%5Fcodelineno-2-12)}; ` The `open(...)` method opens the database with the specified encryption key. Please note that it's not yet possible to encrypt an already existing database with the plugin. You must create a new database with the encryption key from the start. As a workaround, you can create a new encrypted database and then copy the data from the old unencrypted database to the new one. ### Changing the encryption key[ΒΆ](#changing-the-encryption-key "Permanent link") If you need to change the encryption key for an existing database, you can do so using the [changeEncryptionKey(...)](/docs/plugins/sqlite/#changeencryptionkey) method. This method allows you to update the encryption key while keeping the existing data intact: `[](#%5F%5Fcodelineno-3-1)const changeKey = async (databaseId: number) => { [](#%5F%5Fcodelineno-3-2) const encryptionKey = await getEncryptionKey(true); [](#%5F%5Fcodelineno-3-3) [](#%5F%5Fcodelineno-3-4) await Sqlite.changeEncryptionKey({ [](#%5F%5Fcodelineno-3-5) databaseId, [](#%5F%5Fcodelineno-3-6) encryptionKey, [](#%5F%5Fcodelineno-3-7) }); [](#%5F%5Fcodelineno-3-8)}; ` By passing `true` to the `getEncryptionKey(...)` function, you force it to generate a new key. The `changeEncryptionKey(...)` method updates the database with the new key, ensuring that your data remains secure. ## Best Practices[ΒΆ](#best-practices "Permanent link") ### Use Strong, Unique Encryption Keys[ΒΆ](#use-strong-unique-encryption-keys "Permanent link") Generate cryptographically secure random keys for each database. Avoid using predictable keys based on user passwords or device identifiers. Use platform-specific secure random number generators and ensure keys are at least 256 bits in length. ### Implement Key Rotation[ΒΆ](#implement-key-rotation "Permanent link") Regularly rotate encryption keys to minimize the impact of potential key compromise. Implement a key rotation strategy that can seamlessly migrate data from old keys to new ones without data loss. ### Handle Key Loss Gracefully[ΒΆ](#handle-key-loss-gracefully "Permanent link") Design your application to handle scenarios where encryption keys are lost or corrupted. Implement backup strategies and user recovery mechanisms, while ensuring that fallback procedures don't compromise security. ## Conclusion[ΒΆ](#conclusion "Permanent link") Encrypting SQLite databases in Capacitor with the [Capacitor SQLite](/docs/plugins/sqlite/) plugin and [Secure Preferences](/docs/plugins/secure-preferences/) adds a strong layer of security for sensitive data. By combining the Capacitor SQLite plugin's 256-bit AES encryption with secure key management through the Capacitor Secure Preferences plugin, you can build robust, secure mobile applications that protect user privacy and comply with modern security standards. **Related reading:** * [Exploring the Capacitor SQLite API](/blog/exploring-the-capacitor-sqlite-api/) * [Key-Value Storage with the SQLite plugin](/blog/key-value-storage-made-simple-with-the-sqlite-plugin/) * [Plugin documentation](/docs/plugins/sqlite/#api) If you have any questions or need assistance with Capacitor SQLite database encryption or database security, feel free to reach out to the Capawesome team. We're here to help you implement robust encryption strategies and secure your Ionic applications effectively. To stay updated with the latest updates, features, and news about the Capawesome, Capacitor, and Ionic ecosystem, subscribe to the [Capawesome newsletter](/newsletter/) and follow us on [X (formerly Twitter)](https://x.com/capawesomeio), and join the [Capawesome Discord server](https://discord.gg/VCXxSVjefW) for updates and support. May 7, 2026 Back to top