[guardian-dev] SQLCipher: best practices

Nathan of Guardian nathan at guardianproject.info
Tue Aug 5 14:54:25 EDT 2014

On 08/05/2014 02:30 PM, Cédric Jeanneret wrote:
> I'm considering using SQLCipher in a new app, as it will store location,
> wireless essid and timestamp.
> I've looked at the examples[1], but it seems they are using hard-coded
> password which, obviously, isn't that good…
> How shall I do in order to get some random password? If possible one per
> device, generated at install time or anything like that (well, if that's
> possible, of course ;) ).

Cacheword is our solution for that:

CacheWord is an Android library project for passphrase caching and
management. It helps app developers securely generate, store, and access
secrets derived from a user's passphrase.

CacheWord is still under development. Proceed with caution.

Broadly speaking this library assists developers with two related problems:

- Secrets Management: how the secret key material for your app is
  generated, stored, and accessed
- Passphrase Caching: store the passphrase in memory to avoid constantly
  prompting the user

CacheWord manages key derivation, verification, persistence, passphrase
resetting, and caching secret key material in memory.

- Strong key derivation (PBKDF2)
- Secure secret storage (AES-256 GCM)
- Persistent notification: informs the user the app data is unlocked
- Configurable timeout: after a specified time of inactivity the app locks
- Manual clearing: the user can forcibly lock the application
- Uses Android's Keystore on 4.x if available (not yet implemented)

CacheWord requires at least SDK version 2.2 (API level 8).
