Adds new PRAGMA cipher_status

sjlombardo · sjlombardo · commit 2cd5e4570a5e · 2025-12-02T10:49:30.000-05:00
PRAGMA cipher_status allows an application to verify that a database is
properly setup for encyption (i.e. that operations on the database will
be using SQLCipher). It returns a scalar result set "1" if the database
has been keyed and is not in an error state. Otherwise, it will return
a scalar result set of "0".
diff --git a/src/sqlcipher.c b/src/sqlcipher.c
@@ -2626,6 +2626,13 @@ int sqlcipher_codec_pragma(sqlite3* db, int iDb, Parse *pParse, const char *zLef
       sqlcipher_vdbe_return_string(pParse, "cipher_fips_status", fips_mode_status, P4_DYNAMIC);
     }
   } else
+  if( sqlite3_stricmp(zLeft, "cipher_status")== 0 && !zRight ){
+    if(ctx && ctx->error == SQLITE_OK) {
+      sqlcipher_vdbe_return_string(pParse, "cipher_status", "1", P4_TRANSIENT);
+    } else {
+      sqlcipher_vdbe_return_string(pParse, "cipher_status", "0", P4_TRANSIENT);
+    }
+  } else
   if( sqlite3_stricmp(zLeft, "cipher_store_pass")==0 && zRight ) {
     if(ctx) {
       char *deprecation = "PRAGMA cipher_store_pass is deprecated, please remove from use";
diff --git a/test/sqlcipher-core.test b/test/sqlcipher-core.test
@@ -995,5 +995,84 @@ do_test uri-key-2 {
 db close
 file delete -force test.db
 
+# test cipher_status reports encrypted for database
+do_test cipher-status-encrypted {
+  sqlite_orig db test.db
+
+  execsql {
+    PRAGMA key = 'test';
+    PRAGMA cipher_status;
+  }
+
+} {ok 1}
+db close
+file delete -force test.db
+
+# test cipher_status reports not-encrypted for plaintext database
+do_test cipher-status-plaintext {
+  sqlite_orig db test.db
+
+  execsql {
+    PRAGMA cipher_status;
+  }
+
+} {0}
+db close
+file delete -force test.db
+
+# test cipher_status reports encrypted for attached database
+# when main database is plaintext and attached database is
+# keyed
+do_test cipher-status-attached-encrypted {
+  sqlite_orig db test.db
+
+  execsql {
+    PRAGMA cipher_status;
+    ATTACH DATABASE 'test2.db' AS test2 KEY 'test';
+    PRAGMA test2.cipher_status;
+    DETACH DATABASE test2;
+  }
+
+} {0 1}
+db close
+file delete -force test.db
+file delete -force test2.db
+
+# test cipher_status reports plaintext for attached database
+# when main database is keyed and attached database is not
+do_test cipher-status-attached-plaintext {
+  sqlite_orig db test.db
+
+  execsql {
+    PRAGMA KEY = 'test';
+    PRAGMA cipher_status;
+    ATTACH DATABASE 'test2.db' AS test2 KEY '';
+    PRAGMA test2.cipher_status;
+    DETACH DATABASE test2;
+  }
+
+} {ok 1 0}
+db close
+file delete -force test.db
+file delete -force test2.db
+
+# test cipher_status reports unencrypted if key derivation
+# and operation fails
+setup test.db "'testkey'"
+do_test cipher-status-badkey {
+  sqlite_orig db test.db
+
+  catchsql {
+    PRAGMA key = 'test';
+    SELECT count(*) FROM sqlite_master;
+  }
+  execsql {
+    PRAGMA cipher_status;
+  }
+
+} {0}
+db close
+file delete -force test.db
+
 finish_test
 
