Add some docs on encryption

2026-01-31 05:44:25 +01:00 · 2025-08-26 19:53:13 +05:30
parent 77476de547
commit 4d7b4bb711
1 changed files with 21 additions and 0 deletions
--- a/docs/manual.md
+++ b/docs/manual.md
@@ -37,6 +37,7 @@ Welcome to Turso database manual!
      - [`sqlite3_column`](#sqlite3_column)
    - [WAL manipulation](#wal-manipulation)
      - [`libsql_wal_frame_count`](#libsql_wal_frame_count)
+  - [Encryption](#encryption)
  - [Appendix A: Turso Internals](#appendix-a-turso-internals)
    - [Frontend](#frontend)
      - [Parser](#parser)
@@ -489,6 +490,26 @@ in the `p_frame_count` parameter.
 * The `p_frame_count` must be a valid pointer to a `u32` that will store the
 * number of frames in the WAL file.

+## Encryption
+
+The work-in-progress RFC is [here](https://github.com/tursodatabase/turso/issues/2447).
+To use encryption, you need to enable it via feature flag `encryption`.
+To get started, generate a secure 32 byte key in hex: 
+
+```shell
+$ openssl rand -hex 32
+2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d
+```
+
+Specify the key and cipher at the time of db creation to use encryption. Here is [sample test](https://github.com/tursodatabase/turso/blob/main/tests/integration/query_processing/encryption.rs):
+
+```shell
+$ cargo run --features encryption -- database.db
+
+PRAGMA cipher = 'aegis256'; -- or 'aes256gcm'
+PRAGMA hexkey = '2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d';
+```
+
 ## Appendix A: Turso Internals

 Turso's architecture resembles SQLite's but differs primarily in its