
SQLite Key Store

The SQLite key store persists encryption keys in a local SQLite database file. It is the recommended key store for local development — zero-config, no server dependencies, and keys survive application restarts.

Development Only

This key store writes raw key bytes to a SQLite file without envelope encryption, HSM backing, or access auditing. It is not suitable for production. For production, use a secrets manager: HashiCorp Vault, Azure Key Vault, or AWS KMS. If you need a self-managed production store, see the PostgreSQL key store with its Production Security Guide.

Installation

shell
dotnet add package Tayra.KeyStore.Sqlite
powershell
Install-Package Tayra.KeyStore.Sqlite

Setup

The simplest registration requires no configuration — keys are stored in tayra_keys.db in the working directory:

csharp
services.AddTayra(opts => opts.LicenseKey = licenseKey)
    .UseSqliteKeyStore();

To specify a custom file path:

csharp
services.AddTayra(opts => opts.LicenseKey = licenseKey)
    .UseSqliteKeyStore(opts =>
    {
        opts.ConnectionString = "Data Source=/path/to/my-keys.db";
    });

Configuration Options

| Property | Type | Default | Description |
|---|---|---|---|
| ConnectionString | string | "Data Source=tayra_keys.db" | SQLite connection string. |
| TableName | string | "tayra_encryption_keys" | Table name for storing encryption keys. |
| AutoMigrate | bool | true | When true, automatically creates the table on first use. |

Table Schema

When AutoMigrate is enabled (the default), Tayra creates the following table on first use:

sql
CREATE TABLE IF NOT EXISTS tayra_encryption_keys
(
    key_id      TEXT NOT NULL PRIMARY KEY,
    secret_key  TEXT NOT NULL,
    created_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);

CREATE INDEX IF NOT EXISTS idx_tayra_encryption_keys_prefix
    ON tayra_encryption_keys (key_id);

Non-DI Usage

For the non-DI path via TayraHost.Create(), pass a SqliteKeyStore instance directly:

csharp
using var tayra = TayraHost.Create(
    opts => opts.LicenseKey = licenseKey,
    keyStore: new SqliteKeyStore(
        Options.Create(new SqliteKeyStoreOptions()),
        NullLogger<SqliteKeyStore>.Instance));

When to Use

| Scenario | Use SQLite? |
|---|---|
| Local development | Yes: zero-config, persistent across restarts |
| CI/CD pipelines | Yes: ephemeral .db file, no server needed |
| Unit tests | No: use the built-in InMemoryKeyStore (faster, no file I/O) |
| Production | No: use Vault, Azure Key Vault, or AWS KMS |

.gitignore

Add the SQLite database file to your .gitignore to avoid committing encryption keys to source control:

tayra_keys.db
tayra_keys.db-wal
tayra_keys.db-shm
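
Why the two sidecar files are listed as well: the sketch below is an added example, not Tayra code. It uses Python's standard sqlite3 module and the table definition from this page to show where a committed key sits on disk. It assumes the database runs in WAL journal mode (the page does not state the journal mode); the key id and key value are constructed.

```python
import os
import sqlite3
import tempfile

# Table definition copied from the page; the row inserted below is constructed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tayra_encryption_keys
(
    key_id      TEXT NOT NULL PRIMARY KEY,
    secret_key  TEXT NOT NULL,
    created_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
"""
SAMPLE_KEY = "CONSTRUCTED-SAMPLE-KEY-0001"  # constructed marker, not a real key


def files_containing(directory, needle):
    """Return the sorted names of files in `directory` whose bytes include `needle`."""
    hits = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            if needle in fh.read():
                hits.append(name)
    return hits


def demo():
    """Insert one key in WAL mode and report which files hold its bytes."""
    with tempfile.TemporaryDirectory() as d:
        conn = sqlite3.connect(os.path.join(d, "tayra_keys.db"))
        # Assumption: WAL journal mode, which is what produces -wal and -shm files.
        mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
        conn.executescript(SCHEMA)
        conn.execute(
            "INSERT INTO tayra_encryption_keys (key_id, secret_key) VALUES (?, ?)",
            ("customer-42", SAMPLE_KEY),
        )
        conn.commit()
        # Connection still open: the committed row has not been checkpointed yet.
        while_open = files_containing(d, SAMPLE_KEY.encode())
        conn.close()  # closing the last connection checkpoints and removes the WAL
        after_close = files_containing(d, SAMPLE_KEY.encode())
    return mode, while_open, after_close


if __name__ == "__main__":
    print(demo())
```

While the application is running, a committed key can exist only in tayra_keys.db-wal, so ignoring just tayra_keys.db would still let key material reach a commit.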

See Also