In Transit Encryption
Data is always encrypted in transit using TLS — both between the client and PowerSync, and between PowerSync and the source database.At Rest Encryption
The client-side database can be encrypted at rest. This is currently available for:Dart/Flutter
Dart/Flutter
SQLCipher support is available for Dart/Flutter through the
powersync_sqlcipher SDK. See usage details in the package README:powersync_sqlcipher
React Native & Expo
React Native & Expo
SQLCipher support is available for PowerSync’s React Native SDK through the
@powersync/op-sqlite package. See usage details in the package README:npm: @powersync/op-sqlite
JavaScript Web
JavaScript Web
The Web SDK uses the ChaCha20 cipher algorithm by default. See usage details in the package README:Additionally, a minimal example demonstrating encryption of the web database is available here.
npm: @powersync/web
Node.js
Node.js
Encryption support is available for PowerSync’s Node.js SDK using
better-sqlite3-multiple-ciphers. See usage details and code examples in the Node.js SDK reference.Support for encryption on other platforms is planned. In the meantime, let us know your needs and use cases on Discord.
End-to-end Encryption
For end-to-end encryption, the encrypted data can be synced using PowerSync. The data can then either be encrypted and decrypted directly in memory by the application, or a separate local-only table can be used to persist the decrypted data — allowing querying the data directly. Raw SQLite Tables can be used for full control over the SQLite schema and managing tables for the decrypted data. We have a React & Supabase example app that demonstrates this approach. See also the accompanying blog post.See Also
- Database Setup → Security & IP Filtering
- Resources → Security