In my last question "Portable database for storing secrets" the best answer until now tell to use sqlite-crypt.
Reading sqlite-crypt docs, the new param for open the database is the pass-phrase. Of course, I don't want hardcode the password, so I was thinking what the best, simple and fast method to store that password?
You pretty well have to store it in a user.
Otherwise you're just substituting some other security mechanism for the one you're asking about...
David's point in the comment on Infamy's answer is well taken. One should allow some flexibility, in case the user is handling protection at a lower layer... So, go vote for Infamy.
Hardcoding is inevitable at some point, unless the password is only ever used interactively.
The best thing you can do in a password-in-file situation is make it damn hard to access it in the first place, and then limit what can be done with it if someone does find it. A rule of thumb is that you shouldn't give more privileges to a password stored in a string than one that you have to type at a prompt.
On Windows you could/should use the DPAPI, the Data Protection API that provides storage encryption.
It's there just for this type of problem.
Encryption of the storage is based on either:
- the user account, so only the logged-in user can access the data. This makes the data transferable to another PC with the exact same user credentials.
- the machine, making the data only accessible on that particular machine setup and not transferable to another PC.
There is a dnrTV show with Karl Franklin showing exactly what's needed to implement this, and other encryption functions.
The source code from the show is also available on the page.
There are, of course, lots of other articles on that subject.