2 min read

Hacky SQLCipher WASM Build

Here’s a hacky start to building SQLCipher for WASM. What makes it hacky?

  • Assumes latest emscripten only
  • Hard coded openssl location
  • OpenSSL flags and files added in random locations
  • mlock/munlock code commented out

Work remaining to make it less hacky:

  • autoconf flags to enable configuring OpenSSL flags and files and replacing hard coded stuff
  • allow variations on emscripten version and required flags
  • use a #ifdef around the mlock/unlock stuff instead of commenting it out completely, or replace it with something else if possible

If you attempt to follow these instructions, you will have to update all of the paths here and in the SQLCipher code yourself.

This is based mostly on the SQLite instructions for building it with Emscripten: https://sqlite.org/wasm/doc/trunk/emscripten.md

Set up emscripten

cd ~/Work
git clone https://github.com/emscripten-core/emsdk.git
cd emsdk/
./emsdk install latest
./emsdk activate latest
source "/home/mch/Work/emsdk/emsdk_env.sh"

Build openssl

I used this: https://github.com/cryptool-org/openssl-webterm/tree/master/emscr/builds/openssl. Just downloaded the two files in there to /home/mch/Downloads/openssl-wasm and run the build.sh. The rest of this note assumes OpenSSL is in that location.

Build sqlcipher

First checkout and build basic binaries of sqlcipher using my fork:

cd ~/Work
git clone [email protected]:mch/sqlcipher.git
cd sqlcipher/
git pull
git checkout wasm
./configure \
    --enable-tempstore=yes \
    LDFLAGS="/home/mch/Downloads/openssl-wasm/src/libcrypto.a" \

Then build the wasm part:

make fiddle
cd ext/wasm

Test with Caddy Server

Caddy is pretty easy to set up for local development with TLS certificates. TLS is required to use the features used by SQLite’s WASM build.

Install Caddy 2 somehow, see https://caddyserver.com/

Paste this into ext/wasm/fiddle/Caddyfile:

  http_port 8080
  https_port 8443


header {
  Cross-Origin-Embedder-Policy require-corp
  Cross-Origin-Opener-Policy same-origin


Go to https://localhost:8443/ (you may need to click through a browser warning about untrusted certificates, but you should be able to make your browser trust them, see https://caddyserver.com/docs/automatic-https#local-https) and paste this into the left Fiddle window:

.open file:tmi.db?vfs=opfs
PRAGMA key = 'asdf';
PRAGMA cipher_settings;
PRAGMA cipher_log = stdout;
PRAGMA cipher_log_level = trace;
create table foo(id int, desc text);
insert into foo values(1, 'hello');
insert into foo values(2, 'world');
select * from foo;

There should be a bunch of trace output and the results of the SQL commands.

Using the OPFS Explorer Chrome extension, you can download the resulting tmi.db file and try it locally with the normal sqlcipher binary, and it works!