Turso Database provides native encryption for data at rest using industry-standard AEAD algorithms. Each database page is encrypted individually, ensuring data integrity and security across all environments.
  • Page-level encryption: Each 4 KiB page is encrypted individually with a unique nonce
  • AEAD algorithms: Support for AEGIS-256 (fast, modern) and AES-GCM (NIST-approved)
  • Data integrity: Built-in authentication tags prevent tampering and corruption
  • High performance: As little as 6% read overhead and 14% write overhead
  • In-memory keys: Encryption keys are never stored on disk
Turso Database with encryption is perfect for:
  • Fintech Applications: Meet regulatory requirements for sensitive financial data
  • Privacy-Focused Products: Build user trust with strong data protection
  • Healthcare Apps: Protect patient data and meet HIPAA compliance
  • AI/ML Applications: Secure training data and model outputs

What’s Encrypted

Encrypted

  • All database pages with your data
  • The database file
  • Write-Ahead Log (WAL) file

Not Encrypted

  • The database header (first 100 bytes)

Generate an Encryption Key

First, generate a secure 32-byte encryption key in hexadecimal format:
openssl rand -hex 32
This will output a key similar to:
2d7a30108d3eb3e45c90a732041fe54778bdcf707c76749fab7da335d1b39c1d
Store your key securely! If you lose the encryption key, you will not be able to access your encrypted database. Keys are never stored on disk.

Create an Encrypted Database

1. Launch with encryption

Use the --experimental-encryption flag and specify your cipher and key in the connection URI:
tursodb --experimental-encryption "file:encrypted.db?cipher=aegis256&hexkey=YOUR_HEX_KEY"
Replace YOUR_HEX_KEY with the key you generated above.
2. Create and insert data

Once in the interactive shell, create a table and insert some data:
CREATE TABLE secrets (id INT, data TEXT);
INSERT INTO secrets VALUES (1, 'sensitive information');
INSERT INTO secrets VALUES (2, 'confidential data');
3. Verify encryption

Exit the shell (type .quit) and try to open the database without the key:
tursodb encrypted.db
You won’t be able to access the data. The database is encrypted on disk.

Open an Encrypted Database

To access an existing encrypted database, provide the same cipher and key used during creation:
tursodb --experimental-encryption "file:encrypted.db?cipher=aegis256&hexkey=YOUR_HEX_KEY"
Then query your data:
SELECT * FROM secrets;

Supported Ciphers

Turso Database supports two AEAD encryption algorithms:

AEGIS-256

Recommended for most use cases
  • Extremely fast performance
  • Modern cryptographic design
  • Better security features
cipher=aegis256

AES-GCM

For compliance requirements
  • NIST-approved standard
  • Widely supported
  • Industry standard
cipher=aesgcm256

URI Parameters

When creating or opening an encrypted database, use the following URI format:
file:database.db?cipher=CIPHER&hexkey=HEX_KEY
| Parameter | Required | Description | Values |
|-----------|----------|-------------|--------|
| cipher | Yes | Encryption algorithm | aegis256, aesgcm256 |
| hexkey | Yes | 32-byte encryption key in hex format | 64-character hex string |
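
The URI format above, as an added shell example (not Turso's own tooling): it checks the cipher name and key length before building the connection URI, and reads the key from an owner-only file rather than having it typed on the command line. The function names and the key-file path are assumptions; the cipher values and URI layout are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not Turso tooling. turso_key_new, turso_uri and the key-file
# path are hypothetical names; cipher values and URI layout are from this page.

# Write a fresh 32-byte key (64 hex chars) to a file only the owner can read.
turso_key_new() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    ( umask 077 && openssl rand -hex 32 > "$keyfile" )
}

# Validate cipher and key, then print file:DB?cipher=CIPHER&hexkey=HEX_KEY.
turso_uri() {
    db=$1; cipher=$2; keyfile=$3
    case $cipher in
        aegis256|aesgcm256) ;;
        *) echo "unsupported cipher: $cipher" >&2; return 2 ;;
    esac
    [ -r "$keyfile" ] || { echo "cannot read key file: $keyfile" >&2; return 3; }
    key=$(tr -d '[:space:]' < "$keyfile")
    case $key in
        *[!0-9a-fA-F]*) echo "key contains non-hex characters" >&2; return 4 ;;
    esac
    # A 32-byte key is exactly 64 hex characters; reject anything else early.
    if [ "${#key}" -ne 64 ]; then
        echo "key must be 64 hex characters, got ${#key}" >&2
        return 4
    fi
    printf 'file:%s?cipher=%s&hexkey=%s\n' "$db" "$cipher" "$key"
}

# Usage (run turso_key_new once, then turso_uri on every open):
#   turso_key_new "$HOME/.config/turso/encrypted.key"
#   tursodb --experimental-encryption \
#       "$(turso_uri encrypted.db aegis256 "$HOME/.config/turso/encrypted.key")"
```

Reading the key from a file keeps it out of shell history, but because the key is passed inside the URI argument it can still be visible in the tursodb process's command line to other local users.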

Performance

Encryption overhead is minimal, especially for smaller databases:
  • Read operations: ~6% overhead with AEGIS-256
  • Write operations: ~14% overhead with AEGIS-256
  • Overall: ~1-3% total time overhead for mixed workloads
For detailed benchmarks, see the encryption announcement blog post.

Coming Soon

Future encryption features in development:
  • Key derivation from passphrases: Use memorable passphrases instead of raw keys
  • Encrypt existing databases: Migrate unencrypted databases to encrypted format
  • Key rotation: Update encryption keys without data loss
  • ATTACH support: Work with multiple encrypted databases simultaneously