Refactor/improve performance sqlite db

crates/matrix-sdk-sqlite/CHANGELOG.md

@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased] - ReleaseDate
 
+### Features
+- Implement a new constructrot that allow to open SqliteCryptoStore with a Key
+  ([#5472](https://github.com/matrix-org/matrix-rust-sdk/pull/5472))
+
+### Refactor
+- [breaking] Change the logic for opening a store so as to use a `Secret` enum in the function `open_with_pool` instead of a `passphrase`
+  ([#5472](https://github.com/matrix-org/matrix-rust-sdk/pull/5472))
+
 ## [0.13.0] - 2025-07-10
 
 ### Security Fixes

crates/matrix-sdk-sqlite/Cargo.toml

@@ -42,6 +42,7 @@ thiserror.workspace = true
 tokio = { workspace = true, features = ["fs"] }
 tracing.workspace = true
 vodozemac.workspace = true
+zeroize.workspace = true
 
 [dev-dependencies]
 assert_matches.workspace = true

crates/matrix-sdk-sqlite/src/crypto_store.rs

@@ -52,7 +52,7 @@ use crate::{
         repeat_vars, EncryptableStore, Key, SqliteAsyncConnExt, SqliteKeyValueStoreAsyncConnExt,
         SqliteKeyValueStoreConnExt,
     },
-    OpenStoreError, SqliteStoreConfig,
+    OpenStoreError, Secret, SqliteStoreConfig,
 };
 
 /// The database name.
@@ -92,9 +92,18 @@ impl SqliteCryptoStore {
         Self::open_with_config(SqliteStoreConfig::new(path).passphrase(passphrase)).await
     }
 
+    /// Open the SQLite-based crypto store at the given path using the given
+    /// key to encrypt private data.
+    pub async fn open_with_key(
+        path: impl AsRef<Path>,
+        key: Option<&[u8; 32]>,
+    ) -> Result<Self, OpenStoreError> {
+        Self::open_with_config(SqliteStoreConfig::new(path).key(key)).await
+    }
+
     /// Open the SQLite-based crypto store with the config open config.
     pub async fn open_with_config(config: SqliteStoreConfig) -> Result<Self, OpenStoreError> {
-        let SqliteStoreConfig { path, passphrase, pool_config, runtime_config } = config;
+        let SqliteStoreConfig { path, pool_config, runtime_config, secret } = config;
 
         fs::create_dir_all(&path).await.map_err(OpenStoreError::CreateDir)?;
 
@@ -103,26 +112,26 @@ impl SqliteCryptoStore {
 
         let pool = config.create_pool(Runtime::Tokio1)?;
 
-        let this = Self::open_with_pool(pool, passphrase.as_deref()).await?;
+        let this = Self::open_with_pool(pool, secret).await?;
         this.pool.get().await?.apply_runtime_config(runtime_config).await?;
 
         Ok(this)
     }
 
     /// Create an SQLite-based crypto store using the given SQLite database
-    /// pool. The given passphrase will be used to encrypt private data.
+    /// pool. The given secret will be used to encrypt private data.
     async fn open_with_pool(
         pool: SqlitePool,
-        passphrase: Option<&str>,
+        secret: Option<Secret>,
     ) -> Result<Self, OpenStoreError> {
         let conn = pool.get().await?;
 
         let version = conn.db_version().await?;
         debug!("Opened sqlite store with version {}", version);
         run_migrations(&conn, version).await?;
 
-        let store_cipher = match passphrase {
-            Some(p) => Some(Arc::new(conn.get_or_create_store_cipher(p).await?)),
+        let store_cipher = match secret {
+            Some(s) => Some(Arc::new(conn.get_or_create_store_cipher(s).await?)),
             None => None,
         };
 
@@ -1871,7 +1880,7 @@ mod tests {
 
         SqliteCryptoStore::open(tmpdir_path.to_str().unwrap(), passphrase)
             .await
-            .expect("Can't create a passphrase protected store")
+            .expect("Can't create a secret protected store")
     }
 
     cryptostore_integration_tests!();
@@ -1903,7 +1912,7 @@ mod encrypted_tests {
 
         SqliteCryptoStore::open(tmpdir_path.to_str().unwrap(), Some(pass))
             .await
-            .expect("Can't create a passphrase protected store")
+            .expect("Can't create a secret protected store")
     }
 
     cryptostore_integration_tests!();

crates/matrix-sdk-sqlite/src/event_cache_store.rs

@@ -56,7 +56,7 @@ use crate::{
         repeat_vars, time_to_timestamp, EncryptableStore, Key, SqliteAsyncConnExt,
         SqliteKeyValueStoreAsyncConnExt, SqliteKeyValueStoreConnExt, SqliteTransactionExt,
     },
-    OpenStoreError, SqliteStoreConfig,
+    OpenStoreError, Secret, SqliteStoreConfig,
 };
 
 mod keys {
@@ -126,14 +126,23 @@ impl SqliteEventCacheStore {
         Self::open_with_config(SqliteStoreConfig::new(path).passphrase(passphrase)).await
     }
 
+    /// Open the SQLite-based event cache store at the given path using the
+    /// given key to encrypt private data.
+    pub async fn open_with_key(
+        path: impl AsRef<Path>,
+        key: Option<&[u8; 32]>,
+    ) -> Result<Self, OpenStoreError> {
+        Self::open_with_config(SqliteStoreConfig::new(path).key(key)).await
+    }
+
     /// Open the SQLite-based event cache store with the config open config.
     #[instrument(skip(config), fields(path = ?config.path))]
     pub async fn open_with_config(config: SqliteStoreConfig) -> Result<Self, OpenStoreError> {
         debug!(?config);
 
         let _timer = timer!("open_with_config");
 
-        let SqliteStoreConfig { path, passphrase, pool_config, runtime_config } = config;
+        let SqliteStoreConfig { path, pool_config, runtime_config, secret } = config;
 
         fs::create_dir_all(&path).await.map_err(OpenStoreError::CreateDir)?;
 
@@ -142,25 +151,25 @@ impl SqliteEventCacheStore {
 
         let pool = config.create_pool(Runtime::Tokio1)?;
 
-        let this = Self::open_with_pool(pool, passphrase.as_deref()).await?;
+        let this = Self::open_with_pool(pool, secret).await?;
         this.write().await?.apply_runtime_config(runtime_config).await?;
 
         Ok(this)
     }
 
     /// Open an SQLite-based event cache store using the given SQLite database
-    /// pool. The given passphrase will be used to encrypt private data.
+    /// pool. The given secret will be used to encrypt private data.
     async fn open_with_pool(
         pool: SqlitePool,
-        passphrase: Option<&str>,
+        secret: Option<Secret>,
     ) -> Result<Self, OpenStoreError> {
         let conn = pool.get().await?;
 
         let version = conn.db_version().await?;
         run_migrations(&conn, version).await?;
 
-        let store_cipher = match passphrase {
-            Some(p) => Some(Arc::new(conn.get_or_create_store_cipher(p).await?)),
+        let store_cipher = match secret {
+            Some(s) => Some(Arc::new(conn.get_or_create_store_cipher(s).await?)),
             None => None,
         };
 

crates/matrix-sdk-sqlite/src/lib.rs

@@ -31,6 +31,7 @@ use std::{
 };
 
 use deadpool_sqlite::PoolConfig;
+use zeroize::Zeroize;
 
 #[cfg(feature = "crypto-store")]
 pub use self::crypto_store::SqliteCryptoStore;
@@ -43,13 +44,21 @@ pub use self::state_store::{SqliteStateStore, DATABASE_NAME as STATE_STORE_DATAB
 #[cfg(test)]
 matrix_sdk_test_utils::init_tracing_for_tests!();
 
+#[derive(Clone, Debug, Eq, PartialEq, Zeroize)]
+pub enum Secret {
+    #[zeroize]
+    Key([u8; 32]),
+    #[zeroize]
+    PassPhrase(String),
+}
+
 /// A configuration structure used for opening a store.
 #[derive(Clone)]
 pub struct SqliteStoreConfig {
     /// Path to the database, without the file name.
     path: PathBuf,
-    /// Passphrase to open the store, if any.
-    passphrase: Option<String>,
+    /// Secret to open the store, if any
+    secret: Option<Secret>,
     /// The pool configuration for [`deadpool_sqlite`].
     pool_config: PoolConfig,
     /// The runtime configuration to apply when opening an SQLite connection.
@@ -82,9 +91,9 @@ impl SqliteStoreConfig {
     {
         Self {
             path: path.as_ref().to_path_buf(),
-            passphrase: None,
             pool_config: PoolConfig::new(max(POOL_MINIMUM_SIZE, num_cpus::get_physical() * 4)),
             runtime_config: RuntimeConfig::default(),
+            secret: None,
         }
     }
 
@@ -121,7 +130,13 @@ impl SqliteStoreConfig {
 
     /// Define the passphrase if the store is encoded.
     pub fn passphrase(mut self, passphrase: Option<&str>) -> Self {
-        self.passphrase = passphrase.map(|passphrase| passphrase.to_owned());
+        self.secret = passphrase.map(|passphrase| Secret::PassPhrase(passphrase.to_owned()));
+        self
+    }
+
+    /// Define the key if the store is encoded.
+    pub fn key(mut self, key: Option<&[u8; 32]>) -> Self {
+        self.secret = key.map(|key| Secret::Key(*key));
         self
     }
 
@@ -225,7 +240,7 @@ mod tests {
         path::{Path, PathBuf},
     };
 
-    use super::{SqliteStoreConfig, POOL_MINIMUM_SIZE};
+    use super::{Secret, SqliteStoreConfig, POOL_MINIMUM_SIZE};
 
     #[test]
     fn test_new() {
@@ -248,7 +263,7 @@ mod tests {
     }
 
     #[test]
-    fn test_store_config() {
+    fn test_store_config_when_passphrase() {
         let store_config = SqliteStoreConfig::new(Path::new("foo"))
             .passphrase(Some("bar"))
             .pool_max_size(42)
@@ -257,7 +272,36 @@ mod tests {
             .journal_size_limit(44);
 
         assert_eq!(store_config.path, PathBuf::from("foo"));
-        assert_eq!(store_config.passphrase, Some("bar".to_owned()));
+        assert_eq!(store_config.secret, Some(Secret::PassPhrase("bar".to_owned())));
+        assert_eq!(store_config.pool_config.max_size, 42);
+        assert!(store_config.runtime_config.optimize.not());
+        assert_eq!(store_config.runtime_config.cache_size, 43);
+        assert_eq!(store_config.runtime_config.journal_size_limit, 44);
+    }
+
+    #[test]
+    fn test_store_config_when_key() {
+        let store_config = SqliteStoreConfig::new(Path::new("foo"))
+            .key(Some(&[
+                143, 27, 202, 78, 96, 55, 13, 149, 247, 8, 33, 120, 204, 92, 171, 66, 19, 238, 61,
+                107, 132, 211, 40, 244, 71, 190, 99, 14, 173, 225, 6, 156,
+            ]))
+            .pool_max_size(42)
+            .optimize(false)
+            .cache_size(43)
+            .journal_size_limit(44);
+
+        assert_eq!(store_config.path, PathBuf::from("foo"));
+        assert_eq!(
+            store_config.secret,
+            Some(Secret::Key(
+                [
+                    143, 27, 202, 78, 96, 55, 13, 149, 247, 8, 33, 120, 204, 92, 171, 66, 19, 238,
+                    61, 107, 132, 211, 40, 244, 71, 190, 99, 14, 173, 225, 6, 156,
+                ]
+                .to_owned()
+            ))
+        );
         assert_eq!(store_config.pool_config.max_size, 42);
         assert!(store_config.runtime_config.optimize.not());
         assert_eq!(store_config.runtime_config.cache_size, 43);

crates/matrix-sdk-sqlite/src/state_store.rs

@@ -46,7 +46,7 @@ use crate::{
         repeat_vars, EncryptableStore, Key, SqliteAsyncConnExt, SqliteKeyValueStoreAsyncConnExt,
         SqliteKeyValueStoreConnExt,
     },
-    OpenStoreError, SqliteStoreConfig,
+    OpenStoreError, Secret, SqliteStoreConfig,
 };
 
 mod keys {
@@ -91,17 +91,26 @@ impl fmt::Debug for SqliteStateStore {
 
 impl SqliteStateStore {
     /// Open the SQLite-based state store at the given path using the given
-    /// passphrase to encrypt private data.
+    /// given passphrase to encrypt private data.
     pub async fn open(
         path: impl AsRef<Path>,
         passphrase: Option<&str>,
     ) -> Result<Self, OpenStoreError> {
         Self::open_with_config(SqliteStoreConfig::new(path).passphrase(passphrase)).await
     }
 
+    /// Open the SQLite-based state store at the given path using the given
+    /// key to encrypt private data.
+    pub async fn open_with_key(
+        path: impl AsRef<Path>,
+        key: Option<&[u8; 32]>,
+    ) -> Result<Self, OpenStoreError> {
+        Self::open_with_config(SqliteStoreConfig::new(path).key(key)).await
+    }
+
     /// Open the SQLite-based state store with the config open config.
     pub async fn open_with_config(config: SqliteStoreConfig) -> Result<Self, OpenStoreError> {
-        let SqliteStoreConfig { path, passphrase, pool_config, runtime_config } = config;
+        let SqliteStoreConfig { path, pool_config, runtime_config, secret } = config;
 
         fs::create_dir_all(&path).await.map_err(OpenStoreError::CreateDir)?;
 
@@ -110,17 +119,17 @@ impl SqliteStateStore {
 
         let pool = config.create_pool(Runtime::Tokio1)?;
 
-        let this = Self::open_with_pool(pool, passphrase.as_deref()).await?;
+        let this = Self::open_with_pool(pool, secret).await?;
         this.pool.get().await?.apply_runtime_config(runtime_config).await?;
 
         Ok(this)
     }
 
     /// Create an SQLite-based state store using the given SQLite database pool.
-    /// The given passphrase will be used to encrypt private data.
+    /// The given secret will be used to encrypt private data.
     pub async fn open_with_pool(
         pool: SqlitePool,
-        passphrase: Option<&str>,
+        secret: Option<Secret>,
     ) -> Result<Self, OpenStoreError> {
         let conn = pool.get().await?;
 
@@ -131,8 +140,8 @@ impl SqliteStateStore {
             version = 1;
         }
 
-        let store_cipher = match passphrase {
-            Some(p) => Some(Arc::new(conn.get_or_create_store_cipher(p).await?)),
+        let store_cipher = match secret {
+            Some(s) => Some(Arc::new(conn.get_or_create_store_cipher(s).await?)),
             None => None,
         };
         let this = Self { store_cipher, pool };
@@ -2317,7 +2326,7 @@ mod migration_tests {
     use crate::{
         error::{Error, Result},
         utils::{EncryptableStore as _, SqliteAsyncConnExt, SqliteKeyValueStoreAsyncConnExt},
-        OpenStoreError,
+        OpenStoreError, Secret,
     };
 
     static TMP_DIR: Lazy<TempDir> = Lazy::new(|| tempdir().unwrap());
@@ -2340,7 +2349,9 @@ mod migration_tests {
 
         init(&conn).await?;
 
-        let store_cipher = Some(Arc::new(conn.get_or_create_store_cipher(SECRET).await.unwrap()));
+        let store_cipher = Some(Arc::new(
+            conn.get_or_create_store_cipher(Secret::PassPhrase(SECRET.to_owned())).await.unwrap(),
+        ));
         let this = SqliteStateStore { store_cipher, pool };
         this.run_migrations(&conn, 1, Some(version)).await?;