Hi Keith, Thanks for your reply! And I totally agree with you. The first step should be secure the file system. Actually I should have provided more details on the situation. There are three levels of security we are trying to implement. Wouldn't it be nice if we don't just lock the door but also set some restrictions on the room/item access? So here is the plan. - file system level: as you mentioned, this is step one, and we are going to set the permissions. - database level: this is what's next and the original post is trying to mitigate this level, so we are seeking global settings such as blocking some PRAGMA commands. - table level: implement some integrity column or mechanics to prevent from unauthorized write. Still working on the last two levels, and the database level is toughest part at this time. After reading the specs, it seems the there is not such way to block the -wal file. We are trying to make additional security actions besides the file system security, so feasible sanity operations would be nice.