In principal, the VFS interface should be sufficient to implement your own encryption layer. However, the devil could be in the details - it heavily depends on the requirements of your encryption layer. Most likely, the main problem will be to reliably identify which database page is read or written, because the VFS interface is rather low-level and provides for example only information about offset and size of a chunk to be read or written, but no information about the page number (which most encryption extensions need to know, but maybe yours is an exception). Another critical issue could be the handling of attached database files. The `ATTACH` command had an undocumented additional keyword, namely `KEY`, for specifying the encryption key for the attached database. Most likely, support for this undocumented keyword has also gone. You are certainly not the only one affected by this change. For example, there is the [SQLCipher project](https://www.zetetic.net/sqlcipher/). Sooner or later they will have to tackle this problem, too. And if you are lucky, they will make their solution publicly available.