Y'all are making this way harder than it needs to be: 1. SQLite will happily open an empty file as if it were a database. There is no need to prefill it with valid content. 2. If you really need a temporary file (for any reason, not just for use by SQLite) then grab a bunch of high-quality randomness (like from /dev/random), take the hex value of that randomness (or some other encoding, like base-32) and use that for the filename, and you will be perfectly safe. Just make sure that you use plenty of quality randomness - the output of rand() function from libc is *not* quality randomness and will not get you a secure filename - but the randomblob() function in SQL is and will work fine.