Index: ext/zonefile/zonefile.c
==================================================================
--- ext/zonefile/zonefile.c
+++ ext/zonefile/zonefile.c
@@ -103,11 +103,12 @@
 ** application may append a more functional implementation of the following 
 ** type and functions to this file before compiling it with
 ** SQLITE_HAVE_ZONEFILE_CODEC defined.
 */
 typedef struct ZonefileCodec ZonefileCodec;
-static int zonefileCodecCreate(int,unsigned char*,int,ZonefileCodec**,char**);
+static int zonefileCodecCreate(
+    int,int,unsigned char*,int,ZonefileCodec**,char**);
 static int zonefileCodecNonceSize(ZonefileCodec*);
 static void zonefileCodecEncode(ZonefileCodec*, unsigned char*, int);
 static void zonefileCodecDecode(ZonefileCodec*, unsigned char*, int);
 static void zonefileCodecDestroy(ZonefileCodec*);
 
@@ -114,10 +115,11 @@
 #ifndef SQLITE_HAVE_ZONEFILE_CODEC
 typedef struct ZonefileCodec ZonefileCodec;
 
 struct ZonefileCodec {
   u8 aKey[16];
+  int bEncrypt;                   /* Second parameter passed to Create() */
 };
 
 /* Create a new encryption module instance using algorithm iAlg.
 **
 **   iAlg==1   AES128 CTR
@@ -131,10 +133,11 @@
 **
 ** Use zonefileCodecDestroy() to reclaim memory.
 */
 static int zonefileCodecCreate(
   int iAlg, 
+  int bEncrypt,                   /* True for encryption, zero for decryption */
   unsigned char *pKey, int nKey, 
   ZonefileCodec **pp, 
   char **pzErr
 ){
   ZonefileCodec *pRet;
@@ -150,10 +153,11 @@
     }else{
       int i;
       for(i=0; i<sizeof(pRet->aKey); i++){
         pRet->aKey[i] = pKey[i % nKey];
       }
+      pRet->bEncrypt = bEncrypt;
     }
   }
 
   return rc;
 }
@@ -174,10 +178,11 @@
   ZonefileCodec *pCodec, 
   unsigned char *pIn, int nIn
 ){
   int i;
   u8 *aNonce = &pIn[nIn];
+  assert( pCodec->bEncrypt );
   sqlite3_randomness(16, aNonce);
   for(i=0; i<nIn; i++){
     pIn[i] = pIn[i] ^ aNonce[i%16] ^ pCodec->aKey[i%16];
   }
 }
@@ -191,10 +196,11 @@
   ZonefileCodec *pCodec, 
   unsigned char *pIn, int nIn
 ){
   int i;
   u8 *aNonce = &pIn[nIn-16];
+  assert( pCodec->bEncrypt==0 );
   for(i=0; i<nIn-16; i++){
     pIn[i] = pIn[i] ^ aNonce[i%16] ^ pCodec->aKey[i%16];
   }
 }
 
@@ -1122,11 +1128,11 @@
   if( zonefileGetParams(pCtx, zJson, &sParam) ) return;
 
   if( sParam.encryptionType!=0 ){
     int n = strlen(sParam.encryptionKey);
     rc = zonefileCodecCreate(
-        sParam.encryptionType, (u8*)sParam.encryptionKey, n, &pCodec, &zErr
+        sParam.encryptionType, 1, (u8*)sParam.encryptionKey, n, &pCodec, &zErr
     );
     if( rc!=SQLITE_OK ){
       if( zErr ){
         sqlite3_result_error(pCtx, zErr, -1);
       }else{
@@ -2583,11 +2589,11 @@
       int n = zonefileKeyFind(pTab->pGlobal, pTab->zDb, pTab->zName, iFile, &z);
       if( n==0 ){
         zErr = sqlite3_mprintf("missing encryption key for file \"%s\"", zFile);
         rc = SQLITE_ERROR;
       }else{
-        rc = zonefileCodecCreate(hdr.encryptionType, (u8*)z, n, &pCodec, &zErr);
+        rc = zonefileCodecCreate(hdr.encryptionType, 0, (u8*)z,n,&pCodec,&zErr);
       }
     }
 
     /* Read some data into memory. */
     if( rc==SQLITE_OK ){

Index: ext/zonefile/zonefile1.test
==================================================================
--- ext/zonefile/zonefile1.test
+++ ext/zonefile/zonefile1.test
@@ -624,8 +624,14 @@
   do_execsql_test 11.1.$i {
     SELECT data.v=nm.v FROM data,nm WHERE data.k=$id AND nm.k=$id
   } 1
   incr i
 }
+
+if {[file exists /dev/null]} {
+  do_catchsql_test 11.2 {
+    INSERT INTO nm_files(filename) VALUES('/dev/null');
+  } {1 {failed to read zonefile header from file "/dev/null"}}
+}
 
 finish_test