diff --git a/native/android/app/src/cpp/AESCrypto.cpp b/native/android/app/src/cpp/AESCrypto.cpp
--- a/native/android/app/src/cpp/AESCrypto.cpp
+++ b/native/android/app/src/cpp/AESCrypto.cpp
@@ -5,26 +5,27 @@
 
 using namespace facebook::jni;
 
-class AESCryptoJavaClass : public JavaClass<AESCryptoJavaClass> {
+template <typename T>
+class AESCryptoJavaClass : public JavaClass<AESCryptoJavaClass<T>> {
 public:
   // app.comm.android.aescrypto.AESCryptoModuleCompat
   static auto constexpr kJavaDescriptor =
       "Lapp/comm/android/aescrypto/AESCryptoModuleCompat;";
 
-  static void generateKey(rust::Slice<uint8_t> buffer) {
+  using JavaClass<AESCryptoJavaClass<T>>::javaClassStatic;
+
+  static void generateKey(T buffer) {
     local_ref<JByteBuffer> byteBuffer =
         JByteBuffer::wrapBytes(buffer.data(), buffer.size());
 
     static const auto cls = javaClassStatic();
     static auto method =
-        cls->getStaticMethod<void(local_ref<JByteBuffer>)>("generateKey");
+        cls->template getStaticMethod<void(local_ref<JByteBuffer>)>(
+            "generateKey");
     method(cls, byteBuffer);
   }
 
-  static void encrypt(
-      rust::Slice<uint8_t> key,
-      rust::Slice<uint8_t> plaintext,
-      rust::Slice<uint8_t> sealedData) {
+  static void encrypt(T key, T plaintext, T sealedData) {
     local_ref<JByteBuffer> keyBuffer =
         JByteBuffer::wrapBytes(key.data(), key.size());
     local_ref<JByteBuffer> plaintextBuffer =
@@ -32,17 +33,14 @@
     local_ref<JByteBuffer> sealedDataBuffer =
         JByteBuffer::wrapBytes(sealedData.data(), sealedData.size());
     static const auto cls = javaClassStatic();
-    static auto method = cls->getStaticMethod<void(
+    static auto method = cls->template getStaticMethod<void(
         local_ref<JByteBuffer>,
         local_ref<JByteBuffer>,
         local_ref<JByteBuffer>)>("encrypt");
     method(cls, keyBuffer, plaintextBuffer, sealedDataBuffer);
   }
 
-  static void decrypt(
-      rust::Slice<uint8_t> key,
-      rust::Slice<uint8_t> sealedData,
-      rust::Slice<uint8_t> plaintext) {
+  static void decrypt(T key, T sealedData, T plaintext) {
     local_ref<JByteBuffer> keyBuffer =
         JByteBuffer::wrapBytes(key.data(), key.size());
     local_ref<JByteBuffer> sealedDataBuffer =
@@ -50,7 +48,7 @@
     local_ref<JByteBuffer> plaintextBuffer =
         JByteBuffer::wrapBytes(plaintext.data(), plaintext.size());
     static const auto cls = javaClassStatic();
-    static auto method = cls->getStaticMethod<void(
+    static auto method = cls->template getStaticMethod<void(
         local_ref<JByteBuffer>,
         local_ref<JByteBuffer>,
         local_ref<JByteBuffer>)>("decrypt");
@@ -60,25 +58,24 @@
 
 namespace comm {
 
-void AESCrypto::generateKey(rust::Slice<uint8_t> buffer) {
+template <typename T> void AESCrypto<T>::generateKey(T buffer) {
   NativeAndroidAccessProvider::runTask(
-      [&]() { AESCryptoJavaClass::generateKey(buffer); });
+      [&]() { AESCryptoJavaClass<T>::generateKey(buffer); });
 }
 
-void AESCrypto::encrypt(
-    rust::Slice<uint8_t> key,
-    rust::Slice<uint8_t> plaintext,
-    rust::Slice<uint8_t> sealedData) {
+template <typename T>
+void AESCrypto<T>::encrypt(T key, T plaintext, T sealedData) {
   NativeAndroidAccessProvider::runTask(
-      [&]() { AESCryptoJavaClass::encrypt(key, plaintext, sealedData); });
+      [&]() { AESCryptoJavaClass<T>::encrypt(key, plaintext, sealedData); });
 }
 
-void AESCrypto::decrypt(
-    rust::Slice<uint8_t> key,
-    rust::Slice<uint8_t> sealedData,
-    rust::Slice<uint8_t> plaintext) {
+template <typename T>
+void AESCrypto<T>::decrypt(T key, T sealedData, T plaintext) {
   NativeAndroidAccessProvider::runTask(
-      [&]() { AESCryptoJavaClass::decrypt(key, sealedData, plaintext); });
+      [&]() { AESCryptoJavaClass<T>::decrypt(key, sealedData, plaintext); });
 }
 
+template class AESCrypto<rust::Slice<uint8_t>>;
+template class AESCrypto<std::vector<std::uint8_t> &>;
+
 } // namespace comm
diff --git a/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.h b/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.h
--- a/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.h
+++ b/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.h
@@ -13,7 +13,8 @@
       std::string backupID,
       std::string logID,
       std::uint8_t *patchsetPtr,
-      int patchsetSize);
+      int patchsetSize,
+      std::string encryptionKey);
   std::vector<std::string>
   getAttachmentsFromLog(std::uint8_t *patchsetPtr, int patchsetSize);
 
@@ -25,6 +26,9 @@
       std::function<void(sqlite3 *)> on_db_open_callback) override;
   void closeConnection() override;
   ~NativeSQLiteConnectionManager();
-  bool captureLogs(std::string backupID, std::string logID);
+  bool captureLogs(
+      std::string backupID,
+      std::string logID,
+      std::string encryptionKey);
 };
 } // namespace comm
diff --git a/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.cpp b/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.cpp
--- a/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.cpp
+++ b/native/cpp/CommonCpp/DatabaseManagers/NativeSQLiteConnectionManager.cpp
@@ -1,4 +1,5 @@
 #include "NativeSQLiteConnectionManager.h"
+#include "AESCrypto.h"
 #include "PlatformSpecificTools.h"
 
 #include <fstream>
@@ -11,6 +12,9 @@
 
 const std::string BLOB_SERVICE_PREFIX = "comm-blob-service://";
 
+const int IV_LENGTH = 12;
+const int TAG_LENGTH = 16;
+
 void NativeSQLiteConnectionManager::attachSession() {
   int sessionCreationResult =
       sqlite3session_create(dbConnection, "main", &backupLogsSession);
@@ -47,7 +51,8 @@
     std::string backupID,
     std::string logID,
     std::uint8_t *patchsetPtr,
-    int patchsetSize) {
+    int patchsetSize,
+    std::string encryptionKey) {
   std::string finalFilePath =
       PlatformSpecificTools::getBackupLogFilePath(backupID, logID, false);
   std::string tempFilePath = finalFilePath + "_tmp";
@@ -58,8 +63,22 @@
   if (!tempFile.is_open()) {
     throw std::runtime_error("Failed to open temporary log file.");
   }
-  tempFile.write(reinterpret_cast<const char *>(patchsetPtr), patchsetSize);
+
+  std::vector<std::uint8_t> logBytes(patchsetPtr, patchsetPtr + patchsetSize);
+
+  std::vector<std::uint8_t> encryptedLog;
+  encryptedLog.resize(logBytes.size() + IV_LENGTH + TAG_LENGTH);
+
+  std::vector<std::uint8_t> encryptionKeyBytes(
+      encryptionKey.begin(), encryptionKey.end());
+
+  AESCrypto<std::vector<std::uint8_t> &>::encrypt(
+      encryptionKeyBytes, logBytes, encryptedLog);
+
+  tempFile.write(
+      reinterpret_cast<const char *>(encryptedLog.data()), encryptedLog.size());
   tempFile.close();
+
   if (std::rename(tempFilePath.c_str(), finalFilePath.c_str())) {
     throw std::runtime_error(
         "Failed to rename complete log file from temporary path to target "
@@ -68,7 +87,7 @@
 
   std::vector<std::string> attachments =
       getAttachmentsFromLog(patchsetPtr, patchsetSize);
-  if (!attachments.size()) {
+  if (attachments.empty()) {
     return;
   }
 
@@ -185,7 +204,8 @@
 
 bool NativeSQLiteConnectionManager::captureLogs(
     std::string backupID,
-    std::string logID) {
+    std::string logID,
+    std::string encryptionKey) {
   int patchsetSize;
   std::uint8_t *patchsetPtr;
   int getPatchsetResult = sqlite3session_patchset(
@@ -201,7 +221,7 @@
     return false;
   }
 
-  persistLog(backupID, logID, patchsetPtr, patchsetSize);
+  persistLog(backupID, logID, patchsetPtr, patchsetSize, encryptionKey);
   sqlite3_free(patchsetPtr);
 
   // The session is not "zeroed" after capturing log.
diff --git a/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.h b/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.h
--- a/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.h
+++ b/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.h
@@ -20,6 +20,9 @@
   static std::once_flag initialized;
   static int sqlcipherEncryptionKeySize;
   static std::string secureStoreEncryptionKeyID;
+  static int backupLogsEncryptionKeySize;
+  static std::string secureStoreBackupLogsEncryptionKeyID;
+  static std::string backupLogsEncryptionKey;
 
 #ifndef EMSCRIPTEN
   static NativeSQLiteConnectionManager connectionManager;
diff --git a/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp b/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
--- a/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
+++ b/native/cpp/CommonCpp/DatabaseManagers/SQLiteQueryExecutor.cpp
@@ -25,6 +25,10 @@
 int SQLiteQueryExecutor::sqlcipherEncryptionKeySize = 64;
 std::string SQLiteQueryExecutor::secureStoreEncryptionKeyID =
     "comm.encryptionKey";
+int SQLiteQueryExecutor::backupLogsEncryptionKeySize = 32;
+std::string SQLiteQueryExecutor::secureStoreBackupLogsEncryptionKeyID =
+    "comm.backupLogsEncryptionKey";
+std::string SQLiteQueryExecutor::backupLogsEncryptionKey;
 
 #ifndef EMSCRIPTEN
 NativeSQLiteConnectionManager SQLiteQueryExecutor::connectionManager;
@@ -1654,9 +1658,15 @@
     SQLiteQueryExecutor::sqliteFilePath = databasePath;
     folly::Optional<std::string> maybeEncryptionKey =
         CommSecureStore::get(SQLiteQueryExecutor::secureStoreEncryptionKeyID);
+    folly::Optional<std::string> maybeBackupLogsEncryptionKey =
+        CommSecureStore::get(
+            SQLiteQueryExecutor::secureStoreBackupLogsEncryptionKeyID);
 
-    if (file_exists(databasePath) && maybeEncryptionKey) {
+    if (file_exists(databasePath) && maybeEncryptionKey &&
+        maybeBackupLogsEncryptionKey) {
       SQLiteQueryExecutor::encryptionKey = maybeEncryptionKey.value();
+      SQLiteQueryExecutor::backupLogsEncryptionKey =
+          maybeBackupLogsEncryptionKey.value();
       return;
     }
     SQLiteQueryExecutor::assign_encryption_key();
@@ -1760,9 +1770,16 @@
 void SQLiteQueryExecutor::assign_encryption_key() {
   std::string encryptionKey = comm::crypto::Tools::generateRandomHexString(
       SQLiteQueryExecutor::sqlcipherEncryptionKeySize);
+  std::string backupLogsEncryptionKey =
+      comm::crypto::Tools::generateRandomHexString(
+          SQLiteQueryExecutor::backupLogsEncryptionKeySize);
   CommSecureStore::set(
       SQLiteQueryExecutor::secureStoreEncryptionKeyID, encryptionKey);
+  CommSecureStore::set(
+      SQLiteQueryExecutor::secureStoreBackupLogsEncryptionKeyID,
+      backupLogsEncryptionKey);
   SQLiteQueryExecutor::encryptionKey = encryptionKey;
+  SQLiteQueryExecutor::backupLogsEncryptionKey = backupLogsEncryptionKey;
 }
 
 void SQLiteQueryExecutor::captureBackupLogs() const {
@@ -1776,8 +1793,8 @@
     logID = "0";
   }
 
-  bool newLogCreated =
-      SQLiteQueryExecutor::connectionManager.captureLogs(backupID, logID);
+  bool newLogCreated = SQLiteQueryExecutor::connectionManager.captureLogs(
+      backupID, logID, SQLiteQueryExecutor::backupLogsEncryptionKey);
   if (!newLogCreated) {
     return;
   }
diff --git a/native/cpp/CommonCpp/Tools/AESCrypto.h b/native/cpp/CommonCpp/Tools/AESCrypto.h
--- a/native/cpp/CommonCpp/Tools/AESCrypto.h
+++ b/native/cpp/CommonCpp/Tools/AESCrypto.h
@@ -4,17 +4,11 @@
 
 namespace comm {
 
-class AESCrypto {
+template <typename T> class AESCrypto {
 public:
-  static void generateKey(rust::Slice<uint8_t> buffer);
-  static void encrypt(
-      rust::Slice<uint8_t> key,
-      rust::Slice<uint8_t> plaintext,
-      rust::Slice<uint8_t> sealedData);
-  static void decrypt(
-      rust::Slice<uint8_t> key,
-      rust::Slice<uint8_t> sealedData,
-      rust::Slice<uint8_t> plaintext);
+  static void generateKey(T buffer);
+  static void encrypt(T key, T plaintext, T sealedData);
+  static void decrypt(T key, T sealedData, T plaintext);
 };
 
 } // namespace comm
diff --git a/native/ios/Comm/AESCrypto.mm b/native/ios/Comm/AESCrypto.mm
--- a/native/ios/Comm/AESCrypto.mm
+++ b/native/ios/Comm/AESCrypto.mm
@@ -4,7 +4,7 @@
 
 namespace comm {
 
-void AESCrypto::generateKey(rust::Slice<uint8_t> buffer) {
+template <typename T> void AESCrypto<T>::generateKey(T buffer) {
   NSError *keyGenerationError = nil;
   [AESCryptoModuleObjCCompat generateKey:buffer.data()
                        destinationLength:buffer.size()
@@ -15,10 +15,8 @@
   }
 }
 
-void AESCrypto::encrypt(
-    rust::Slice<uint8_t> key,
-    rust::Slice<uint8_t> plaintext,
-    rust::Slice<uint8_t> sealedData) {
+template <typename T>
+void AESCrypto<T>::encrypt(T key, T plaintext, T sealedData) {
   NSData *keyBuffer = [NSData dataWithBytesNoCopy:key.data()
                                            length:key.size()
                                      freeWhenDone:NO];
@@ -37,10 +35,8 @@
   }
 }
 
-void AESCrypto::decrypt(
-    rust::Slice<uint8_t> key,
-    rust::Slice<uint8_t> sealedData,
-    rust::Slice<uint8_t> plaintext) {
+template <typename T>
+void AESCrypto<T>::decrypt(T key, T sealedData, T plaintext) {
   NSData *keyBuffer = [NSData dataWithBytesNoCopy:key.data()
                                            length:key.size()
                                      freeWhenDone:NO];
@@ -59,4 +55,7 @@
   }
 }
 
+template class AESCrypto<rust::Slice<uint8_t>>;
+template class AESCrypto<std::vector<std::uint8_t> &>;
+
 } // namespace comm
diff --git a/native/native_rust_library/RustAESCrypto.cpp b/native/native_rust_library/RustAESCrypto.cpp
--- a/native/native_rust_library/RustAESCrypto.cpp
+++ b/native/native_rust_library/RustAESCrypto.cpp
@@ -4,21 +4,21 @@
 namespace comm {
 
 void aesGenerateKey(rust::Slice<uint8_t> buffer) {
-  AESCrypto::generateKey(buffer);
+  AESCrypto<rust::Slice<uint8_t>>::generateKey(buffer);
 }
 
 void aesEncrypt(
     rust::Slice<uint8_t> key,
     rust::Slice<uint8_t> plaintext,
     rust::Slice<uint8_t> sealedData) {
-  AESCrypto::encrypt(key, plaintext, sealedData);
+  AESCrypto<rust::Slice<uint8_t>>::encrypt(key, plaintext, sealedData);
 }
 
 void aesDecrypt(
     rust::Slice<uint8_t> key,
     rust::Slice<uint8_t> sealedData,
     rust::Slice<uint8_t> plaintext) {
-  AESCrypto::decrypt(key, sealedData, plaintext);
+  AESCrypto<rust::Slice<uint8_t>>::decrypt(key, sealedData, plaintext);
 }
 
 } // namespace comm
diff --git a/web/database/_generated/comm_query_executor.wasm b/web/database/_generated/comm_query_executor.wasm
index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000
GIT binary patch
literal 0
Hc$@<O00001

literal 0
Hc$@<O00001