Releases: omnilium/go-sqlcipher

Hardening the Encryption Boundary — v0.3.0

@devpikachu devpikachu released this 14 Jun 08:16
Immutable release. Only release title and notes can be modified.
17bd477

A reliability- and security-focused release. No API changes — it stays drop-in; just upgrade your pin.

🐛 Fixed

  • No more process crashes from your callbacks. A panic inside a custom SQL function, aggregator, or unlock-notify handler is now caught and returned as a normal query error instead of taking down the whole process across the cgo boundary. Out-of-memory conditions in aggregates and Deserialize are reported as errors too, rather than crashing.
  • Connection and memory leaks closed. Failed Open calls no longer leak the underlying SQLite handle or its OS file lock, virtual-table cursors are released as queries finish instead of piling up for the life of a connection, and GetFilename/LoadExtension no longer leak C memory. Long-lived, high-throughput, and virtual-table-heavy apps benefit most.

🛡️ Security

  • Encryption keys stay out of SQLite's internal state. When opening a file: DSN, the driver's parameters — including _key — were previously handed to SQLite's URI parser and retained on the connection, where a loaded extension, custom VFS, or authorizer could read the key back via sqlite3_uri_parameter. Those _-prefixed parameters are now stripped before the database is opened. Standard SQLite URI options (cache, mode, vfs, immutable, …) are untouched, so nothing about normal DSN usage changes.
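
The stripping described in the Security note above, sketched as an added example; this is not the driver's own code. `splitDSN` is a hypothetical helper, and the DSN and passphrase are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// splitDSN is a hypothetical helper, not the driver's code. It returns the DSN
// with every "_"-prefixed parameter removed, plus those parameters separately.
func splitDSN(dsn string) (string, url.Values, error) {
	driver := url.Values{}
	base, rawQuery, found := strings.Cut(dsn, "?")
	if !found {
		return dsn, driver, nil
	}
	var kept []string
	for _, pair := range strings.Split(rawQuery, "&") {
		rawName, rawValue, _ := strings.Cut(pair, "=")
		// Decode the name before testing the prefix: SQLite's URI parser
		// resolves %HH escapes, so "%5Fkey" would reach it as "_key".
		name, err := url.QueryUnescape(rawName)
		if err != nil {
			return "", nil, fmt.Errorf("bad parameter name: %w", err)
		}
		if !strings.HasPrefix(name, "_") {
			if pair != "" {
				kept = append(kept, pair) // standard option, passed on as written
			}
			continue
		}
		value, err := url.QueryUnescape(rawValue)
		if err != nil {
			// Do not echo the value: it may be key material.
			return "", nil, fmt.Errorf("bad escape in value of %q", name)
		}
		driver.Add(name, value)
	}
	if len(kept) == 0 {
		return base, driver, nil
	}
	return base + "?" + strings.Join(kept, "&"), driver, nil
}

func main() {
	// Constructed DSN; the passphrase is a placeholder.
	uri, driver, err := splitDSN("file:app.db?cache=shared&_key=example-passphrase&mode=rwc")
	fmt.Println(uri, len(driver["_key"]), err)
}
```

Only the first return value would be handed to SQLite; the key stays in the Go-side map and is applied separately.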

Stability Pass: Keys & Aggregators — v0.2.0

@devpikachu devpikachu released this 12 Jun 09:35
Immutable release. Only release title and notes can be modified.
b2c55bf

A focused fix release for go-sqlcipher.

🐛 Fixed

  • Raw hex keys now open databases. Passing a raw key as _key=x'' previously failed with a SQLCipher syntax error — the documented raw-key form never actually worked. It now opens encrypted databases as intended. If you'd been forced to use a passphrase key as a workaround, you can switch to raw keys.
  • Custom aggregators no longer panic. A custom aggregate function whose constructor returned an error or a nil value would later panic in Done(). Constructor failures are now handled cleanly.

The Fork Goes Encrypted: SQLCipher Lands — v0.1.0

@devpikachu devpikachu released this 12 Jun 09:26
Immutable release. Only release title and notes can be modified.
284b779

The first release of github.com/omnilium/go-sqlcipher — Omnilium's fork of mattn/go-sqlite3, now backed by SQLCipher 4.14.0 for whole-database at-rest encryption.

⚠️ Breaking changes

  • Import under the new path: github.com/omnilium/go-sqlcipher. The driver name (sqlite3) and the public API are unchanged, so it's a drop-in swap — just update the import.
  • OpenSSL libcrypto is now required at build and run time (dynamically linked). Make sure the dev headers and library are present.
  • Platform support narrowed to Linux (x86-64 / ARM64) and Apple Silicon macOS. Intel macOS and Windows are not supported.
  • Go 1.26+ is now the minimum.

✨ New

  • Encrypt a database with one DSN parameter. Pass _key — a passphrase or a raw x'' key — and the entire database is encrypted at rest. The key is applied before the first page read, so write → close → reopen round-trips work cleanly.
  • Cipher tuning for interop. The cipher* / _kdf_iter DSN family lets you open databases created with non-default settings or by the sqlcipher CLI.

🐛 Fixed

  • Hardened the opt-in salted SHA1 crypt encoders against a latent input-slice aliasing bug.