tool

SQLCipher

created 2026-04-22 sqlite · encryption · security

SQLCipher

SQLite extension that provides transparent AES-256 encryption at rest. Used by Signal, 1Password, and other security-focused apps.

How It Works

  • Full database encryption using AES-256-CBC
  • Passphrase set via PRAGMA key = 'passphrase' on open
  • Transparent — all SQLite operations work normally after unlock
  • Wrong passphrase results in read errors (not decrypted garbage)

Usage in Kulify

Used in Vault for the encrypted secrets database at ~/.kulify/vault.db.

Go library: github.com/mutecomm/go-sqlcipher/v4 (wraps mattn/go-sqlite3 with SQLCipher).

Key Details

  • Cipher: AES-256 in CBC mode
  • Key derivation: PBKDF2-HMAC-SHA512
  • Each page encrypted independently (random access works)
  • HMAC per page for tamper detection