tool
SQLCipher
created 2026-04-22 sqlite · encryption · security
SQLCipher
SQLite extension that provides transparent AES-256 encryption at rest. Used by Signal, 1Password, and other security-focused apps.
How It Works
- Full database encryption using AES-256-CBC
- Passphrase set via
PRAGMA key = 'passphrase'on open - Transparent — all SQLite operations work normally after unlock
- Wrong passphrase results in read errors (not decrypted garbage)
Usage in Kulify
Used in Vault for the encrypted secrets database at ~/.kulify/vault.db.
Go library: github.com/mutecomm/go-sqlcipher/v4 (wraps mattn/go-sqlite3 with SQLCipher).
Key Details
- Cipher: AES-256 in CBC mode
- Key derivation: PBKDF2-HMAC-SHA512
- Each page encrypted independently (random access works)
- HMAC per page for tamper detection