SQLCipher 4.5.0 Release

2021-10-28 08:00:00 -0400

We are pleased to announce that SQLCipher 4.5.0 is now available. It includes the following important changes:

SQLCipher Core

  • Updates baseline to use SQLite 3.36.0
  • Changes the enhanced memory security feature to be DISABLED by default; once enabled by PRAGMA cipher_memory_security = ON, it can’t be turned off for the lifetime of the process
  • Changes PRAGMA cipher_migrate to permanently enter an error state if a migration fails
  • Fixes memory locking/unlocking issue with realloc implementation on hardened runtimes when memory security is enabled
  • Fixes cipher_migrate to clean up the temporary database if a migration fails
  • Removes logging of non-string pointers when compiling with trace level logging

Important Upgrade Considerations

SQLCipher 4.5.0 contains two important changes that alter the fundamental behavior of SQLCipher.

Memory Security: SQLCipher 4.0 introduced a new enhanced memory security feature. While SQLCipher had previously implemented memory sanitization and locking for internal allocations related directly to SQLCipher’s cryptographic implementation, the new memory security feature extended to ALL memory allocated by the library (i.e. by SQLite internal logic outside of SQLCipher). Initially this feature was enabled by default. However, after reviewing feedback from customers and the community, we have decided to disable this feature by default, but still allow it to be enabled on demand. This will allow developers to selectively turn on this feature when dictated by their security requirements without impacting performance for all use cases. Note that if your application requires the memory security feature, it must call PRAGMA cipher_memory_security = ON early in the application life-cycle to enable the feature. Once memory security is enabled it can’t be disabled for the lifetime of the process.

Migration: Previous versions of SQLCipher’s PRAGMA cipher_migrate could leave a database connection usable after a failed upgrade. While an error would be reported in the result set, an application that ignored the return value could continue to use the database at the older version’s security settings. The most common causes of this issue would be inadequate drive space to perform the migration or an attempt to migrate on a read-only connection. In SQLCipher 4.5.0 the database connection will be rendered unusable (causing an exception to be thrown or a hard error reported). Applications that use cipher_migrate and upgrade to 4.5.0 should ensure they check the result set from the PRAGMA and handle any migration exceptions.
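One way to check the cipher_migrate result and fail closed, as an added example that is not part of the original announcement or of SQLCipher's own code. It assumes a Python DB-API binding for SQLCipher and that the PRAGMA reports success as a single row containing 0; StubConnection, discard and migrate_or_fail are hypothetical names.

```python
import sqlite3  # stock module used only for the demo; it has no cipher_migrate


class MigrationFailed(Exception):
    """PRAGMA cipher_migrate did not report success."""


class StubConnection:
    """Constructed stand-in that replays one fixed PRAGMA result row."""
    def __init__(self, row):
        self.row, self.closed = row, False
    def execute(self, sql):
        return self
    def fetchone(self):
        return self.row
    def close(self):
        self.closed = True


def discard(conn):
    """Close the handle so no caller can keep using a non-migrated database."""
    try:
        conn.close()
    except Exception:
        pass


def migrate_or_fail(conn):
    """Run cipher_migrate and fail closed on anything other than success.

    Assumption: success is a single row whose value is 0 (int or the text "0").
    """
    try:
        row = conn.execute("PRAGMA cipher_migrate").fetchone()
    except Exception as exc:  # a binding may surface a failed migration as an exception
        discard(conn)
        raise MigrationFailed(f"cipher_migrate raised: {exc}") from exc
    if row is None or str(row[0]).strip() != "0":
        discard(conn)  # no row means the library ignored the PRAGMA entirely
        raise MigrationFailed(f"cipher_migrate result: {row!r}")
    return conn


if __name__ == "__main__":
    try:
        migrate_or_fail(sqlite3.connect(":memory:"))
    except MigrationFailed as err:
        print("refusing to continue:", err)
```

Treating a missing result row as a failure also catches the case where the application was linked against plain SQLite, which silently ignores unknown PRAGMAs.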

SQLCipher Commercial and Enterprise

The following changes and enhancements are available for Commercial and Enterprise packages:

  • The SQLCipher Statistics feature now includes detailed memory usage information. The sqlcipher_stats virtual table will now return current library memory use, high memory use, memory allocation, reallocation, and free times and counts. These statistics are inclusive of memory sanitization time, allowing for detailed profiling of the enhanced memory security feature.
  • Packages now use in-memory temporary storage by default, but allow an application to override that setting using PRAGMA temp_store = FILE;. Using FILE temporary storage may be necessary in certain circumstances, like performing a VACUUM on a very large database.
  • SQLite’s snapshot feature is now enabled.
  • Java and .NET library wrappers have been updated to the latest available versions.
  • Non-FIPS packages using OpenSSL now include the latest release of 1.1.1l.

SQLCipher for Android Refresh Upcoming

Zetetic is actively developing a new SQLCipher for Android library that is completely rebuilt with an updated Java API, more closely tied to the current Android android.database.sqlite implementation. This new library is separate from, and being developed in parallel with, the current SQLCipher for Android library. It natively supports connection pooling and other advanced features, providing vastly improved performance, concurrency, and developer experience.

This new SQLCipher for Android will initially be available on GitHub and will require developer build integration for dependencies. Community and Commercial build artifacts will be available once we begin to transition to the new library after thorough testing. The existing SQLCipher for Android packages (android-database-sqlcipher) will continue to be maintained in parallel during a transition period, before the old library is eventually deprecated. Keep an eye out for future details about the availability of the new library!

Availability

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages is available to all licensees with an active support subscription from the Customer Downloads fulfillment site. Licensees will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and CocoaPods for iOS.

Codebook 4.4 Released - Adds Support for Image and PDF Storage

2021-10-07 20:00:00 -0400

Codebook 4.4, the latest release of our password manager, is now available. In this version we’ve added support for storing image and PDF files as attachments to Entry records, along with support for large databases (e.g. > 1GB), an improved sync feature, and a ton of other adjustments and improvements. A new Help page is available for the attachments feature, and we’ve got a getting started tutorial for it as well. Get the full run-down of changes in this version, and update to the latest version to check it out!

Codebook 2 for iOS 14.5 Migration Help

2021-05-05 08:00:00 -0400

We’ve just posted some information on our discussion forum about Codebook 2 no longer running on iOS 14.5. If you’re unable to access your data we’ve got migration steps available.

SQLCipher 4.4.3 Release

2021-03-02 07:00:00 -0500

We are pleased to announce that SQLCipher 4.4.3 is now available. It includes the following important changes:

SQLCipher Core

  • Updates baseline to use SQLite 3.34.1
  • Fixes bug in sqlcipher_export() handling of NULL parameters
  • Removes randomization from several tests to avoid spurious failures
  • Changes internal usage of sqlite_master to sqlite_schema
  • Omits unused profiling function under certain defines to avoid compiler warnings

SQLCipher Commercial and Enterprise

The following changes and enhancements are available for Commercial and Enterprise packages:

  • Improves SQLCipher for iOS to include static libraries packaged in an .xcframework supporting Simulator on Apple Silicon
  • Updates packaging for SQLCipher for iOS to use a notarized DMG to avoid security warnings on Big Sur
  • Increases minimum supported Java version for the SQLCipher JDBC package to Java 8
  • Non-FIPS packages using OpenSSL now include the latest release of 1.1.1j

Availability

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages is available to all licensees with an active support subscription from the Customer Downloads fulfillment site. Licensees will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and CocoaPods for iOS.

Codebook Development Notes, Dec 2020

2020-12-21 10:03:00 -0500

New About window in Codebook for macOS

We’ve got another Codebook development update post available for the month, this time over on the discussion forum, in case anybody wants to leave feedback directly. Like the last one in November, it has news about our current efforts, what we’ll be working on next, and how we’ve been responding to feedback and bug reports. We have a few point release updates on the way, but we’ll be holding off until after the holidays so we can provide proper customer support should anything arise.

Happy holidays from all of us here at Zetetic!