microdb_secure

Transparent AES-128-CBC + HMAC-SHA256 encryption wrapper for microdb.

microdb_secure encrypts KV values, TS samples, and REL rows before they reach storage. Stored records use the layout [IV | tag | ciphertext].

Features

• Encrypts all persisted payloads before they reach microdb
• Uses separate derived keys for encryption, MAC, and IV generation
• Detects tampering with truncated HMAC-SHA256 tags
• Keeps the implementation allocation-free in src/

Build

Linux / Ninja / Makefiles

cmake -B build -DCMAKE_BUILD_TYPE=Debug
cmake --build build
ctest --test-dir build --output-on-failure

Windows / Visual Studio

cmake -B build
cmake --build build --config Debug
ctest --test-dir build -C Debug --output-on-failure

Test Suites

• secure_kv: encrypted key-value operations, TTL, overwrite, tamper detection
• secure_ts: encrypted time-series registration, insert, query, tamper handling
• secure_rel: encrypted relational rows, shadow tables, iteration and deletes
• secure_integration: clean reinit, wrong-key detection, WAL recovery, multi-handle use, db_id variations, and raw ciphertext checks

Current local suite count:

• 25 KV tests
• 20 TS tests
• 20 REL tests
• 16 integration tests

Current local total: 81 tests.

Public API

The public entry points live in include/microdb_secure.h:

• microdb_secure_init, microdb_secure_deinit, microdb_secure_rotate_key
• microdb_secure_kv_*
• microdb_secure_ts_*
• microdb_secure_table_* and microdb_secure_rel_*
• microdb_secure_store_db_id, microdb_secure_load_db_id
• microdb_secure_lock, microdb_secure_unlock

Notes

• CI is defined in .github/workflows/ci.yml for Linux, Windows, and macOS.
• Tagged pushes like v1.0.0 trigger .github/workflows/release.yml, which rebuilds, retests, packages static libraries, and publishes a GitHub Release with per-platform zip assets.
• Wiki sync is defined in .github/workflows/wiki.yml; after GitHub Wiki is enabled in repository settings, pushes to master/main publish docs/wiki/ automatically.