-
Notifications
You must be signed in to change notification settings - Fork 0
Architecture
github-actions[bot] edited this page Mar 31, 2026
·
1 revision
The public API is declared in include/microdb_secure.h, while the implementation lives in src/microdb_secure.c.
The master key is expanded into three domain-separated keys:
- encryption key
- MAC key
- IV derivation key
Each stored payload is encoded as:
[IV | tag | ciphertext]
The MAC covers:
- database ID
- optional engine-specific metadata
- IV
- ciphertext
Protected payloads:
- KV values
- TS samples
- REL row blobs
Not protected:
- key names
- table names
- schema metadata outside encrypted row payloads
When microdb storage is backed by the POSIX port, the secure wrapper rides on top of the upstream WAL and recovery flow. The integration suite covers both:
- clean flush and reopen
- simulated power loss with replay on next open