We’re pleased to announce the immediate availability of SQLCipher 4.10.0. This release includes a number of enhancements and security updates.

SQLCipher Core

• Updates baseline to latest SQLite 3.50.4
• Allows compile time override of default log level via SQLCIPHER_LOG_LEVEL_DEFAULT macro
• Fixes detection of CommonCrypto version on macOS
• Improves CommonCrypto version detection on iOS
• Fixes issue with using -fsanitize=address on macOS

Note that the new SQLite 3.50.4 contains several security fixes. Applications that use SQLCipher and allow untrusted schema modification are advised to upgrade.

Important Note: Applications upgrading from versions of SQLCipher 4.6.1 or earlier should be aware that this version of SQLCipher incorporates several potential breaking changes from SQLCipher 4.7.0. Please carefully review the 4.7.0 release notes before upgrading.

Swift Package Manager Support

SQLCipher 4.10.0 introduces support for integration via Swift Package Manager with Xcode for Apple platforms like iOS and macOS. Please consider updating your projects to use Swift Package Manager today according the appropriate documentation:

1. Swift Package Manager for Community Edition
2. Swift Package Manager for Commercial & Enterprise
3. Swift Package Manager for Library Integrations

Swift Package Manager is replacing CocoaPods support. This is the last release where we will be publishing a Podspec for SQLCipher.

SQLCipher Commercial and Enterprise

• Fixes error handling KDF_NONE in sqlcipher_vle_pbkdf2 function
• Adds additional options for setting License Codes (see below)
• Improves FIPS module resolution logic for macOS bundles
• Significant improvements to virtually all integration example programs included with SQLCipher packages
• Remove deprecated example programs from packages
• Removes redundant zetetic- prefix from NuGet packages for .NET (see below)
• Consolidates iOS and macOS into a single Apple integration package

License Code Changes

SQLCipher Commercial and Enterprise Editions require integrating applications to unlock the software by providing the license code using PRAGMA cipher_license. This approach works well for most applications, but requires modification of the application code. Starting in this release, SQLCipher now supports several additional options for providing the license code. The license code value may now be set in:

• The environmental variable CIPHER_LICENSE
• A file named cipher_license in the same directory as the SQLCipher library
• A file named cipher_license in the same directory as the current executable
• A file named cipher_license in the same directory as the current working directory
• A file named cipher_license in the Resources directory next to the main library in a macOS bundle
• An arbitrary file path set using the CIPHER_LICENSE_FILE environmental variable

NuGet Package Name Changes

Commercial and Enterprise NuGet packages have been renamed in this release to remove the redundant zetetic- prefix. For example, the package previously named zetetic-sqlcipher-ios is now simply sqlcipher-ios. Similarly the package previously named zetetic-sqlite-net-base is now named sqlcipher-sqlite-net-base. Applications using SQLCipher NuGet packages can simply remove the references from the old packages, and add a new reference to the current package. Alternately, the value of the <PackageReference> tags can be modified in the application .csproj directly.

This is a packaging naming change only, so no code changes are required. The following is a complete list of package renames for reference:

• zetetic-sqlcipher-android => sqlcipher-android
• zetetic-sqlcipher-ios => sqlcipher-ios
• zetetic-sqlcipher-linux-fips => sqlcipher-linux-fips
• zetetic-sqlcipher-linux => sqlcipher-linux
• zetetic-sqlcipher-macos-fips => sqlcipher-macos-fips
• zetetic-sqlcipher-macos => sqlcipher-macos
• zetetic-sqlcipher-uwp => sqlcipher-uwp
• zetetic-sqlcipher-windows-fips => sqlcipher-windows-fips
• zetetic-sqlcipher-windows => sqlcipher-windows
• zetetic-sqlcipher-windows-system-data-sqlite => sqlcipher-windows-system-data-sqlite
• zetetic-sqlcipher-windows-vcrtforwarders => sqlcipher-windows-vcrtforwarders
• zetetic-sqlite-net-base => sqlcipher-sqlite-net-base

Apple Consolidation

SQLCipher Commercial and Enterprise packages for iOS and macOS are now consolidated into a single downloadable package. Integration is now simplified by requring on a single SQLCipher.xcframework package to be added, and the each platform will be unlocked with an appropriate License Code. As a result of this change packages previously available as separate sqlcipher-ios-X.X.X.zip and sqlcipher-macos-X.X.X.zip are now replaced by a sqlcipher-apple-X.X.X.zip for delivery.

Upgrading and Availability

SQLCipher 4.10.0 is available for download now. We strongly recommend testing your applications thoroughly with the new version before deploying to production.

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages are available to all licensees with an active CipherCare support subscription from the Customer Downloads fulfillment site. Subscribers will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team. Commercial and Enterprise edition upgrades require a new license code from the SQLCipher fulfillment site for each version. Don’t forget to change the license code in your application(s) when you upgrade.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and Swift Package Manager for Apple platforms.

For feedback and questions, please visit our Community Forum or private support channels. Thank you for using SQLCipher!

Google is now making 16KB page compatibility required for applications in the Play Store. To support this requirement, native libraries for Android must be specifically built to support 16KB page sizes.

While the modern SQLCipher for Android library has fully supported 16KB page sizes since version 4.6.1, the legacy Community Edition of android-database-sqlcipher is no longer supported or receiving published updates. It was deprecated in 2022 and reached end-of-life in 2023. As a result, applications still using the android-database-sqlcipher Community Edition package will not be able to meet Google’s new requirement.

There are two supported options for affected applications:

1. Upgrade to the new sqlcipher-android library - As the official replacement library, it has been already updated for 16KB page size support. There are steps involved in migrating, but most applications should only require minor modifications. As a bonus, applications will see improved stability and better performance from the new library.

2. License SQLCipher for Android Commercial Edition - We continue to provide limited, post-end-of-life, support for the legacy library to commercial customers. This includes an android-database-sqlcipher compatibility package with 16KB page size support. It will meet Google’s new mandate. If you are interested, please contact us to discuss options, or license directly online.

We recommend that applications address these requirements as a priority, as Android 15 is now rolling out to devices.

We’re pleased to announce the immediate availability of SQLCipher 4.9.0. This is a patch release and security update that:

1. Updates the SQLite baseline to SQLite 3.49.2 to address a security issue in the upstream SQLite library.
2. Fixes a small resource leak related to library cleanup when compiling with SQLITE_OMIT_AUTOINIT defined.

The SQLite 3.49.2 update fixes a bug that could allow someone with access to run arbitrary CREATE TABLE statements to trigger a memory error and process crash. The issue was introduced along with NOT NULL optimizations in SQLite 3.40.0 and subsequently incorporated into SQLCipher 4.5.4.

Since it is extremely unusual for secured applications to allow untrusted schema modifications, this may be classified as a moderate-severity issue. Applications that use SQLCipher 4.5.4 through 4.8.0 and allow untrusted schema modification are strongly advised to upgrade.

Important Note: Applications upgrading from versions of SQLCipher 4.6.1 or earlier should be aware that this version of SQLCipher incorporates several potential breaking changes from SQLCipher 4.7.0. Please carefully review the 4.7.0 release notes before upgrading.

Upgrading and Availability

SQLCipher 4.9.0 is available for download now. We strongly recommend testing your applications thoroughly with the new version before deploying to production.

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages are available to all licensees with an active CipherCare support subscription from the Customer Downloads fulfillment site. Subscribers will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team. Commercial and Enterprise edition upgrades require a new license code from the SQLCipher fulfillment site for each version. Don’t forget to change the license code in your application(s) when you upgrade.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and CocoaPods for iOS.

For feedback and questions, please visit our Community Forum or private support channels. Thank you for using SQLCipher!

We’re pleased to announce SQLCipher 4.8.0, which is a minor update that builds on the recent 4.7.0 release and incorporates several incremental fixes and improvements.

Important Note: Applications upgrading from versions of SQLCipher 4.6.1 or earlier should be aware that this version of SQLCipher incorporates several potential breaking changes from SQLCipher 4.7.0. Please carefully review the 4.7.0 release notes before upgrading.

SQLCipher Core

The following changes are included in SQLCipher core:

• Fixes regression in PRAGMA cipher_migrate which would raise an error when migrate was called on a current version database (i.e. migration was not necessary). This restores the old behavior where the spurious operation would be ignored.
• Improves selective locking for shared cache mode connections (note: use of shared cache is strongly discouraged)
• Reduces initial memory allocation requirement for private heap
• Add tracking and debug logging of private heap usage statistics
• Removes invasive changes to process working set size on Windows
• sqlcipher-android allows custom logging targets via the Logger class (uses logcat for compatibility by default)

Commercial and Enterprise Editions

The following changes are included in noted SQLCipher Commercial or Enterprise packages:

• Updates .NET references to Microsoft.EntityFrameworkCore.Sqlite.Core and Microsoft.Data.Sqlite.Core references to 9.0.4 to eliminate NuGet vulnerability warnings related to earlier version’s dependencies on System.Text.Json.
• Allows reference WinUI project to automatically use SQLCipher Windows .NET FIPS packages when present
• Removes the now unnecessary slf4j-api dependency from the SQLCipher for JDBC example project
• Improves the SQLCipher for Linux FIPS examples related to ARM 32-bit builds
• Improves the SQLCipher for Linux examples for multi-architecture compilation

Upgrading and Availability

SQLCipher 4.8.0 is available for download now. We strongly recommend testing your applications thoroughly with the new version before deploying to production.

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages are available to all licensees with an active CipherCare support subscription from the Customer Downloads fulfillment site. Subscribers will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team. Commercial and Enterprise edition upgrades require a new license code from the SQLCipher fulfillment site for each version. Don’t forget to change the license code in your application(s) when you upgrade.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and CocoaPods for iOS.

For feedback and questions, please visit our Community Forum or private support channels.

We’re pleased to announce SQLCipher 4.7.0, which updates the baseline to SQLite 3.49.1 and includes several major improvements to memory management, library initialization, and cryptographic operations. This release represents the largest set of improvements since SQLCipher 4 and it should prove to be much faster and more efficient for most integrating applications.

Core Improvements and Breaking Changes

The new version of SQLCipher incorporates a major build system change introduced by upstream SQLite’s transition to use autosetup in version 3.48.0. This restructuring required corresponding changes to SQLCipher that substantially diverge from the historical build process. This resulted in several “breaking changes” to build flags and file output naming. We’ve taken advantage of this opportunity to introduce additional optimizations and security enhancements that also required major changes.

Since these changes mainly affect the library and executable build steps, they should primary affect integrators that are building from source (i.e. the Open Source Community Edition of SQLCipher). We have worked hard to minimize impact for Commercial and Enterprise customers; our official packages abstract away most of the underlying build system changes.

One notable inherited change from SQLite could affect all SQLCipher packages: the behavior of SELECT statements on encrypted databases prior to keying. SQLCipher’s documentation has always stated that applications should provide a key to the database via sqlite3_key(), sqlite3_key_v2(), or PRAGMA key as the first operation on a database connection. However, in previous versions of SQLCipher, it was technically possible to invoke schema-less statements (those that would not read from the database, e.g. SELECT 1) prior to keying. That is no longer possible in this release. Applications now MUST set the key prior to executing these types of statements as they do read the database file. This new requirement stems from a change to SQLite’s internal query parsing logic. Note that this change should not affect well-behaved applications that previously adhered to SQLCipher integration guidelines, but it still presents potential as a breaking change in some limited cases.

The following summarizes the breaking changes required for alignment with upstream SQLite and other improvements:

All packages:

• SELECT statements (including schema independent queries like SELECT 1) cannot be executed prior to setting the database key on encrypted database

Build system only:

• Renamed configure flag --enable-tempstore=yes to --with-tempstore=yes for alignment with SQLite
• Renamed default executable and library build outputs from sqlcipher and libsqlcipher to sqlite3 and libsqlite3
• Removed configure flag --with-crypto-lib (replace with appropriate -DSQLCIPHER_CRYPTO_* CFLAG)
• Required defining SQLITE_EXTRA_INIT=sqlcipher_extra_init and SQLITE_EXTRA_SHUTDOWN=sqlcipher_extra_shutdown at compile time
• Enforced thread safe mode (i.e. SQLITE_THREADSAFE of 1 or 2) and temporary storage (i.e. SQLITE_TEMP_STORE of 2 or 3) settings at compile time

This release also includes a substantial change to the library initialization and cleanup to reduce overhead and improve performance. As part of this change, SQLCipher now allocates most required memory at startup. This approach is more efficient, improves memory locking on constrained platforms while reducing memory fragmentation. It should reduce or eliminate mlock and VirtualLock warnings on Android and Windows respectively.

Additional core changes and improvements include:

• Fast random overwrite of freed memory segments
• Dynamic on-demand generation of keyspecs
• Expanded keyspec/raw key format to accept key, HMAC key, and salt values
• Basic obfuscation of context key material
• Expanded sqlcipher_provider interface with init and shutdown functions
• Support for .recover shell command on corrupt databases with a full plaintext first page
• Improved error handling in sqlcipher_export() and PRAGMA cipher_migrate
• Custom compile-time default cryptographic provider via the SQLCIPHER_CRYPTO_CUSTOM macro
• Removed support for OpenSSL versions older than 3.0

SQLCipher for Android

SQLCipher for Android includes two major library changes:

1. A new Cursor Window implementation makes fetching data much faster by avoiding round trips through Java and JNI layers. It also makes more efficient use of memory for objects of different sizes.
2. Adjustments to connection pool initialization during startup improves first-statement execution time for WAL-based Room databases by using the primary connection first and deferring pool expansion until it is strictly required.

Applications using SQLCipher for Android can expect to see measurable performance improvements with this upgrade, as evidenced by the following benchmarks:

UPDATE 2025-03-31: A 4.7.2 patch release is now available for the following: SQLCipher for Android (All Editions), SQLCipher for Android FIPS (Enterprise), and SQLCipher for React Native (Enterprise). It fixes two unpredictable defects in SQLCipher for Android 4.7.0’s new Cursor Window implementation that could cause a crash when a large query result set triggers a window resize with a fragmented heap. Applications using affected 4.7.0 packages should upgrade. Earlier versions of SQLCipher for Android below 4.7.0 are unaffected.

Commercial and Enterprise Editions

Most notably, the new version of SQLCipher Commercial and Enterprise packages include a massive performance improvement for multi-connection workloads. Applications with connection-heavy use cases that use multiple database handles to the same databases can expect to see a 100%+ speedup when establishing new connections. This can greatly enhance throughput for applications, especially with numerous concurrent connections or when using connection pools (e.g. on Java, Android, ADO.NET, EntityFrameworkCore, etc). These performance improvements are exclusive to Commercial and Enterprise builds.

For example, the following benchmarks show single and multi-threaded scenarios between 4.6.1 and 4.7.0, where each test executes 100 iterations, split up across threads, using a mixed set of operations. Numbers in parentheses reflect the number of threads and iterations per thread. While these were measured using EntityFrameworkCore in .NET, similar performance improvements are seen across all 4.7.0 packages.

In addition to the speed boost, there are a number of other improvements available solely to Commercial and Enterprise:

• ARM64 support in Windows FIPS packages
• ARM and ARM64 Linux FIPS packages
• Support for 16K page sizes in the Android FIPS package
• Updated Linux FIPS build for glibc 2.28 compatibility
• Support for code signing and embedded app bundles in macOS FIPS packages
• Improved error handling for FIPS module initialization
• Updated FIPS package cryptographic provider versions
• Excluded cryptographic symbols in the exposed API from libraries
• Modernized Android example project
• Updated System.Data.SQLite to version 1.0.119.0
• Changed .NET RIDs from win10 to win for improved compatibility
• Updated NuGet package dependencies to SQLitePCLRaw 2.1.11
• Enabled URI Filename processing
• Added WinUI sample project for .NET and removal of deprecated / legacy sample project
• Updated OpenSSL packages to 3.0.16 LTS
• Improved sample projects for .NET Microsoft.Data.Sqlite and EntityFramework Core

Important Note: Official SQLCipher packages shield customers from most of the breaking changes in the community edition, but there are two changes that customers must be aware of:

• Commercial and Enterprise edition upgrades now require a new license code from the SQLCipher fulfillment site for each version release. Going forward, when you upgrade your SQLCipher package, you should also update the license code in your application.
• As noted above, SELECT statements (including schema independent queries like SELECT 1) should not be executed on encrypted databases prior to setting the database key

Upgrading and Availability

SQLCipher 4.7.0 is available for download now. Due to the potentially breaking changes, we recommend testing your applications thoroughly with the new version before deploying to production.

Commercial and Enterprise - On-demand access to new releases of SQLCipher packages are available to all licensees with an active CipherCare support subscription from the Customer Downloads fulfillment site. Subscribers will also receive a separate email notification regarding the update and can contact us at any time for private support directly from the SQLCipher development team. Don’t forget to update your license code with this upgrade.

Community Edition - SQLCipher Community Edition source code is available on GitHub, via AAR packaging for Android, and CocoaPods for iOS.

For feedback and questions, please visit our Community Forum or private support channels.