Graphorin API reference v0.7.0
Graphorin API reference / @graphorin/store-sqlite / encryption
encryption
Encryption-at-rest interface hooks.
Phase 05 declares the surface; the cipher path itself ships in the optional @graphorin/store-sqlite-encrypted subpackage in Phase 16 (DEC-129 / ADR-030). Default behaviour is encryption disabled.
If the caller passes encryption.enabled: true and the cipher peer (better-sqlite3-multiple-ciphers) is missing, the connection layer fails fast with CipherPeerMissingError rather than silently degrading to an unencrypted DB.
Classes
| Class | Description |
|---|---|
| CipherPeerMissingError | Raised when the operator opts in to encryption-at-rest but the cipher peer (better-sqlite3-multiple-ciphers) is missing. The Phase 05 acceptance criteria require this to be a fatal startup error - never silently downgrade to an unencrypted DB. |
Type Aliases
| Type Alias | Description |
|---|---|
| EncryptionCipher | Cipher selection, validated against the real sqlite3mc vocabulary (CS-13 - 'wxsqlite3' is the library's name, not a cipher; the peer rejects it with "Cipher 'wxsqlite3' unknown"). 'sqlcipher' is the Graphorin default (SQLCipher v4 compatible); 'chacha20' is the peer's own default cipher. |
| EncryptionConfig | Encryption-at-rest configuration. Default { enabled: false }. |
| PassphraseResolver | Passphrase resolver shape. Implementations live in @graphorin/security ('env:GRAPHORIN_DB_PASSPHRASE', 'keyring:graphorin/db', …). The resolver may return Buffer for binary-keyed cipher variants. |
Functions
| Function | Description |
|---|---|
| cipherSelectionPragmas | The cipher-selection PRAGMAs that must run before PRAGMA key on a freshly opened connection (CS-7). sqlite3mc defaults to chacha20, so opening a SQLCipher-v4 database with key alone reads garbage - every keyed open must pin the cipher first. |
| loadCipherDriver | Loads the cipher peer (better-sqlite3-multiple-ciphers). Lazy by design - the import only fires when encryption-at-rest is enabled. |
| resolvePassphrase | Resolves the configured passphrase to a SQL-literal-ready value suitable for PRAGMA key = <literal>. UTF-8 passphrases are returned as a single-quoted SQL string with internal ' doubled; binary keys are returned in the cipher peer's hex form (x'<hex>'). |