HeliosDB Lite v3.5.0 Release Notes
Release Date: 2026-01 (estimated, per source docs/releases/v3.5/)
Theme: Zero-Knowledge Encryption — client-side keys, server never sees plaintext
Highlights
Most database encryption-at-rest schemes still trust the server to hold the data-encryption key. v3.5.0 adds Zero-Knowledge Encryption (ZKE): keys are derived and held client-side, attached per-request, and zeroed from memory after use. The server can read ciphertext and validate the key hash, but never sees the plaintext key.
Three operational modes (Full, Hybrid, PerRequest) let you choose how much metadata stays visible while preserving payload secrecy.
What’s New
Client-Side Key Derivation (Argon2)
Authentication and encryption keys are derived separately on the client using Argon2id. The server stores the auth-key hash; the encryption key never touches the wire.
```rust
use heliosdb_lite::crypto::{ZkeKeyDerivation, ZkeMode};

let derivation = ZkeKeyDerivation::new("user-password", &salt)?;
let auth_key = derivation.auth_key();
let enc_key = derivation.encryption_key();
// Send auth_key.hash() during signup; keep enc_key client-side.
```
Per-Request Keys
Each request carries the key in the request payload. The server uses it to decrypt for the duration of the request, then drops the reference.
Key Hash Validation (SHA-256)
The server validates the supplied key against a stored SHA-256 of the key, never the key itself. Invalid keys are rejected before any decryption attempt.
Nonce-Based Replay Protection
Every encrypted request carries a unique nonce. The server rejects nonces it has already seen within the replay window. This stops captured-and-replayed packets cold.
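The nonce check described above, as an added example that is not HeliosDB code. `ReplayGuard`, `Verdict`, the 16-byte nonce and the per-request client timestamp are assumptions of this example; the release notes specify only a unique nonce and a replay window. The timestamp bound is what lets the server forget old nonces without re-opening them to replay.

```rust
use std::collections::HashMap;

/// Result of checking one request.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    Replayed,      // nonce already seen inside the window
    OutsideWindow, // timestamp too old or too far in the future
}

/// Hypothetical server-side nonce cache; not a HeliosDB type.
pub struct ReplayGuard {
    window_secs: u64,
    seen: HashMap<[u8; 16], u64>, // nonce -> last second the request is still fresh
}

impl ReplayGuard {
    pub fn new(window_secs: u64) -> Self {
        ReplayGuard { window_secs, seen: HashMap::new() }
    }

    /// `ts` is a client timestamp carried in the request (an assumption of this
    /// example); `now` is the server clock. Both are Unix seconds. The nonce and
    /// `ts` must be covered by the request's integrity check.
    pub fn check(&mut self, nonce: [u8; 16], ts: u64, now: u64) -> Verdict {
        let w = self.window_secs;
        // Forget nonces whose requests would be rejected as stale anyway,
        // so the cache stays bounded by request rate times window length.
        self.seen.retain(|_, expires| *expires >= now);
        if now.saturating_sub(ts) > w || ts.saturating_sub(now) > w {
            return Verdict::OutsideWindow;
        }
        if self.seen.contains_key(&nonce) {
            return Verdict::Replayed;
        }
        self.seen.insert(nonce, ts.saturating_add(w));
        Verdict::Accept
    }
}

fn main() {
    // Constructed sample traffic: (nonce byte, client timestamp, server time).
    let traffic = [(1u8, 1000u64, 1000u64), (1, 1000, 1010), (2, 1005, 1010), (1, 1000, 1400)];
    let mut guard = ReplayGuard::new(300);
    for &(n, ts, now) in traffic.iter() {
        println!("nonce={} ts={} now={} -> {:?}", n, ts, now, guard.check([n; 16], ts, now));
    }
}
```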
Memory Zeroization
The zeroize crate ensures key buffers are scrubbed from memory after use:
```rust
{
    let mut session = ZeroKnowledgeSession::open(enc_key)?;
    session.execute("INSERT INTO docs VALUES ($1)", &[encrypted_payload])?;
}
// session is dropped here; enc_key memory is zeroed by Drop impl.
```
Three ZKE Modes
| Mode | Encrypts | Use Case |
|---|---|---|
| Full | All data + metadata + index keys | Maximum privacy; opaque to server |
| Hybrid | Data only; metadata + index keys plaintext | Balance: server can plan queries, payloads stay private |
| PerRequest | Data only, decryption per request | Server can serve plain SQL; client opts in for sensitive payloads |
How To Enable
```rust
use heliosdb_lite::{EmbeddedDatabase, crypto::ZkeMode};

let db = EmbeddedDatabase::new("./data.helio")?;
db.set_zke_mode(ZkeMode::Hybrid)?;
db.create_zke_user("alice", "user-password", &salt)?;
```
For wire-protocol clients, the ZKE handshake is a Postgres-protocol extension; psql clients see the upgrade in the pg_zke_status system view.
Migration
Additive feature. Existing TDE (Transparent Data Encryption) deployments keep working unchanged; ZKE is layered on top for users who opt in.
Compatibility
| Component | Version |
|---|---|
| PostgreSQL wire | 14, 15, 16, 17 |
| Argon2 (RustCrypto) | latest stable |
| zeroize | 1.x |
See Also
- ZKE_TUTORIAL — hands-on walkthrough
- features/encryption.md — TDE + ZKE reference
- v3.4.0 release notes — array operations + json_agg