Version 2.0.3

• Fixes an issue with PHP 8

Version 2.0.2

• Added PHP 8 to version constraint in composer.json
• #52 - Prevent stream corruption when checking if a file is encrypted by specifying a rb flag.
• #53 - Rewind streams after encrypting or decrypting.
• #54 - New transformation (AlphaNumeric).

Version 2.0.1

• The documentation now exists in a standalone website, since CipherSweet is now cross-platform.
• Bumped sodium_compat minimum to 1.11.0.

Version 2.0.0

Backwards compatibility breaks!

CipherSweet v2.x is mostly but not completely backwards compatible with the v1.x branch. Many of the BC breaks were introduced by @mcordingley in #42:

• I removed all mention of the back-end from the key provider. The key providers had no reason to know about the back-end in use, but its presence meant an additional method on the interface and somewhat more complicated instantiation logic. This change made the back-end a required parameter to the CipherSweet constructor, but the additional effort of providing it there is (more than) offset by no longer having to provide it to a key provider.
• I removed getDefaultBackend(), as a change in the environment could cause a change in back-end, thereby rendering indexes and encrypted values "invalid". Different environments with the same code could nonetheless try to run different back-ends. 🪲
• I updated the CipherSweet constructor to make the back-end again an optional parameter. If not provided, we fall back to a default back-end. Unlike the removed factory method, this will always choose the same back-end implementation. Unless the user has specific reason otherwise, this is the back-end they will want. If the environment is unable to accommodate ModernCrypto, attempting to use it should throw an error and prompt either a code change or the installation of libsodium. Either way, the choice made will be explicit and intentional.

... snip ...

• Removed ArrayProvider. It doesn't seem to add anything beyond what StringProvider already gives, but is less direct about it.

Additionally, some changes made by Paragon Initiative Enterprises to make the library easier to use and cleaner:

• Invert the logic of "flat indexes" introduced in v1.10.0. The default are now "flat", and you can specify if you want typed indexes. This makes the default case slightly faster and simpler.
• We now only support Psalm v3.x and disable these tests on PHP 7.0 and below.

Version 1.10.0

You can now call setFlatIndexes(true); if you don't need ["type" => "foo", "value" => "bar"] and only want "bar".

Version 1.9.0

• New: EncryptedFile for encrypting files and PHP streams with authenticated encryption.
• Fixed: #37 -- EncryptedRow::getBlindIndex() was not behaving as expected.
• For anyone who wrote their own backend, the BackendInterface has several new methods added:
  • deriveKeyFromPassword(string $password, string $salt) should return a string.
  • doStreamEncrypt(resource $in, resource $out, SymmetricKey $key, int $chunkSize = 8192, string $salt = Constants::DUMMY_SALT) should return a boolean value.
  • doStreamDecrypt(resource $in, resource $out, SymmetricKey $key, int $chunkSize = 8192) should return a boolean value.
  • getFileEncryptionSaltOffset() should return an integer.

Version 1.8.0

• Feature: API to make data migration between different backends or key providers seamless.
  • FieldRotator
  • RowRotator
  • MultiRowsRotator
• The BackendInterface interface now requires a method called getPrefix() that returns a string.

Version 1.7.0

• Added a blind index planner so developers can quickly determine how big to make additional blind indexes on an encrypted field.
• The documentation has been updated to support this new feature.
• The minimum supported version of paragonie/sodium_compat has been increased to 1.8.0.

Version 1.6.0

• CipherSweet now exposes an AEAD API, not just an AE API.
  • This means you can now include additional authenticated data in each encrypted message.
  • Additionally, for EncryptedRows, you can specify that the AAD will come from a specific field (e.g. a primary key or foreign key).
• New API: EncryptedMultiRows
  • Abstracts multiple EncryptedRow instances to allow quick and easy encrypted field management for heavily normalized databases.
• We now have a formal security specification, which explains CipherSweet's threat model, security properties, and design rationale; complete with an informal security analysis (which is roughly 20 pages of LaTEX markup removed from being a formal security proof).
  • Pay special attention to the section on information leaks from blind indexes.

Version 1.5.0

• CompoundIndex has been updated to allow "row transformations" which are more arbitrary than the standard Compound transformation, but ultimately, combine multiple columns into a single output string.
  • If you elect to use a custom row transformation and it returns a string, it will omit the typical Compound transform. To continue using Compound after-the-fact, return an array instead.
• New interface: RowTransformationInterface which extends the standard TransformationInterface
• New Transformations added:
  • AlphaCharactersOnly
  • FirstCharacter
• To improve efficiency, EncryptedRow now allows you to just call getBlindIndex($name) to calculate the values for a single desired index.
• The documentation has been improved to address repeat sources of end user confusion about the features and limitations of this library.