Tupi-Guarani for “small”
mirim
An embedded SQL database, encrypted at rest, with post-quantum sealed exports.
~3.4k lines of safe Rust under #![forbid(unsafe_code)]. No RSA and no elliptic-curve cryptography in any file it writes — nothing for a future quantum computer to unwind later.
secrets
access_log
7bd0 228a
1655 e27f
key wrapped per recipient · outsiders cannot open it
What it does
Small data, kept private and durable.
mirim holds data that should stay in memory, encrypted on disk, and recoverable after a crash — keys, credentials, capability records, configuration.
Encrypted at rest
Every vault is XChaCha20-Poly1305 over the snapshot. The key comes from Argon2id (RFC 9106) or a 32-byte key you hold. Saves are atomic.
Post-quantum sealed exports
Seal a database to one or many recipients with ML-KEM-768 (FIPS 203). Each recipient opens it with their own key; an outsider cannot.
Crash-safe durability
An encrypted write-ahead log. An acknowledged write survives kill -9 and power loss — checked by a SIGKILL harness with zero acknowledged commits lost.
Signed releases
Detached ML-DSA-87 (FIPS 204) signatures via mirim-sign, with monotonic-counter rollback rejection. mirim signs its own releases.
SQL with an index
CREATE / INSERT / SELECT / UPDATE / DELETE with parameter binding. PRIMARY KEY and UNIQUE columns are indexed: O(1) duplicate checks and point lookups.
Embed from C
A C ABI (mirim-ffi) with a single header, every panic caught at the boundary. Tested under AddressSanitizer and UBSan.
Measured
Every number here is reproducible.
No adjectives. Figures are Criterion medians on x86-64, in-memory, against SQLite (rusqlite, bundled). Where mirim is slower, it says so.
Reproduce: cargo bench --bench core · fsync figures vary on real disks.
Cryptography
Named primitives, with their standards.
No homemade ciphers and no protocol invented in-house. Primitives are vetted implementations, exercised against the official test vectors.
Assurance
Checked more than once.
The same behavior is verified by independent methods, so a bug has to evade all of them.
- +Differential model — the engine versus an independent oracle over generated programs.
- +Property tests — round-trip and replay invariants under proptest.
- +5 fuzz targets — every decoder hardened against hostile bytes.
- +Miri on the logic suites; ASan + UBSan on the C FFI.
- +Reproducible builds — two builds, bit-identical.
- +SBOM — CycloneDX inventory; cargo audit / deny in CI.
# clone, build, open an encrypted vault $ git clone https://git.securityops.co/cristiancmoises/mirim $ cargo build --release --features cli,sign $ ./target/release/mirim notes.mrm mirim 1.0.0 — .help for commands mirim> CREATE TABLE keys (id INTEGER PRIMARY KEY, label TEXT UNIQUE); mirim> INSERT INTO keys VALUES (1, 'signing'); mirim> SELECT label FROM keys WHERE id = 1; signing mirim>
License
Dual-licensed. Pick the one that fits.
Open by default under AGPL-3.0-only; a commercial license is available when the AGPL's terms don't suit your deployment.
AGPL-3.0-only open source
Use, modify, and distribute freely. The network-use clause (section 13) applies: a modified mirim offered as a network service must share its source with that service's users. Declared as license = "AGPL-3.0-only".
Commercial on request
Lifts the copyleft and network-use obligations under negotiated terms — for closed-source embedding, or running a modified service without publishing source. Contact Security Ops via securityops.co.
Full terms in LICENSE and LICENSING.md.
Stable · 1.0.0
Read the source. The formats are frozen.
The vault, log, sealed-export, and manifest layouts are fixed and will stay readable.