Skip to content

Releases: cossacklabs/acra

0.95.0, March 06rd 2023

06 Mar 20:42
Choose a tag to compare

0.95.0, March 3rd 2023


  • AcraServer:

    • Changed default tokenization settings: consistent_tokenization is now used by default for tokenization #614
    • Improved processing of packets related to transparent encryption/tokenization #628, #630, #637
    • Improved searchable encryption:
      • Added support of NotEqual/Like/ILike operators #605 , #606, #607, #609
      • Improved handling of the response_on_fail option for error cases #612
      • Added the response_on_fail option in encryptor config #618
    • Improved SQL parser:
      • Added support of non-aliased columns with aliased queries #602
      • Improved support of limit/offset for PostgreSQL #603
      • Added support of RETURNING statement for INSERT/UPDATE/DELETE #610
      • Added support of RESET packets for MySQL binary protocol #611
      • Added support of schema() functions, thanks to the new contributor @jercheng #634
    • Added new and deprecated some of existing prometheus metrics #632
      • Added the acra_decryptions_total with labels: {"status": [ "success", "fail"], "type": [ "acrastruct", "acrablock", "acrablock_searchable", "acrastruct_searchable"]}
      • Added the acra_encryptions_total with labels: {"status": [ "success", "fail"], "type": [ "acrastruct", "acrablock", "acrablock_searchable", "acrastruct_searchable"]]}
      • Added the acra_tokenizations_total with labels: {"status": [ "success", "fail"], "token_type": "{token_type}"}
      • Added the acra_detokenizations_total with labels: {"status": [ "success", "fail"], "token_type": "{token_type}"}
      • Deprecated the acra_acrastruct_decryptions_total
      • Deprecated the acra_api_encryptions_total
    • Removed building and testing Acra binaries for old golang versions: now Acra supports only the latest version of golang #624
  • AcraTranslator:

    • Changed default HTTP API settings: --http_api_enable is now true by default starting from 0.96.0 #627
  • AcraServer, AcraTranslator, AcraKeys:

    • Improved support of tls_ocsp_*/tls_crl_* options if the options tls_ocsp_[client|database]_*/tls_crl_[client|database]_* were not specified #617
  • AcraRollback, AcraRotate:

    • Added support of TLS configuration options for connections to the database #623
    • Improved parsing of connection strings with complicated usernames #642, #643
  • AcraTokens:

    • Added support of TLS configuration options for Redis storage #619
  • AcraKeys:

    • acra-keys destroy command supports destroying poison record symmetric keys and keypairs, searchable and storage keypairs and symmetric keys #625
    • acra-keys destroy command supports destroying rotated key with the new flag --index=<index:int> #641. You can find examples on the documentation page
    • acra-keys import/acra-keys export supports keystore v1 #629
    • acra-keys list lists the rotated keys for keystore v1 & v2 with the new flag --rotated-keys #636. The formats of listed keys are updated. You can find examples on the documentation page/

0.94.0, November 17th 2022

16 Nov 23:04
Choose a tag to compare

0.94.0, November 17th 2022


In this release we deprecated Zones functionality and all flags and CLI parameters related to it. These flags will be removed in the next versions. Acra will warn about deprecations.

Acra Community Edition supports separate encryption keys linked to the ClientIDs and allows to manage key switching via TLS certificates.

Acra Enterprise Edition supports more flexible mapping between users/apps and encryption keys via SQL variables.

  • AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraBackup, AcraLogVerifier, AcraPoisonRecordMaker, AcraRollback:
    • Added new CLI flags for better KMS support (documentation page, #552, #553, #554):
      • --kms_credentials_path=<filepath> - path to configuration file specific for KMS type
      • --kms_type=[aws] - type of KMS provider
    • Added support of encrypting the Acra Master Key using AWS KMS key (key wrapping technique). AWS KMS documentation page, #552.
    • Added support of the several encryption strategies for keys in the keystore (#556) and added new CLI flag:
      • --keystore_encryption_type - specifies type of keys encryption for keystore. Accepts env_master_key, vault_master_key, kms_encrypted_master_key, kms_per_client. Read description of types on documentation pages of appropriate tools, for example AcraKeymaker.
    • Extended configuration of TLS options when storing ACRA_MASTER_KEY in HashiCorp Vault. #578
    • Added 12 flags related to OCSP/CRL support. You can find all of these flags in documentation on pages related to appropriate tool, for example AcraKeymaker.
  • AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraTokens:
    • Added TLS support for Redis storage for Keystore. Added new 15 CLI flags related to TLS configuration. Read more on appropriate tool's page, for example AcraKeymaker. #566, #565
  • AcraServer, AcraTranslator, AcraKeymaker, AcraKeys, AcraRotate, AcraAddZone, AcraRollback:
    • Deprecated all Zones related CLI flags and API descriptions #577
  • AcraServer, AcraTranslator:
    • Improved resistance against memory leakage: in-memory cache for keystore now uses randomly generated symmetric key for key encryption instead of ACRA_MASTER_KEY. #555
    • Improved reloading on SIGHUP signals. #557
  • AcraServer:
    • Added support of HashiCorp Consul as a configuration source for encryptor config. Acra can load configuration from the Consul instead of file. Added new CLI flag (--encryptor_config_storage_type=[filesystem|consul]) to switch source and Consul specific flags. Read more on documentation page about encryptor config and acra-server's configuration description. #568
    • Improved support of searchable tokenization. AcraServer captures SELECT queries and update WHERE clauses to add support of filtering with consistent tokenization. #581
    • Improved searchable encryption with more complex queries. #586, #592, #598, #599, #594.
    • Improved SQL parser (better compatibility across different SQL databases):
      • Added support of NULLS FIRST/NULLS LAST ordering clauses, joins with subqueries #547
      • Added support of RETURNING clauses. #584
    • Improved processing prepared statement. #580, #593
    • Added new section to encryptor config called database_settings. #532, #590
      • Contains subsections mysql and postgresql
      • Currently mysql subsection has one option, case_sensitive_table_identifiers, boolean, to configure whether table names should be considered case-sensitive when comparing with names in encryptor config
    • Table/column matching now works like this:
      • For PostgreSQL:
        • Raw identifiers are case-insensitive
        • Identifiers wrapped with double quotes are case-sensitive
      • MySQL:
        • Column identifiers are always case-insensitive
        • Table names are case-insensitive by default, could be changed with case_sensitive_table_identifiers option mentioned above
          Case-insensitive means the identifier is converted to lowercase before comparing with values from encryptor config, encryptor config should contain lowercase version of column/table name.
          Case-sensitive means identifiers are compared with values from encryptor config "as is", encryptor config should contain exactly the same identifier as in database schema.
    • Removed deprecated --tls_db_sni flag. Now only --tls_database_sni is available. #564
    • Added support of separate configuration and specifying of CRL/OCSP settings for connections from database and applications. Added flags: --tls_ocsp_[database|client]_required, --tls_[ocsp|crl]_[database|client]_check_only_leaf_certificate, --tls_[ocsp|crl]_[database|client]_from_cert, --tls_[ocsp|crl]_[database|client}_cache_size, --tls_[ocsp|crl]_[database|client}_cache_time, --tls_[ocsp|crl]_[database|client}_cache_size. You can find all of these flags in documentation on pages related to appropriate tool, for example AcraServer. #564.
  • AcraTranslator:
    • Improved HTTP API performance. Refactored HTTP processing core. Now AcraTranslator uses golang's HTTP server with gin router #550. Added support of:
      • HTTP 2.0 connections additionally to HTTP 1.1
      • Keep alive connections
    • Added TLS support for HTTP API:
      • --http_api_tls_transport_enable=[true|false] new flag added to turn on accepting TLS connections instead of raw TCP. Works only together with --http_api_enable=true. #550

Example projects and demos:

0.93.0, May 27th 2022

27 May 13:00
Choose a tag to compare

0.93.0, May 27th 2022

This release brings type awareness which improves transparent encryption on AcraServer. Type awareness means that it's possible to tell AcraServer what are the original data types for fields. During decryption, AcraServer will convert decrypted fields to their original data types. No need to change client application code to work with "binary data".

It's also possible to choose a default value for each data field if its decryption failed. AcraServer can send a a default value like "<encrypted data>" instead of decryption errors, making developers' and users' life easier.


  • AcraServer:
    • Added type awareness and ability to map binary data to a certain data type when sending decrypted data back to the application. Extended encryptor_config which allow configure mapping application data type to proper database's type. #515, #517, #523, #519, #520
    • Extended encryptor_config with new parameters:
      • data_type - specify data type expected by application. Accept str, bytes, int64, int32 values. #515, #517
      • default_data_value - specify a placeholder (default value) to replace data that couldn't be decrypted. #515, #517
      • response_on_fail - specify action on decryption failure. Accepts ciphertext (returns encrypted data as is), default_value (returns values from default_data_value parameter), error (returns error as DB error with message like encoding error in column {column_name}). #521, #533
    • Deprecated tokenize parameter in encryptor_config and changed focus on token_type parameter. Now is enough to specify token_type parameter without tokenize: true to turn on tokenization. Read more in the documentation. #527
    • Removed auto-generation poison record's keys but leaved for acra-poisonrecordmaker. It improves decryption due to omitting extra key generation and poison record recognition. #516
    • Improvements in handling error cases on DB protocol layer. #511, #515, #517, #520, #528, #535, #537
    • Improved sql parser and support of set command. #534
    • Ignored legacy keys on startup loading to cache. #510, #522
    • Improved PostgreSQL/MySQL protocol support. #525, #526, #539, #540, #541, #542, #543, #544
  • AcraCensor:
    • Removed legacy IsForbidden field from acra-censor’s logs. Read more here in notes. #508
  • AcraKeys:
    • Removed duplicate entries in list command. #530
  • Other:
    • Makefile target install_dev_deps install required golang's dependencies for development and code generation. #531


  • Improved description of AcraServer's encryptor_config, adding details and examples about data processing options: encryption, searchable encryption, masking, tokenization, type awareness, etc.
  • Updated "Debugging and troubleshooting" section with more tips and tricks.

Example projects and demos:

0.92.0, March 1st 2022

01 Mar 16:15
Choose a tag to compare

0.92.0, March 1st 2022

This release brings stability and performance fixes to AcraServer and AcraTranslator. It officially deprecates usage
of AcraConnector in favour of TLS everywhere. Some default configuration params are changed in favour of more secure &
better performance settings.


  • AcraServer, AcraTranslator:
    • Improved TLS certificate validation performance with CRL. #482
    • Poison record detection turned off by default. Flag --poison_detect_enable changed default value from true to false. #484
    • Removed SecureSession and AcraConnector support as transport encryption. #481
    • Improved and clarified log messages. Removed messages with error level for success cases (not detected poison record),
      clarified context of messages. #487
    • Added suggestions in log messages how to solve issues with TLS connections. #493
    • Improved in-memory caching keys:
      • Added caching symmetric keys like asymmetric #489
      • Added caching metadata about rotated keys #498
      • Added new flag --keystore_cache_on_start_enable that turns on loading all keys into in-memory cache on startup. #497
      • Changed default value for --keystore_cache_size parameter from -1 (which means no limits for cache) to 1000 (cache items). #497
  • AcraServer:
    • The default CryptoEnvelope has changed from acrastruct to acrablock in the encryptor_config. Now AcraServer
      will use faster encryption by default. You can select which CryptoEnvelope to use in encryptor_config.
      See AcraStructs vs AcraBlocks documentation, #485
    • Extended PostgreSQL's SQL syntax support with null::<type> type casts. #479
    • Changed the default values for next CLI parameters:
      • --tls_client_id_from_cert changed from false to true. Now AcraServer require app's TLS certificates and map them to keys. #481
    • Improved performance for:
      • querycapture handler in AcraCensor. #483
      • transparent encryption and poison record detection. #487, #496
      • searchable encryption. #490
    • Removed next CLI parameters due to removed AcraConnector support:
      • --securesession_id, --acraconnector_tls_transport_enable, --acraconnector_transport_encryption_disable. #481
  • AcraTranslator:
    Now AcraTranslator works with TLS by default, it doesn't support AcraConnector anymore. #481
    • Removed next CLI parameters due to removed AcraConnector support:
      • --securesession_id, --acratranslator_tls_transport_enable, --acraconnector_transport_encryption_disable. #481
  • AcraKeymaker:
    • Now handle correctly generation symmetric keys into not existing folders. #486
    • Removed next CLI parameters due to removed AcraConnector support:
      • --generate_acraconnector_keys, --generate_acraserver_keys, --generate_acratranslator_keys. #481
  • AcraKeys:
    • Removed next key types for all commands (generate, read, destroy): transport-connector, transport-server, transport-translator. #481
  • AcraConnector:

Example projects and demos:

0.91.0, December 16th 2021

16 Dec 07:27
Choose a tag to compare

0.91.0, December 16th 2021


  • AcraWebConfig, AcraAuthManager:
    • Have been deprecated and not supported anymore #456. The following changes have been made:
      • removed docker/acra-authmanager.dockerfile, docker/acra-webconfig.dockerfile files.
      • removed acra-webconfig and acra-authmanager from docker/acra-build.dockerfile file that is base image for all
        other service's images.
      • removed acra-webconfig and acra-authmanager from all docker/docker-compose.*.yml files.
      • reserved event codes for log entries in range [550, 558] related to AcraWebConfig.
  • AcraConnector:
    • Has been deprecated and will be removed in the next releases. AcraServer and AcraTranslator will accept only direct TLS. See Transport security/TLS.
      connections from applications.
    • Removed mentions and usage from acra-engineering-demos.
  • AcraKeymaker:
    • Some keys can be configured without ClientID #454.
    • Removed --generate_acrawebconfig_keys flag according to AcraWebConfig/AcraAuthManager deprecation #456.
  • AcraKeys:
    • read command supports symmetric encryption keys with ClientID and ZoneID #472.
    • generate command:
      • supports rotation for symmetric encryption keys with ZoneID #472.
      • deprecates next flags: --acraconnector_transport_key, --acraserver_transport_key, --acratranslator_transport_key.
      • removed --acrawebconfig_symmetric_key flag according to AcraWebConfig/AcraAuthManager deprecation #456.
    • Improved handling CLI parameters related to Redis #459.
  • AcraServer:
    • Removed --auth_keys parameter according to AcraWebConfig/AcraAuthManager deprecation #456.
    • Removed /loadAuthData, /getConfig, /setConfig endpoints from HTTP API according to AcraWebConfig/AcraAuthManager deprecation #456.
  • AcraTranslator:
    • Accepts POST HTTP request method additionally to GET for v2 API. Method GET marked as deprecated and warns with log message.
      Deprecated HTTP GET method was used. Please use HTTP POST method instead. if was used #466.


  • Build binaries with -tags netgo flag, that forces usage of Go resolver to solve issues related to resolving hostnames.
    between Docker containers. Updated acra-build.dockerfile used as base image for all cossacklabs/acra-* images (#452).
  • Added missing parameter --keystore=v1 for existing docker-compose files that caused errors (#452).


Example projects and demos:

  • Python examples: now work with TLS connections to
    AcraServer/Database. Also has been updated sqlalchemy version and binary column type from Binary to LargeBinary #463.
  • acra-engineering-demos don't illustrate AcraConnector usage anymore. All applications and services connect to AcraServer directly.

0.90.0, November 09th 2021

09 Nov 12:17
Choose a tag to compare

0.90.0, November 09th 2021


Updated documentation

Acra's documentation is now open-source and updated for this release. Please find use cases, usage scenarios, data flows, descriptions of security controls, cryptography deep dive, scaling and load balancing, optimisations and many more.

Check out the updated documentation.

Searchable encryption

Two components can provide searchable encryption functionality:

  • AcraServer — transparent searchable encryption of fields marked as searchable in encryptor_config for INSERT and
    UPDATE queries, calculating hash and searching by hash for SELECT queries, with per column configuration.
  • AcraTranslator — provides gRPC and HTTP API calls to encrypt data field into searchable form, and to generate
    searchable hash from the plaintext search query.

Read more details in the Acra documentation section dedicated to Searchable encryption.


  • AcraServer – provides masking functionality. It is transparent masking for INSERT and UPDATE queries, and transparent demasking for SELECT queries, with per column configuration.
    Read more details in the Acra documentation section dedicated to Masking.

Tokenization (Pseudonymisation)

Two components can provide tokenization functionality:

  • AcraServer — transparent tokenization for INSERT and UPDATE queries, and transparent detokenization for SELECT queries, with per column configuration.
  • AcraTranslator — provides gRPC and HTTP API to tokenize or detokenize the field.

Read more details in the Acra documentation section dedicated to Tokenization.


AcraBlock is a symmetric cryptographic container and is faster and more compact than AcraStruct. It used on AcraServer side in transparent encryption, masking, tokenization, searchable encryption.

AcraTranslator supports AcraBlocks in encryption, searchable encryption and tokenization via gRPC and HTTP API.

Read more details in the Acra documentation section dedicated to AcraBlock.

KeyStore v2

Added new storage format for keys in KeyStore that cryptographically strong key integrity checks, additional tracking metadata simplifying key management, KMS integrations.

Read more details in the Acra documentation about difference between two versions.

HashiCorp Vault integration

All Acra services that work with encryption/intermediate keys can load master key ACRA_MASTER_KEY from HashiCorp Vault.
Previously was supported only environment variables.

Read more details on our KMS integration page in the documentation.



  • We recommend using AcraServer in transparent encryption mode, connecting to it via TLS from application side. Use AcraServer with AcraBlocks for faster & more efficient configuration. AcraConnector and AcraWriter are optional components, and can be omitted.

Read more details on our Integrating AcraServer into infrastructure.

  • Added prepared statements support for MySQL. Now all transparent operations over the data works with prepared statements too.

  • Extended and refactored TLS related CLI parameters.

    • tls_client_id_from_cert - switching to new mode with clientID extraction from certificates instead of handshakes with AcraConnector or static mode with --client_id parameter.
    • OCSP-related:
      • tls_ocsp_url, tls_ocsp_client_url, tls_ocsp_database_url - URL of OCSP server to use, for acra-server may be configured separately for both directions.
      • tls_ocsp_required - whether to allow "unknown" responses, whether to query all known OCSP servers (including those from certificate).
      • tls_ocsp_from_cert - how to treat URL listed in certificate (use or ignore, whether to prioritize over configured URL).
      • tls_ocsp_check_only_leaf_certificate - whether to stop validation after checking first certificate in chain (the one used for TLS handshake).
    • CRL-related:
      • tls_crl_url, tls_crl_client_url, tls_crl_database_url - URL of CRL distribution point to use, for acra-server may be configured separately for both directions.
      • tls_crl_from_cert - how to treat URL listed in certificate (use or ignore, whether to prioritize over configured URL).
      • tls_crl_check_only_leaf_certificate - whether to stop validation after checking first certificate in chain (the one used for TLS handshake).
      • tls_crl_cache_size - how many CRLs to cache in memory.
      • tls_crl_cache_time - how long cached CRL is considered valid and won't be re-fetched.

    Separated parameters for connections accepted from application/AcraConnector or established to database with TLS:

    • acra-server's certificate: tls_client_cert and tls_database_cert (overrides tls_cert).
    • acra-server's key: tls_client_key and tls_database_key (overrides tls_key).
    • CA certificate path: tls_client_ca and tls_database_ca (overrides tls_ca).
    • TLS authentication: tls_client_auth and tls_database_auth (overrides tls_auth).
  • Supports RETURNING syntax in SQL queries with proper decryption data in the response.

  • --sql_parse_on_error_exit_enable new flag that force acra-server to stop query execution if can't parse SQL query.
    By default, it is false.

  • Improved encryptor config validation.

  • Deprecated --acrastruct_wholecell_enable and --acrastruct_injectedcell_enable flags and will be ignored.
    Now acra-server works as in InjectedCell mode.

  • Deprecated --tls_db_sni parameter and replaced with tls_database_sni.


  • We recommend using AcraTranslator as gRPC or HTTP API, connecting to it via TLS from application side. Use AcraTranslator with AcraBlocks for faster & more efficient configuration.

Read more details on our Integrating AcraTranslator into infrastructure.

  • --acratranslator_client_id_from_connection_enable flag turns on mapping TLS certificates to encryption keys with .
  • Extended HTTP API as version 2 and gRPC API with supporting all new features like Searchable encryption, Tokenization, symmetric key encryption with AcraBLock and synchronized with gRPC API.
  • HTTP API version 2 with OpenAPI and Swagger support.

AcraServer, AcraTranslator

  • audit_log_enable - new parameter turns on cryptographically signed audit logging. Read more in the Acra documentation.
  • Support direct TLS connections from applications without AcraConnector. acra-server and acra-translator will map client's certificates to proper encryption keys in KeyStore.
  • tls_identifier_extractor_type - new parameter that configures strategy of extraction metadata from certificates for mapping to clientID (default: distinguished_name, another option: serial_number).

AcraServer, AcraTranslator, AcraConnector

  • TLS certificate validation using OCSP and CRL. All services and tools that accepts incoming connections can be configured with new rules of connection validation.
    Read more details in the Acra documentation section dedicated to TLS configuration.
  • --log_to_console - parameter turns on\off logging to stderr.
  • --log_to_file - parameter specify path to file for logs. May be used together with logging to stderr.


New flags to generate new kind of keys for new features:

  • --generate_hmac_key - flag turns on generation symmetric key for HMAC used in searchable encryption.
  • --generate_log_key - flag turns on generation symmetric key for cryptographically signed audit logging.
  • --generate_symmetric_storage_key - flag turns on generation symmetric key for encryption with AcraBlocks.
  • --keystore - specify version of KeyStore. Now supported v1 (default) and v2 (new) versions.

New flags to generate encryption keys for TLS certificates:

  • --tls_cert - specify client's TLS certificate to generate encryption keys. Should be used instead --client_id flag.
  • --tls_identifier_extractor_type - switch type of ClientID extraction from TLS certificate. Supports distinguished_name (default) and serial_number values.


  • --fs_keystore_enable now is deprecated and ignored.


acra-tokens is a new command-line utility used for managing generated tokens with turned on tokenization. Tokens may be stored in BoltDB or Redis for now.
Read more details in the Acra documentation.


acra-backup is a command-line utility used for storing and managing the keystore backups. Also, it helps to migrate keys from one KeyStore to another one by export + import operations.

Read more details in the Acra documentation on [acra-backup page](

Read more

0.85.0, March 15th 2019

15 Mar 13:34
Choose a tag to compare

0.85.0, March 15th 2019


  • Breaking changes:

    Introducing a new more flexible configuration format for AcraCensor rules. AcraCensor doesn't support the old format, all users should migrate (don't worry, it's a simple procedure).

  • Search through encrypted data

    You now can run SQL queries over encrypted AcraStructs allowing users to search through sensitive data without exposing it. This feature is only available in Acra Enterprise version.

  • Transparent proxy mode

    TLDR: Transparent proxy mode allows you to configure AcraServer to encrypt records in specific database columns without altering the application code.

    The application flow doesn't need to change: application sends SQL requests through AcraConnector and AcraServer to the database. AcraServer parses each request, encrypts the desired values into AcraStructs, and passes the modified requests to the database. To retrieve the decrypted data, your application talks to AcraServer again: upon receiving the database response, AcraServer tries to detect AcraStructs, decrypts them, and returns the decrypted data to the application.

    Transparent proxy mode is useful for large distributed applications where updating the source code of each client app separately would be complicated.

    To enable this mode, you need to create a separate encryptor configuration file (acra-encryptor.yaml) that describes which columns to encrypt and provide a path to it in the AcraServer configuration file (or via CLI params --encryptor_config_file=acra-encryptor.yaml).

    Read more details in the Readme and in the Acra documentation section dedicated to Transparent encryption.

    (#285, #309, #314).

  • AcraCensor – SQL firewall to prevent SQL injections

    TLDR: Improved stability of AcraCensor, switched to more flexible rules' configuration.

    Breaking changes: Introducing a new format for configuration files, the previous format is no longer supported, you should migrate to the new one.

    • New configuration file format allows configuring the allowlist and the denylist separately or simultaneously.

      The allow handler allows something specific and restricts/forbids everything else. The allowall handler should be a final statement as that means that all the other queries will be allowed.

      The deny handler allows everything and forbids something specific. The denyall means "block all queries!" (that haven't been allowed or ignored before).

      For each handler, there are settings that regulate queries, tables, and patterns. The order of priority for the lists is defined by their position in the configuration file. The processing priority for each list is as follows: queries, followed by tables, followed by patterns.

      (#298, #297, #304, #306).

      Read more in AcraCensor docs.

    • Added version to the configuration file. This allows detecting an outdated configuration easily. From now on, AcraCensor supports explicit configuration version and logs errors if the configuration is not valid (#321).

    • Improved parsing of SQL queries with prepared statements (#303, #283).

    • Improved error handling for queries that AcraCensor can't parse (#291, #284).

    • Added ability to log unparsed queries to a separate log file for the debugging and configuration purposes. Sometimes AcraCensor can't parse all of the incoming queries and it is useful to have a separate log for them.

      How to use it: Provide the path to the unparsed queries log file in the configuration file parse_errors_log: unparsed_queries.log (#295).

    • Improved support of PostgreSQL queries ("RETURNING" clause) and quoted identifiers (now you can use "tablename" and WHERE "column"=1) (#296).

    • Fixed the bug in QueryCapture log that caused duplicated of records in the log to appear (#318).

  • AcraServer

    • Fixed handling of null-size packets in PostgreSQL protocol (#286).

    • Fixed handling of setting a custom connection API port (#294).

    • Fixed handling of the plain text data response: if the database returns a plain text response, it is redirected "as is" (#305).

    • Fixed handling of casted placeholders in expressions like SELECT $1::type1::type2 FROM table1 WHERE column1=$2::type3::type4 (#328).

    • Improved code quality (some refactoring here and there) (#302, #301).

  • AcraServer, AcraTranslator, AcraConnector

    • Refactored logs and error messages got even more descriptive and user-friendly (#312, #299, #317).

    • Added on-start version logging to make it easier to understand which version is running (#319).

    • Added versioning for configuration files of each service (#322).

    • Added exporting version to metrics (#330, #320).

    • Updated some configuration parameters descriptions for better user-friendliness (please see our docs of AcraConnector and AcraServer for detailed descriptions of each parameter and usage examples) (#329).

  • AcraWriter

    • Updated AcraWriter for ActiveRecord (Ruby), fixed dependencies, added support of mysql2 adapter (#287).

    • Updated AcraWriter for Django (Python), fixed potential encoding issues (#293, #292).

    • Updated AcraWriter for C++, improved cpp codec usage (#290, #289).

    • Added bitcode for AcraWriter iOS and added Swift example project (#327, #326, #325, #324, #323, #323, #307).

    • Improved distribution of AcraWriter for Android, now it's available via Maven (#310).

  • Other

    • Added more tests and then — added even more tests. We just love automating things! (#331, #311, #308, #292).

    • Updated the version of pyyaml used in the tests due to CVE-2017-18342. This change doesn't affect the users of Acra, it only affects our test suite (#300).


  • Updated Docker files, added more comments, and updated Go version (#313, #288).

Example projects and demos:

Read more


19 Feb 15:43
Choose a tag to compare

0.84.2, February 19th 2019


Fixed an issue in communication of AcraServer and PostgreSQL that causes AcraServer to stop processing connection due to an unexpected error in parsing packets. The issue occurred when last data in data row column from PostgreSQL comes with empty data (0 bytes).

Details: #315


24 Jan 22:21
Choose a tag to compare

0.84.1, January 25th 2019


Fixed an issue in communication of AcraServer with some specific ORMs (xorm precisely) with MySQL database. In some cases, when database has plaintext data, AcraServer can't decrypt it (which is ok), but propagates decryption error and closes connection (which is wrong, it's fixed).

Details: #305


09 Nov 11:34
Choose a tag to compare

0.84.0, November 9th 2018


  • Key management

    • Improved LRU cache: fixed concurrent access to LRU cache by adding mutex. LRU cache is used for quick access to in-memory keys (private keys are stored encrypted) in AcraServer and AcraTranslator (#272).

    AcraServer documentation, AcraTranslator documentation.

    • Improved AcraRotate utility: added "dry-run" mode for testing AcraRotate before it is used for real. In the "dry-run" mode AcraRotate doesn't rotate keys: it fetches AcraStructs (from files or database), decrypts, rotates in-memory keys, encrypts the data with new public keys and prints the resulting JSON with new public keys without actually saving the rotated keys and AcraStructs. As key rotation might be tricky, we want users to make sure that AcraRotate has all the required permissions and access right before actually re-encrypting the data (#269).

    AcraRotate documentation.

  • AcraWriter

    • Added C++ AcraWriter library, added examples and tests. The library itself is a single header-only file acrawriter.hpp with dependency on Themis, placed in wrappers/cpp.
      Read the usage guide and examples in examples/cpp folder (#270).

    AcraWriter C++ documentation.

  • Logging

    • Improved logs of AcraConnector and AcraServer: use Debug log level for all network errors (closed connection, unavailable network, etc) and use Error log level only for cases of certainly unexpected behavior (#275).

    • Improved startup logs: log process PID on start of AcraServer, AcraConnector, AcraTranslator, and AcraWebConfig (#275).

    • Fixed timestamps: do not overwrite logs' timestamps (#273).

  • Tracing with OpenCensus

    • Added tracing with OpenCensus: AcraServer, AcraConnector, and AcraTranslator track every request from client application to the database and back. Each client request has a unique traceID that helps measure how much time it needs to perform a certain data processing functions (i.e. checking requests via AcraCensor, encrypting data, decrypting AcraStructs, etc.). Traces can be exported to Jaeger (#279, #276, #274).

    You can read more about tracing in our documentation in Tracing in Acra.

    A blogpost about technical details, profits, and pitfalls during the implementation of traces is coming soon.

  • Other

    • Improved AcraServer's connection handling: stop accepting connections after error and stop AcraServer instead of trying to accept connections after the listening socket was closed (#275).

    • Improved AcraCensor's handling of prepared statements for PostgreSQL binary protocol (#280).

    • Improved handling of terminating packets (COM_QUIT for PostgreSQL and TerminatePacket for MySQL) to correctly handle the closing connections from clients (#275).

    • Refactored inner logic of AcraCensor: improved code quality and stability, added more tests that use more patterns (#268).


  • Ceased testing and supporting Go versions below 1.9. This will only affect the users who build Acra manually from sources.
    You can install the pre-built Acra components shipped for various Ubuntu, Debian, and CentOS distributives using Installation guide. Alternatively, you can check out our Docker images and Docker-compose files in docker folder (#277).

  • Tested Acra suite with PostgreSQL v11 and MariaDB v10.3 and updated docker compose examples and Acra Engineering Demo to use it (#278).

  • Published Acra load balancing demo: it illustrates some of the many possible variants of building high availability and balanced infrastructure based on Acra data protection suite components, PostgreSQL, and Python web application. In these examples we used HAProxy – one of the most popular high availability balancers today.

  • Updated AcraStruct Validator – an online tool that can decrypt your AcraStructs. AcraStruct Validator is useful for developers who build their own AcraWriters (to validate AcraStruct binary structure).

Features coming soon:

  • Running SQL queries over encrypted data: perform AcraServer-side lookups (search) over protected data.

  • Pseudonymisation: early version of pseudonymisation library/plugin for Acra for transparent data pseudonymisation.

  • Cryptographically protected audit log: protection for logs against tampering.


  • AcraWriter C++ has a short guide for installing and using AcraWriter for C++.

  • AcraRotate: added description and notes about "dry-run" mode.

  • Updated documentation for logging, collecting metrics, and tracing in Acra.

  • Many small fixes here and there to make your overall experience of using Acra's docs on a new platform distinctive and smooth ;)