Firebird Documentation Index → Firebird 3.0.6 Release Notes → Security → Database Encryption |
Firebird 3 introduces the ability to encrypt the data stored in a database. Not the whole database file is encrypted: only data, index and blob pages are; other page types, including the header page, stay unencrypted.
To encrypt a database you need to obtain or write a database crypt plug-in. The sample crypt plug-in in examples/dbcrypt does not perform real encryption; it is merely a demonstration of how to write one and must not be relied on to protect data.
The main problem with database encryption is where to store the secret key. Firebird provides a helper for transferring the key from the client, but that does not mean storing the key on the client is the best way: it is just one possible option. Keeping the key on the same disk as the database is a very bad option, since anyone who copies the database file also gets the key.
To separate encryption from key access, a database crypt plug-in is split into two parts: the encryption itself and the secret key holder. This is a practical arrangement for third-party plug-ins when you want to use a strong, well-known encryption algorithm combined with your own secret method of storing the key.
Once you have decided on a crypt plug-in and a key, encrypt the database with:
ALTER DATABASE ENCRYPT WITH <PLUGIN_NAME> [ KEY <key-name> ]
The optional KEY argument passes a key name to the plug-in, if the plug-in requires one.
Encryption starts right after this statement commits and is performed in the background. Normal database activity is not disturbed while it runs.
While encryption is in progress, it can be monitored through the column MON$CRYPT_PAGE in the pseudo-table MON$DATABASE. For example:
select MON$CRYPT_PAGE * 100 / MON$PAGES from MON$DATABASE
This query returns the percentage of the encryption completed so far.
You can also watch progress with repeated calls to gstat -e, which reports encryption statistics for the database pages. Once the database has been encrypted, gstat -h also shows limited information about the encryption state in the header page.
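The whole procedure, from starting the encryption to checking it and reverting it, as an added worked example that is not part of the release notes. It assumes a crypt plug-in registered in plugins.conf under the name DbCrypt and a key holder that knows a key called Red; both names are assumptions, substitute the plug-in and key you actually deployed. Note that MON$CRYPT_PAGE returns to 0 once the crypt process has finished, so a reading of 0 is ambiguous and the final state should be confirmed from the header page with gstat -h.

```sql
-- Added example; not from the Firebird documentation.
-- Assumed: plug-in name DbCrypt, key name Red (adjust to your setup).
-- Run in isql, connected to the target database with a user that is
-- allowed to execute ALTER DATABASE (the owner or an administrator).

-- 1. Start encryption. Nothing happens until this transaction commits;
--    after the commit a background thread works through the pages.
ALTER DATABASE ENCRYPT WITH DbCrypt KEY Red;
COMMIT;

-- 2. Poll progress (from this or any other connection).
--    MON$CRYPT_PAGE is the page the crypt process is currently working on
--    and reads 0 when no encryption or decryption is running, so 0 means
--    "not started" or "finished", not "0% done". The CASE makes that explicit.
SELECT MON$CRYPT_PAGE,
       MON$PAGES,
       CASE
         WHEN MON$CRYPT_PAGE = 0 THEN 'no crypt process running'
         ELSE CAST(MON$CRYPT_PAGE * 100 / MON$PAGES AS VARCHAR(3)) || '% done'
       END AS CRYPT_STATUS
FROM MON$DATABASE;

-- 3. When the query reports no running process, confirm the result from
--    the header page instead of the monitor table, from the shell:
--      gstat -h /path/to/database.fdb      (encryption state attributes)
--      gstat -e /path/to/database.fdb      (per-page-type encryption counts)

-- 4. Reverting. Decryption is also a background process, started by the
--    commit and monitored with the same query as above.
ALTER DATABASE DECRYPT;
COMMIT;
```

Keep the key out of the database's own storage: the key holder half of the plug-in is where the key lives, and if it sits on the same disk as the .fdb file the encryption adds nothing against someone who copies that disk.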