Firebird Documentation Index → Firebird 3.0.6 Release Notes → Security → Database Encryption

Database Encryption

Alex Peshkov


CORE-657

With Firebird 3 comes the ability to encrypt the data stored in a database. Not all of the database file is encrypted: just the data, index and blob pages.

To make it possible to encrypt a database you need to obtain or write a database crypt plug-in.

Note

The sample crypt plug-in in examples/dbcrypt does not perform real encryption, it is merely a sample of how to go about it.

Secret Key

The main problem with database encryption is how to store the secret key. Firebird provides a helper to transfer that key from the client but that does not imply that storing the key on a client is the best way: it is no more than a possible alternative. A very bad option is to keep the key on the same disk as the database.

Encryption Tasks

To separate encryption and key access efficiently, a database crypt plug-in is split into two parts: the encryption itself and the secret key holder. This may be an efficient approach for third-party plug-ins when you want to use some good encryption algorithm but have your own secret way to store the key.

Encrypting a Database

Once you have decided on a crypt plug-in and a key, you can encrypt the database with:

  ALTER DATABASE ENCRYPT WITH <PLUGIN_NAME> [ KEY <key-name> ]

The optional KEY argument allows the key name to be passed in the command, if the plug-in requires it.

Encryption will start right after this statement commits and will be performed in background. Normal database activity is not disturbed during encryption.

Monitoring Encryption

During encryption, progress can be monitored using the field MON$CRYPT_PAGE in the pseudo-table MON$DATABASE. For example:

  select MON$CRYPT_PAGE * 100 / MON$PAGES
    from MON$DATABASE

The example query will output the percentage of encryption completed so far.

You can also watch the database header page using repeated calls to gstat -e. If the database has been encrypted, gstat -h can also provide limited information about the encryption state.

Decrypting a Database

To decrypt the database do:

  ALTER DATABASE DECRYPT

For Linux, an example plug-in named libDbCrypt_example.so can be found in the /plugins/ sub-directory.
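The three steps above (start encryption, monitor it, decrypt again) as one isql script. This is an added example, not part of the release notes or the Firebird sources. It assumes the sample plug-in is registered under the plug-in name DbCrypt_example (inferred from the library file name libDbCrypt_example.so mentioned above) and that it accepts a key named mykey; both names are placeholders to be replaced with your own plug-in and key name.

```sql
-- Added example (not from the release notes). DbCrypt_example and mykey are
-- assumed placeholder names; substitute the plug-in and key name you use.
-- Run in isql while connected to the database to be encrypted.

-- 1. Start encryption. The statement returns immediately; after COMMIT the
--    crypt thread does the work in the background while normal activity
--    continues.
ALTER DATABASE ENCRYPT WITH DbCrypt_example KEY mykey;
COMMIT;

-- 2. Monitor progress. The release-notes query uses integer division and so
--    truncates; the CAST below keeps one decimal place and the extra columns
--    show the absolute page counts, which is what you want when estimating
--    how long a large database will take.
SELECT MON$PAGES                                               AS total_pages,
       MON$CRYPT_PAGE                                          AS pages_done,
       MON$PAGES - MON$CRYPT_PAGE                              AS pages_remaining,
       CAST(MON$CRYPT_PAGE * 100.0 / MON$PAGES AS NUMERIC(5,1)) AS pct_done
  FROM MON$DATABASE;
-- MON$ tables are a per-transaction snapshot: re-running the SELECT inside
-- the same transaction returns the same numbers. Commit (or roll back) and
-- run it again to see fresh values.
COMMIT;

-- 3. Reverse the operation when needed. Decryption is also a background task
--    and can be watched with the same monitoring query.
ALTER DATABASE DECRYPT;
COMMIT;
```

Because only the crypt plug-in and key holder decide where the key lives, nothing in this script carries the key itself; the key name only tells the plug-in which key to ask its holder for, which is the separation described under Encryption Tasks.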
