
Firebird provides a plugin mechanism to encrypt the data stored in the database. This mechanism does not encrypt the entire database, but only data pages, index pages, and blob pages.

To make database encryption possible, you need to obtain or write a database encryption plugin.

Note

Out of the box, Firebird does not include a database encryption plugin.

The encryption plugin example in examples/dbcrypt does not perform real encryption; it is only intended as an example of how such a plugin can be written, and must not be used to protect real data.

On Linux, an example plugin named libDbCrypt_example.so can be found in plugins/.

The main problem with database encryption is where to store the secret key. Firebird supports transferring the key from the client, but this does not make storing the key on the client the best choice; it is one of several alternatives. Keeping the encryption key on the same disk as the database, however, is insecure: whoever can copy the database file can copy the key with it.

To separate encryption from key access, the plugin mechanism is split into two parts: the encryption plugin itself, and a key holder plugin that supplies the secret key. This is useful when you want to use a strong, well-tested encryption algorithm but have your own method of storing and delivering the keys.

Once you have decided on the plugin and key-holder, you can perform the encryption.

Encrypting a Database

Encrypts the database using the specified encryption plugin

Syntax
ALTER {DATABASE | SCHEMA}
  ENCRYPT WITH plugin_name [KEY key_name]
Table 1. ALTER DATABASE ENCRYPT Statement Parameters

Parameter     Description
plugin_name   The name of the encryption plugin
key_name      The name of the encryption key

Encryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during encryption.

The optional KEY clause passes a key name to the encryption plugin. What the plugin does with this name (for example, which key it requests from the key holder) is up to the plugin.

Note

The encryption process can be monitored using the MON$CRYPT_PAGE field in the MON$DATABASE virtual table, or viewed in the database header page using gstat -e. gstat -h will also provide limited information about the encryption status.

For example, the following query will display the progress of the encryption process as a percentage.

select MON$CRYPT_PAGE * 100 / MON$PAGES
  from MON$DATABASE;
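As an added example that is not part of the Firebird documentation, the following script encrypts a database and then polls the monitoring table until the background process has finished. It assumes the shipped example plugin is registered under the name DbCrypt_example (derived from libDbCrypt_example.so; it does not really encrypt) and a key named Red that the example key holder knows about (a hypothetical name). Run it in isql, connected as SYSDBA or the database owner, and repeat the SELECT until pct_done reaches 100.

```sql
-- Added example, not from the Firebird documentation.
-- Assumptions: plugin name DbCrypt_example (shipped example, NOT real encryption)
-- and key name Red (hypothetical). Replace both with your production plugin/key.
ALTER DATABASE ENCRYPT WITH DbCrypt_example KEY Red;
COMMIT;

-- Progress check. MON$CRYPT_PAGE and MON$PAGES are integers, so the division
-- is cast to NUMERIC to avoid a truncated (integer) percentage.
SELECT MON$CRYPT_PAGE,
       MON$PAGES,
       CAST(MON$CRYPT_PAGE AS NUMERIC(18,2)) * 100 / MON$PAGES AS pct_done,
       CASE
         WHEN MON$CRYPT_PAGE = 0 THEN 'idle or not started'
         WHEN MON$CRYPT_PAGE < MON$PAGES THEN 'in progress'
         ELSE 'complete'
       END AS crypt_phase
  FROM MON$DATABASE;
```

The CASE column is only a convenience derived from the two documented fields; for an authoritative status, read the database header with gstat -e as described above.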
Note

SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend always using DATABASE.

Decrypting a Database

Decrypts the database using the configured plugin and key

Syntax
ALTER {DATABASE | SCHEMA} DECRYPT

Decryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during decryption.

Note

SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend always using DATABASE.