13.8 Database Encryption

Firebird provides a plugin mechanism to encrypt the data stored in the database. This mechanism does not encrypt the entire database, but only data pages, index pages, and blob pages.

In order to make database encryption possible, you need to obtain or write a database encryption plugin.

Note

Out of the box, Firebird does not include a database encryption plugin.

The encryption plugin example in examples/dbcrypt does not perform real encryption, it is only intended as an example how such a plugin can be written.

On Linux, an example plugin named libDbCrypt_example.so can be found in plugins/.

The main problem with database encryption is how to store the secret key. Firebird provides support for transferring the key from the client, but this does not mean that storing the key on the client is the best way; it is just one of the possible alternatives. However, keeping encryption keys on the same disk as the database is an insecure option.

For efficient separation of encryption and key access, the database encryption plugin data is divided into two parts, the encryption itself and the holder of the secret key. This can be an efficient approach when you want to use some good encryption algorithm, but you have your own custom method of storing the keys.

Once you have decided on the plugin and key holder, you can perform the encryption.

13.8.1 Encrypting a Database

Syntax

  1. ALTER {DATABASE | SCHEMA}
  2. ENCRYPT WITH plugin_name [KEY key_name]

Table 13.8.1.1 ALTER DATABASE ENCRYPT Statement Parameters

ParameterDescription

plugin_name

The name of the encryption plugin

key_name

The name of the encryption key

Encrypts the database using the specified encryption plugin. Encryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during encryption.

The optional KEY clause specifies the name of the key for the encryption plugin. The plugin decides what to do with this key name.

Note

The encryption process can be monitored using the MON$CRYPT_PAGE field in the MON$DATABASE virtual table, or viewed in the database header page using gstat -e. gstat -h will also provide limited information about the encryption status.

For example, the following query will display the progress of the encryption process as a percentage.

  1. select MON$CRYPT_PAGE * 100 / MON$PAGES
  2. from MON$DATABASE;

Note

SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend to always use DATABASE

See alsoSection 13.8.2, Decrypting a Database, ALTER DATABASE

13.8.2 Decrypting a Database

Syntax

  1. ALTER {DATABASE | SCHEMA} DECRYPT

Decrypts the database using the configured plugin and key. Decryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during decryption.

Note

SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend to always use DATABASE

See alsoSection 13.8.1, Encrypting a Database, ALTER DATABASE