13.8. Database Encryption
Firebird provides a plugin mechanism to encrypt the data stored in the database. This mechanism does not encrypt the entire database, but only data pages, index pages, and blob pages.
In order to make database encryption possible, you need to obtain or write a database encryption plugin.
Out of the box, Firebird does not include a database encryption plugin.
The encryption plugin example in examples/dbcrypt does not perform real encryption; it is only intended as an example of how such a plugin can be written. On Linux, an example plugin named libDbCrypt_example.so can be found in plugins/.
The main problem with database encryption is how to store the secret key. Firebird provides support for transferring the key from the client, but this does not mean that storing the key on the client is the best way; it is just one of the possible alternatives. However, keeping encryption keys on the same disk as the database is an insecure option.
For efficient separation of encryption and key access, the database encryption plugin is divided into two parts: the encryption itself and the holder of the secret key. This is an efficient approach when you want to use a good encryption algorithm but have your own custom method of storing the keys.
Once you have decided on the plugin and key holder, you can perform the encryption.
13.8.1. Encrypting a Database
Syntax

```sql
ALTER {DATABASE | SCHEMA}
    ENCRYPT WITH plugin_name [KEY key_name]
```

ALTER DATABASE ENCRYPT Statement Parameters

Parameter | Description
---|---
plugin_name | The name of the encryption plugin
key_name | The name of the encryption key
Encrypts the database using the specified encryption plugin. Encryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during encryption.
The optional KEY clause specifies the name of the key for the encryption plugin. The plugin decides what to do with this key name.

The encryption process can be monitored using the MON$CRYPT_PAGE field in the MON$DATABASE virtual table, or viewed in the database header page using gstat -e. gstat -h will also provide limited information about the encryption status.

For example, the following query will display the progress of the encryption process as a percentage.

```sql
select MON$CRYPT_PAGE * 100 / MON$PAGES
from MON$DATABASE;
```
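As an added example that is not part of the Firebird reference, the statements below start encryption with the example plugin shipped as plugins/libDbCrypt_example.so and then poll the progress query in a form that shows the raw page counters next to the percentage. The plugin name DbCrypt_example is assumed to be the name under which that library is registered, and the key name my_key is an assumed placeholder: as the text says, it is the plugin and its key holder that decide what to do with the key name.

```sql
-- Added example, not from the Firebird reference manual.
-- Assumptions: the example plugin plugins/libDbCrypt_example.so is registered
-- under the plugin name DbCrypt_example, and a key holder that answers to the
-- placeholder key name my_key is configured.

-- 1. Start encryption. The statement returns at once; the data, index and
--    blob pages are rewritten in the background while normal work continues.
ALTER DATABASE ENCRYPT WITH DbCrypt_example KEY my_key;

-- 2. Poll progress. MON$CRYPT_PAGE is the number of pages processed so far
--    and MON$PAGES the total number of pages, so the ratio is the percentage
--    done. The CASE guards against a zero page count, and the two counters
--    are returned alongside the percentage so a stalled run (MON$CRYPT_PAGE
--    no longer advancing between polls) is visible rather than hidden behind
--    a single rounded number.
SELECT
    MON$CRYPT_PAGE AS pages_done,
    MON$PAGES      AS pages_total,
    CASE
        WHEN MON$PAGES > 0 THEN MON$CRYPT_PAGE * 100 / MON$PAGES
        ELSE 0
    END            AS pct_done
FROM MON$DATABASE;

-- 3. The MON$ tables are a per-transaction snapshot: re-running the SELECT in
--    the same transaction shows the same numbers. Commit (or start a new
--    transaction) between polls so each poll sees fresh counters.
COMMIT;
```

Repeat the SELECT after each COMMIT until the percentage stops advancing, then confirm the final state with gstat -e on the database file, which reads the encryption status directly from the header page rather than from the monitoring snapshot.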
SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend always using DATABASE.

See also: Section 13.8.2, “Decrypting a Database”, ALTER DATABASE
13.8.2. Decrypting a Database
Syntax

```sql
ALTER {DATABASE | SCHEMA} DECRYPT
```
Decrypts the database using the configured plugin and key. Decryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during decryption.
SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend always using DATABASE.

See also: Section 13.8.1, “Encrypting a Database”, ALTER DATABASE