14.8. Database Encryption
Firebird provides a plugin mechanism to encrypt the data stored in the database. This mechanism does not encrypt the entire database, but only data pages, index pages, and blob pages.
To make database encryption possible, you need to obtain or write a database encryption plugin.
Out of the box, Firebird does not include a database encryption plugin.
The encryption plugin example in examples/dbcrypt does not perform real encryption, it is only intended as an example how such a plugin can be written.
On Linux, an example plugin named libDbCrypt_example.so can be found in plugins/.
The main problem with database encryption is how to store the secret key. Firebird provides support for transferring the key from the client, but this does not mean that storing the key on the client is the best way; it is one of several alternatives. However, keeping encryption keys on the same disk as the database is an insecure option.
For efficient separation of encryption and key access, the database encryption plugin data is divided into two parts, the encryption itself and the holder of the secret key. This can be an efficient approach when you want to use a good encryption algorithm, but you have your own custom method of storing the keys.
Once you have decided on the plugin and key-holder, you can perform the encryption.
14.8.1. Encrypting a Database
Encrypts the database using the specified encryption plugin
Syntax
|
ALTER {DATABASE | SCHEMA}
| ENCRYPT WITH plugin_name [KEY key_name]
ALTER DATABASE ENCRYPT Statement Parameters| Parameter | Description |
|---|---|
plugin_name | The name of the encryption plugin |
key_name | The name of the encryption key |
Encryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during encryption.
The optional KEY clause specifies the name of the key for the encryption plugin.
The plugin decides what to do with this key name.
The encryption process can be monitored using the MON$CRYPT_PAGE field in the MON$DATABASE virtual table, or viewed in the database header page using gstat -e.
gstat -h will also provide limited information about the encryption status.
For example, the following query will display the progress of the encryption process as a percentage.
|select MON$CRYPT_PAGE * 100 / MON$PAGES|from MON$DATABASE;
SCHEMA is currently a synonym for DATABASE;
this may change in a future version, so we recommend to always use DATABASE
See alsoSection 14.8.2, “Decrypting a Database”, ALTER DATABASE
14.8.2. Decrypting a Database
Decrypts the database using the configured plugin and key
Syntax
|ALTER {DATABASE | SCHEMA} DECRYPT
Decryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during decryption.
SCHEMA is currently a synonym for DATABASE;
this may change in a future version, so we recommend to always use DATABASE
See alsoSection 14.8.1, “Encrypting a Database”, ALTER DATABASE