In order to make database encryption possible, you need to obtain or write a database encryption plugin.

    Note

    Out of the box, Firebird does not include a database encryption plugin.

    The encryption plugin example in does not perform real encryption, it is only intended as an example how such a plugin can be written.

    On Linux, an example plugin named libDbCrypt_example.so can be found in plugins/.

    The main problem with database encryption is how to store the secret key. Firebird provides support for transferring the key from the client, but this does not mean that storing the key on the client is the best way; it is just one of the possible alternatives. However, keeping encryption keys on the same disk as the database is an insecure option.

    For efficient separation of encryption and key access, the database encryption plugin data is divided into two parts, the encryption itself and the holder of the secret key. This can be an efficient approach when you want to use some good encryption algorithm, but you have your own custom method of storing the keys.

    Once you have decided on the plugin and key holder, you can perform the encryption.

    Table 13.8.1.1 ALTER DATABASE ENCRYPT Statement Parameters

    Encrypts the database using the specified encryption plugin. Encryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during encryption.

    The optional KEY clause specifies the name of the key for the encryption plugin. The plugin decides what to do with this key name.

    Note

    For example, the following query will display the progress of the encryption process as a percentage.

    Note

    SCHEMA is currently a synonym for ; this may change in a future version, so we recommend to always use DATABASE

    See also, ALTER DATABASE

    13.8.2 Decrypting a Database

    Syntax

    Decrypts the database using the configured plugin and key. Decryption starts immediately after this statement completes, and will be performed in the background. Normal operations of the database are not disturbed during decryption.

    Note

    SCHEMA is currently a synonym for DATABASE; this may change in a future version, so we recommend to always use DATABASE