How to encrypt database with IBSurgeon demo version of Firebird encryption plugin
In this short guide, we describe how to use the demo version of IBSurgeon Firebird Encryption Plugin to encrypt your database, implement network connection in the client application. As a result, you will have the fully functional plugin, with the only exception - it is limited till April 1, 2017.
To try Firebird encryption, you need the following:
- Firebird 3.0.1 – to test demo plugin it is necessary to use official release 3.0.1 64bit, build number 32609. Other versions are not supported by the demo version of the plugin! Also, you can download this archive with Firebird 18.104.22.168609 with the already deployed plugin.
- Create SYSDBA user, if it is not created (stop Firebird service, run «gsec -user sysdba -add SYSDBA -pw masterkey», start Firebird service)
- Download archive with the demo version of Firebird Encryption Plugin and demo client application with sources.
Stage 1 – Initial encryption of the database
At the point, we suppose that you have some database to be encrypted. Put unencrypted database to some path, for example, into c:\temp\employee30\employee.fdb
1. Create the following alias in databases.conf
crypt = C:\Temp\EMPLOYEE30\EMPLOYEE30.FDB
KeyHolderPlugin = KeyHolder
2. Put the following files to server/plugins from the folder ServerPluginX64\Plugins
- KeyHolder.conf - file with keys, it is only for developer's usage, it should not be sent to end users
3. Put the following files into Firebird root from ServerPluginX64
4. Connect to the unencrypted database with isql and encrypt database
isql localhost:C:\Temp\EMPLOYEE30\EMPLOYEE30.FDB -user SYSDBA -pass masterkey
SQL>alter database encrypt with dbcrypt key red;
SQL> show database;
Number of DB pages allocated = 326
Number of DB pages used = 301
Number of DB pages free = 25
Sweep interval = 20000
Forced Writes are OFF
Transaction - oldest = 2881
Transaction - oldest active = 2905
Transaction - oldest snapshot = 2905
Transaction - Next = 2909
ODS = 12.0
Default Character set: NONE
At the point database is encrypted with server-side authentication: the keys are located in the file KeyHolder.conf.
Stage 2 – Deploy encrypted database
After the initial encryption, we suppose that database will be copied to the customer environment, where access to it will be done only through the application.
To imitate such environment, we need to remove the file with keys KeyHolder.conf from plugins folder of Firebird.
Without KeyHolder.conf the plugin will require receiving the key from the connected application. Download example of such application from our website – there is a compiled version and full sources for it on Delphi XE8.
The code to initialize encrypted connection is very simple – before the usual connection, several calls should be done to send appropriate key. After that, the client application works with Firebird as usual.
Run the demo applications (Delphi XE8 and Delphi 2007) to test the work with the encrypted database.
Run it from the folder ClientApplication\ClientExampleDelphiXE8_FireDAC, connect to the database, run the query, it shows the first row of the specified SELECT.
Please note: the test application can connect to the encrypted database only through TCP/IP, xnet is not supported in demo plugin.
Please contact us with any questions: [email protected]