Download demo Firebird Encryption Plugin

How to encrypt database with IBSurgeon demo version of encryption plugin


  • Firebird 3.0.1 – to run demo plugin it is necessary to use official release 3.0.1 64bit, build number. Other versions are not supported by demo version of the plugin!
  • Create SYSDBA user, if it is not created (stop Firebird service, run «gsec -user sysdba -add SYSDBA -pw masterkey», start Firebird service)

Stage 1 – Initial encryption of the database

At the point we suppose that you have some database to be encrypted. Put unencrypted database to some path, for example c:\temp\employee30\employee.fdb

1. Create the following alias in databases.conf

   KeyHolderPlugin = KeyHolder

2. Put the following files to server/plugins from the folder ServerPluginX64\Plugins

  • DbCrypt.dll
  • KeyHolder.dll
  • KeyHolder.conf - file with keys, it is only for developer's usage, it should not be sent to end users

3. Put the following files into Firebird root from ServerPluginX64

  • libeay32.dll
  • ucrtbased.dll
  • vcruntime140d.dll

4. Connect to the unencrypted database with isql and encrypt database

isql localhost:C:\Temp\EMPLOYEE30\EMPLOYEE30.FDB -user SYSDBA -pass masterkey
SQL>alter database encrypt with dbcrypt key red;
SQL> show database;
Database: localhost:C:\Temp\EMPLOYEE30\EMPLOYEE30.FDB
        Owner: ADMINISTRATOR
Number of DB pages allocated = 326
Number of DB pages used = 301
Number of DB pages free = 25
Sweep interval = 20000
Forced Writes are OFF
Transaction - oldest = 2881
Transaction - oldest active = 2905
Transaction - oldest snapshot = 2905
Transaction - Next = 2909
ODS = 12.0
Database encrypted
Default Character set: NONE
At the point database is encrypted with server-side authentication: the keys are located in the file KeyHolder.conf.

Stage 2 – Deploy encrypted database

After initial encryption we suppose that database will be copied to the customer environment, where access to it will be done only through the application.

To imitate such environment, we need to remove file with keys KeyHolder.conf from plugins folder of Firebird.

Without KeyHolder.conf plugin will require to receive key from the connected application. Download example of such application from our website – there is a complied version and full sources for it on Delphi XE8.

The code to initialize encrypted connection is very simple – before the usual connection several calls should be run, to send appropriate key. After that the client application works with Firebird as usual.

In the demo application – run it from the folder, connect to the database, run the query, it shows the first row of the specified SELECT.

Please note: the test application can connect to the encrypted database only through TCP/IP, xnet is not supported in demo plugin.