Firebird Encryption Plugin Framework

Purchase & Download


  • Firebird Encryption Plugin Framework (Unlimited License) €2499
Firebird Encryption Plugin Framework is the ready-to-use skeleton to create custom implementations of the encryption plugins and applications with encryption support for Firebird 3.0 databases.

Firebird Encryption Plugin

Firebird 3.0 has introduced the ability to encrypt databases to protect sensitive data from the unauthorized access and prevent the direct work with the databases: only designated applications should be able to work with encrypted databases. 
Download Firebird Encryption Plugin demo It also important to keep the ability to work with the encrypted Firebird databases in the trusted environment - i.e., developer and system administrator should have transparent access to the databases through their favorite development and administrator tools.
To provide the high level of the protection, each application should have the custom implementation of an encryption, and that's why we have created Firebird Encryption Plugin Framework – source code and implementation guidance to implement Firebird encryption. 
Firebird Encryption Plugin Framework (FEPF) uses RSA+AES cryptography to encrypt data on the page level. The plugin encrypts only users' data: records, BLOBs, indices keys, sources of stored procedures and triggers. Firebird system pages (pointer, transactions, etc) are not encrypted to increase performance. Encryption and decryption do not require an exclusive access to the database: end-user applications can work with the database while the database is encrypted or decrypted.

How to implement Firebird database encryption

There are 2 phases in implementation process: database phase and end-user application

Database phase

  1. Purchase Firebird Encryption Plugin Framework. It includes sources, complete guidance, examples for end-user applications and implementation support from IBSurgeon engineers.
  2. Generate public and private keys (OpenSSL is used for this purpose) and use them to modify plugin sources and create administrator access file KeyHolder.conf
  3. Build plugin from the provided sources and copy its binaries to Firebird folder
  4. Copy KeyHolder.conf to the test server, it is used to test database encryption
  5. Make backup copy of the database to be encrypted
  6. Modify databases.conf and specify plugin dll name there
  7. Run isql.exe and encrypt database with command «alter database encrypt with key »
  8. Check that gbak, gfix, isql work with the encrypted database.
After this phase the database is encrypted, all user and standard applications are working as usual, without modification, since Firebird retrieves keys from KeyHolder.conf.

Some customers can be satisfied with this implementation or amend plugin (KeyHolder.dll) to retrieve keys from the more secure place than KeyGolder.conf (for example, use DPAPI or other mechanisms).
The protection scheme should be individual, don't hesitate to contact our support to discuss various options.

End-user application

  1. Embed into the end-user application the code to initialize encrypted connection and transfer of keys. The keys generated at step 2 should be used in the end-user application.
  2. Remove KeyHolder.conf from the test server, and restart Firebird
  3. Test the following
    • end-user application is able to work with the encrypted database
    • standard Firebird tools and development tools do not have access to the encrypted database
  4. End-user and application are ready for deployment
More details are available in the FEPF user guide. Please contact us with any questions: [email protected]


The unlimited license allows unlimited redistribution of encryption plugins to third-party organizations. Firebird Encryption Plugin Framework includes full sources for plugins and implementation technical support for the single application.

Technical information.

Encryption Plugin Framework requires Firebird 3.0.1+. It supports Windows and Linux, 32bit and 64bit.

Subscribe to IBSurgeon news