How to protect data in a Firebird database?


Short answer: use encryption

Long:

Firebird 3 supports encryption of data, indexes and blobs with encryption modules:

https://www.firebirdsql.org/file/documentation/release_notes/html/en/3_0/rnfb30-security-encryption.html

Older versions of Firebird have no encryption integrated, but there are various solutions you can add:

One is to encrypt all the data on the client before saving it to database columns, and to decrypt it when reading. The drawback is indexing and searching. Indexes on foreign and primary keys remain effective, but searches that use STARTING WITH or comparison operators (less than, more than, etc.) cannot use an index, because the data has to be decrypted before it can be compared.
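The trade-off described above, as an added example that is not part of the original FAQ. It assumes an in-memory sqlite3 database as a stand-in for the Firebird table, a hypothetical customer table, a constructed key and sample names, and a standard-library stand-in cipher in place of a real one.

```python
import hashlib, hmac, os, sqlite3

KEY = hashlib.sha256(b"constructed demo key").digest()   # constructed key, demo only
NAMES = ["Adams", "Baker", "Banner", "Clark", "Baxter"]  # constructed sample data

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode, no integrity tag) so the example
    # needs only the standard library; an assumption. Use a vetted AEAD such as AES-GCM.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, text):
    nonce = os.urandom(12)  # fresh nonce: equal plaintexts give different ciphertexts
    return nonce + _xor_stream(key, nonce, text.encode())

def decrypt(key, blob):
    return _xor_stream(key, blob[:12], blob[12:]).decode()

def make_db(names):
    # The server only ever stores ciphertext in the name column; id stays in the clear.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name BLOB)")
    db.executemany("INSERT INTO customer VALUES (?, ?)",
                   [(i, encrypt(KEY, n)) for i, n in enumerate(names, 1)])
    return db

def by_id(db, key, row_id):
    # Primary-key lookup: the server index finds the row, the client decrypts one value.
    row = db.execute("SELECT name FROM customer WHERE id = ?", (row_id,)).fetchone()
    return decrypt(key, row[0]) if row else None

def starting_with(db, key, prefix):
    # No server-side predicate works on ciphertext: fetch and decrypt every row.
    fetched, hits = 0, []
    for row_id, blob in db.execute("SELECT id, name FROM customer ORDER BY id"):
        fetched += 1
        if decrypt(key, blob).startswith(prefix):
            hits.append(row_id)
    return hits, fetched
```

Calling starting_with(make_db(NAMES), KEY, "Ba") returns the matching ids together with the number of rows the client had to fetch, which is always the whole table.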


The second solution is to encrypt the filesystem where the Firebird database is stored. Tools such as VeraCrypt, EncFS or BestCrypt do this. Since the product pages contain only the advantages, we are listing their Wikipedia pages, where you can find more reliable information about the disadvantages and possible problems of each system:

https://en.wikipedia.org/wiki/VeraCrypt
https://en.wikipedia.org/wiki/CipherShed
https://en.wikipedia.org/wiki/EncFS
https://en.wikipedia.org/wiki/BestCrypt

If you only use Linux, there are various tools and libraries for this. Take a look at these articles for some examples:

http://www.redhatmagazine.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/
http://www.redhatmagazine.com/2007/06/13/dual-password-encryption-with-encfs/

A popular encryption system that comes pre-installed on Linux is dm-crypt, which is part of the kernel:
https://en.wikipedia.org/wiki/Dm-crypt

Possible problems with this approach are slower access to the database and the fact that the unencrypted database is readable while your application is running.


Third, since Firebird is open source, you can alter the code that reads and writes pages to disk so that it encrypts and decrypts them. Of course, you would have to find a suitable way for the client to send the decryption key to the engine. Please note that this means that all users use the same key.





All contents are copyright © 2007-2024 FirebirdFAQ.org unless otherwise stated in the text.

