Encryption Plugin for Firebird 3.0

IBPhoenix have developed an encyption plugin for Firebird 3.0 that is compatible with AES128. The plugin is available for Windows (32/64bit) and Linux (32/64bit) currently. The plugin is currently in use at a number of sites and shows no problems with performance or reliability. However if you would like to test it, please contact us directly and an appropriate download will be made available.


To use this plugin you need to have CPU that supports the SSE2 instruction set. The AES instruction set is desirable, but optional. For Linux also make sure that the libtommath libraries are installed.

To install

Unzip the encryption libraries into $(root_dir)/plugins

create a keyfile somewhere e.g:

C:\MyKey.txt or on Linux /opt/firebird/MyKey.txt

Now insert your key into it e.g. TestKey

Then in the file pluginsAES128KeyFile.conf or plugins/AES128KeyFile.conf you can set a server wide key using the parameter:

KeyFile = C:\MyKey.txt or /opt/firebird/MyKey.txt.

Alternatively entries for database dedicated key files can be specified for each database individually using the format <key name> = <key file>. For example suppose you have two databases testa.fdb and testb.fdb that you want to encrypt and decrypt with a separate key. Make a name up for each key and point each key name to the file holding the relevant key:

Key4TestA = C:\Key4TestA.jpg
Key4TestB = C:\Key4TestB.txt

If dedicated key names are configured the name of the key must be supplied in the optional KEY parameter of the encrypt and decrypt statements.

Another alternative is to configure the keyfile so the plugin will send a request to the user application for the file path (Keyfile = ?).

Perhaps the securest and simplest way to manage this is to put the key file onto a secure USB stick inserted into database server)

In firebird conf set the parameter:

KeyHolderPlugin = AES128KeyFile

(or alternatively you can set the parameter in databases.conf for a particular database).

Restart the Firebird server


isql> connect 'C:\test\firebird\test.fdb' user 'SYSDBA' password 'whatever';
isql> alter database encrypt with AES128;
isql> commit;

or on Linux:

isql>connect 'localhost:/opt/firebird/test.fdb' user 'SYSDBA' password 'whatever';
isql>alter database encrypt with AES128;

If using individual keys:

isql> connect 'C:\test\firebird\test.fdb' user 'SYSDBA' password 'whatever';
isql> alter database encrypt with AES128 key TestKey;
isql> commit;

On Linux:

isql>connect 'localhost:/opt/firebird/test.fdb' user 'SYSDBA' password 'whatever';
isql>alter database encrypt with AES128 key TestKey;

If the encryption library fails to load then this error will be seen:

Statement failed, SQLSTATE = HY024
unsuccessful metadata update
-Crypt plugin AES128 failed to load

There are three ways to verify encryption.

Via isql show db:

Database: test
Database encrypted, crypt thread not complete

By querying the monitoring tables:

select MON$CRYPT_PAGE * 100 / MON$PAGES as ENCRYPTED_PAGES from mon$database;


If ZERO is returned then encryption has completed. Otherwise the value represents the percentage of total pages encrypted.

Or by using gstat (you can use shell to run gstat from isql), With the default -h option the Attributes field and the Key Hash fields will indicate encryption.

Or you can use:

/opt/firebird3/bin/gstat -e test.fdb

Database "/data_store/ssd/ods120/test.fdb"
Database header page information:
        Flags                   0
        Generation              2990307
        System Change Number    0
        Page size               16384
        ODS version             12.0
        Creation date           May 24, 2016 12:18:12
        Attributes              force write, encrypted, plugin AES128

    Variable header data:
       Key hash:       X2ZorqRShODg1mhSg5yQhpFxtjk=
       Sweep interval:         0
     Data pages: total 159004, encrypted 159004, non-crypted 0
     Index pages: total 16409, encrypted 16409, non-crypted 0
     Blob pages: total 0, encrypted 0, non-crypted 0

Should show that the database has been encrypted

To decrypt use:

isql> alter database decrypt;


isql> alter database decrypt key TestKey;

Application Key

Rather than providing the decryption key in a file, it is possible to provide the decryption key directly within your application using the relevant Firebird API calls. Currently we have examples for Delphi, Free Pascal, C++ and .NET.

This code works using Delphi XE6 or XE7, However there does seem to be a problem with earlier versions of Delphi e.g. Delphi XE3.

C/C++ Code

.NET needs the ADO.NET provider, and then you can use this code.

In the configuration files Callback.conf and AES128KeyFile.conf it is now possible to use the parameter ShareKey. When set to false (default is true) it will requires a key for each database attachment.


On purchase of an appropriate server license a download of the software will be made available. A server license costs $250.00 and will allow you to encrypt multiple databases on that server. Should you wish to use the encryption plugin with an embedded application or for deployment to multiple servers you can purchase an unlimited use license for $2499.00.