Encryption Plugin for Firebird 3.0

IBPhoenix have developed an encryption plugin for Firebird 3.0 that is compatible with AES128. The plugin is currently available for Windows (32/64-bit) and Linux (32/64-bit). It is in use at a number of sites and shows no problems with performance or reliability. However, if you would like to test it, please contact us directly and an appropriate download will be made available.

Note

To use this plugin you need a CPU that supports the SSE2 instruction set. The AES instruction set (AES-NI) is desirable but optional. On Linux, also make sure that the libtommath library is installed.

To install

Unzip the encryption libraries into $(root_dir)/plugins

Create a key file somewhere, e.g.:

C:\MyKey.txt or on Linux /opt/firebird/MyKey.txt

Now insert your key into it, e.g. Thi51sAL!ne_0f-MoreThanSixteenCharacters

Then in plugins\AES128KeyFile.conf (Windows) or plugins/AES128KeyFile.conf (Linux), you can set a server-wide key using the parameter:

KeyFile = C:\MyKey.txt or KeyFile = /opt/firebird/MyKey.txt

(Perhaps the most secure and simplest way to manage this is to put the key file on a secure USB stick inserted into the database server.)

In firebird.conf set the parameter:

KeyHolderPlugin = AES128KeyFile

(or alternatively you can set the parameter in databases.conf for a particular database).

Add the following to plugins.conf:

Plugin = AES128 {
    Module = $(dir_plugins)/AES128
    ConfigFile = $(dir_plugins)/AES128/AES128KeyFile.conf
}

Restart the Firebird server.

Then:

isql> connect 'C:\test\firebird\test.fdb' user 'SYSDBA' password 'whatever';
isql> alter database encrypt with AES128;
isql> commit;

or on Linux:

isql> connect 'localhost:/opt/firebird/test.fdb' user 'SYSDBA' password 'whatever';
isql> alter database encrypt with AES128;
isql> commit;
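The key file is the whole secret: anyone who can read it can open the database. As an added example (not part of the IBPhoenix plugin or of this page), the following Python script creates the key file so that only its owner can read or write it, refuses to overwrite an existing key, checks the key length, and renders the two configuration fragments shown above. The 16-character minimum is an assumption drawn from the page's example key ("MoreThanSixteenCharacters"), not a documented plugin requirement, and the function names are my own.

```python
import os
import stat

# Assumption: the page's example key suggests keys of more than 16 characters.
MIN_KEY_CHARS = 16


def write_key_file(path, key):
    """Create the key file with mode 0600 and refuse to overwrite an existing one.

    O_EXCL makes creation fail with FileExistsError if the file is already there,
    so a deployed key is never silently replaced. On Windows the 0o600 mode only
    affects the read-only flag; use NTFS ACLs there to restrict access.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return path


def check_key_file(path, min_chars=MIN_KEY_CHARS):
    """Return a list of problems found; an empty list means the file looks acceptable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["key file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("key file is not a regular file")
    # On POSIX, any group/other permission bit means another local user could read the key.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is readable or writable by group/other")
    with open(path, "r") as f:
        key = f.read()
    # A trailing newline left by an editor is not counted towards the key length.
    if len(key.rstrip("\r\n")) < min_chars:
        problems.append(f"key shorter than {min_chars} characters")
    return problems


def render_key_holder_conf(key_path):
    """Contents of AES128KeyFile.conf pointing at the key file (as described on the page)."""
    return f"KeyFile = {key_path}\n"


def render_plugins_conf_entry():
    """The Plugin block to append to plugins.conf (as described on the page)."""
    return (
        "Plugin = AES128 {\n"
        "    Module = $(dir_plugins)/AES128\n"
        "    ConfigFile = $(dir_plugins)/AES128/AES128KeyFile.conf\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed demonstration: paths and key are sample values, not real deployment data.
    key_path = "/opt/firebird/MyKey.txt"
    print(render_key_holder_conf(key_path))
    print(render_plugins_conf_entry())
```

Run check_key_file against the deployed key after every change of ownership or copy between machines; a key that was copied with a permissive umask is the most common way the file ends up world-readable.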

If the encryption library fails to load, this error will be seen:

Statement failed, SQLSTATE = HY024
unsuccessful metadata update
-ALTER DATABASE failed
-Crypt plugin AES128 failed to load

There are three ways to verify encryption.

Via isql SHOW DB:

SHOW DB;
Database: bench010_ssd_16_crypt
Owner: SYSDBA
[...]
Database encrypted, crypt thread not complete

By querying the monitoring tables:

select MON$CRYPT_PAGE * 100 / MON$PAGES as ENCRYPTED_PAGES from mon$database;

ENCRYPTED_PAGES
=====================
0

If ZERO is returned then encryption has completed. Otherwise the value represents the percentage of total pages encrypted.

Or by using gstat. With the default -h option, the Attributes field and the Key hash field will indicate encryption.

Or you can use gstat -e, which also reports per-page-type counts:

/opt/firebird3/bin/gstat -e bench010_ssd_16_crypt

Database "/data_store/ssd/ods120/bench010_seq_16_crypt.fdb"
Database header page information:
        Flags                   0
        Generation              2990307
        System Change Number    0
        Page size               16384
        ODS version             12.0
     [...]
        Creation date           May 24, 2016 12:18:12
        Attributes              force write, encrypted, plugin AES128

    Variable header data:
       Key hash:       X2ZorqRShODg1mhSg5yQhpFxtjk=
       Sweep interval:         0
       *END*
     Data pages: total 159004, encrypted 159004, non-crypted 0
     Index pages: total 16409, encrypted 16409, non-crypted 0
     Blob pages: total 0, encrypted 0, non-crypted 0

This should show that the database has been encrypted.
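When checking many servers, it helps to turn the gstat -e output into a verdict rather than reading it by eye. As an added example (not code from IBPhoenix or from this page), the following Python parser reads the header attributes, the key hash and the per-type page counts from gstat -e output and classifies the database as encrypted, in progress or not encrypted. The sample text is constructed from the output shown on this page; the rule that the "encrypted" attribute can already be present while pages remain non-crypted is inferred from the page's own "Database encrypted, crypt thread not complete" message, and the function names are my own.

```python
import re

# Constructed sample, based on the 'gstat -e' output shown on this page (trimmed).
SAMPLE_GSTAT = """\
Database "/data_store/ssd/ods120/bench010_seq_16_crypt.fdb"
Database header page information:
        Flags                   0
        Generation              2990307
        Page size               16384
        ODS version             12.0
        Attributes              force write, encrypted, plugin AES128

    Variable header data:
       Key hash:       X2ZorqRShODg1mhSg5yQhpFxtjk=
       Sweep interval:         0
       *END*
     Data pages: total 159004, encrypted 159004, non-crypted 0
     Index pages: total 16409, encrypted 16409, non-crypted 0
     Blob pages: total 0, encrypted 0, non-crypted 0
"""

# One line per page type: "<Kind> pages: total N, encrypted N, non-crypted N"
PAGE_LINE = re.compile(
    r"^\s*(?P<kind>Data|Index|Blob) pages: total (?P<total>\d+), "
    r"encrypted (?P<enc>\d+), non-crypted (?P<plain>\d+)\s*$"
)


def parse_gstat(text):
    """Extract attributes, crypt plugin name, key hash and page counts from gstat -e output."""
    result = {"attributes": [], "plugin": None, "key_hash": None, "pages": {}}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Attributes"):
            attrs = stripped[len("Attributes"):].strip()
            result["attributes"] = [a.strip() for a in attrs.split(",") if a.strip()]
            for attr in result["attributes"]:
                if attr.startswith("plugin "):
                    result["plugin"] = attr[len("plugin "):]
        elif stripped.startswith("Key hash:"):
            result["key_hash"] = stripped[len("Key hash:"):].strip()
        else:
            m = PAGE_LINE.match(line)
            if m:
                result["pages"][m.group("kind").lower()] = {
                    "total": int(m.group("total")),
                    "encrypted": int(m.group("enc")),
                    "non_crypted": int(m.group("plain")),
                }
    return result


def encryption_status(parsed):
    """Classify as 'encrypted', 'in_progress' or 'not_encrypted'.

    The header attribute alone is not enough: the crypt thread may still be
    running, in which case some page types report non-crypted pages.
    """
    if "encrypted" not in parsed["attributes"]:
        return "not_encrypted"
    for counts in parsed["pages"].values():
        if counts["non_crypted"] != 0 or counts["encrypted"] != counts["total"]:
            return "in_progress"
    return "encrypted"


if __name__ == "__main__":
    parsed = parse_gstat(SAMPLE_GSTAT)
    print(parsed["plugin"], parsed["key_hash"], encryption_status(parsed))
```

Feed the function the captured stdout of gstat -e; a result of in_progress on a database that was encrypted long ago is worth investigating, since it means the crypt thread did not finish.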

To decrypt use:

isql> alter database decrypt;

Application Key

Rather than providing the decryption key in a file, it is possible to provide the decryption key directly within your application using the relevant Firebird API calls. Currently we can provide examples for Delphi, Free Pascal, or C++.

Licensing

On purchase of an appropriate server license a download of the software will be made available. A server license costs $250.00 and will allow you to encrypt multiple databases on that server. Should you wish to use the encryption plugin with an embedded application or for deployment to multiple servers you can purchase an unlimited use license for $2499.00.
