High-level encryption is a vital feature of any reliable database, and Embarcadero’s signature database, InterBase, handles it very well. But how exactly does InterBase restrict access to data, both at rest and in transit, through encryption? In the article we are taking a closer look.
Table of Contents
Introduction
The Encryption Engine is natively available as part of the Desktop, Server and ToGo editions of the InterBase database. InterBase enables you to encrypt information at one or both of the following levels:
- Database Level Encryption (InterBase encrypts all of the database pages that contain user information).
- Column Level Encryption (Column-level encryption is more flexible and specific to the selected data columns).
Using Encryption Engine you can also encrypt Database Backup Files. For more information about encrypting your data with InterBase, see Data Definition Guide.
Getting Started With InterBase Encryption Engine
To create specific encryption tasks in InterBase, you need to create the System Data Security Owner (SYSDSO) user. Both users, the SYSDSO and the SYSDBA (the database owner), have responsibilities for InterBase Encryption. The table below shows the differences between the user’s tasks:
Permissions | Database Owner | SYSDSO |
Create Encryption Keys | NO | YES |
Set the SEP | NO | YES |
Grant Encrypt Privileges | NO | YES |
Encrypt Database | YES | NO |
Encrypt Columns | YES | NO |
Grant Decrypt Privileges | YES | NO |
Also, encryption tasks can be performed by any individual table owner who is given permission to encrypt columns in a table.
Encrypting a Database with IBConsole
There are two ways to encrypt an InterBase database. You can enable and implement encryption using the isql tool, or you can encrypt a database using the IBConsole. For this specific topic, we use the second option – Encrypting a Database with IBConsole.
To perform encryption when creating a new database, follow these steps:
- Open IBConsole.
- Select Server > Login from the menu.
- Login as a SYSDBA or as a database owner.
- Select Database > Create Database from the menu.
- In the Save In field, select the folder where you want to save the database.
- Specify a file name, click Save, and the dialog closes.
- Change the value in the Embedded User Authentication field to Yes. (The Use Encryption field is now visible).
- Change the value in the Use Encryption field to Yes.
- Click OK to create a database. The database is created and the Encryption Wizard opens.
- Enter your connection information and click the Connect button.
- The database is created and the Encryption Wizard opens; click Next.
- Type the SYSDSO password and click the Next button.
- Type the SEP password and click the Next button.
Note: The External option makes it more difficult for unauthorized users to access an encrypted database on a mobile device such as a laptop computer, or on a poorly secured desktop computer.
- Type a name for the Encryption Key.
- Select one of the Cipher options.
- Click the OK button.
- Type the BackupKey Name and password.
Note: To maintain the security and confidentiality of encrypted databases, you must also encrypt database backup files.
Using the System Encryption Password parameter
When a database is encrypted in InterBase, the SEP can be set internal (the default, no keyword used) or external (keyword used).
- The internal SEP allows the database to be accessed by the database users when someone has used the database once with the SEP on the machine. Subsequent connections or a connection after a machine reboot do not need to provide the SEP value. If the RAD Studio application is deployed to Mac or to a mobile device then the first connection requires the SEP parameter value.
- The database set with external SEP requires the first connection to have the SEP parameter value. After you reboot the machine, the application needs to provide the SEP at the first connection. The external System Encryption Password is safer for mobile devices.
Note: To set the external SEP, check the External option in the Encryption wizard or you can use the alter database set system encryption password <255-character string> [external] command.
System Encryption Password in FireDAC
With FireDAC, you can set the SEPassword parameter in the TFDConnection connection definition parameters, or programmatically as well:
1 2 3 4 5 6 7 8 9 10 |
procedure TForm10.BtnConnectClick(Sender: TObject); begin try FDConnection1.Params.Values['SEPasword']:='password'; FDConnection1.Connected:=true; except on E:Exception do ShowMessage(E.ClassName + ' ' + E.Message); end; end; |
System Encryption Password in dbExpress
With dbExpress, you can set the SEP value in the TSQLConnection Params collection, or you can set the SEP value programmatically.
1 2 3 4 5 6 7 8 9 10 |
procedure TForm10.BtnConnectClick(Sender: TObject); begin try SQLConnection1.Params.Values['SEP']:='password'; SQLConnection1.Connected:=true; except on E:Exception do ShowMessage(E.ClassName + ' ' + E.Message); end; end; |
System Encryption Password in InterBase Express
With InterBase Express (IBX), the SysEncryptPassword TIBDatabase parameter is set programmatically:
1 2 3 4 5 6 7 8 9 10 |
procedure TForm10.BtnConnectClick(Sender: TObject); begin try IBDatabase1.SysEncryptPassword:='password'; IBDatabase1.Open; except on E:Exception do ShowMessage(E.ClassName + ' ' + E.Message); end; end; |
Curious About InterBase?
Design. Code. Compile. Deploy.
Start Free Trial Upgrade Today
Free Delphi Community Edition Free C++Builder Community Edition