Setting the System Encryption Password (SEP)

From InterBase
Jump to: navigation, search

Go Up to Using isql to Enable and Implement Encryption


InterBase uses a System Encryption Password (SEP) to protect the encryption keys that are used to encrypt the database and/or database columns. If you are managing multiple databases that use InterBase encryption, it is recommended that you create a different SEP for each database.


Altering the Database to Create the SEP

The SYSDSO uses the ALTER DATABASE command to create the SEP.

To create a SEP, use the following syntax:

alter database set system encryption password <255-character string>

The string can be up to 255 characters long and can include spaces. The system encryption password is encrypted with a key derived from machine specific information and stored in the database. This effectively node locks the database to the machine but allows the database to be attached without a user having to pass the system encryption password in plaintext. Thus, subsequent connections on the same machine need not provide the SEP.

However, if the database file is copied and installed on a different machine, the node-lock feature disallows direct loading of the database without the user providing the SEP. After moving a database with a node-locked SEP to another machine, you must login as SYSDSO with the current SEP set via the SEP environment variable or DPB. The SYSDSO can then perform ALTER DATABASE SET SYSTEM ENCRYPTION PASSWORD to create a new SEP.

Just “setting” the SEP to connect to the database does not redefine or re-node-lock the SEP. You can continue to provide the SEP externally though you may want to alter the sep command to re-node-lock it to the new machine.


Using External Option when Creating a SEP

Though an unauthorized person would not have decrypt permission for any encrypted columns, he or she might be able to bit edit the database file to artificially grant decrypt permission. The password attribute of an encryption key can mitigate this risk because the user needs the passwords as well as decrypt permission. For database-level encryption, the data would be visible immediately because only the SEP is needed to see it.

Adding the external setting to a SEP statement can make it more difficult for unauthorized users to access an encrypted database on a mobile device such as a laptop computer, or on an a poorly secured desktop computer.

alter database set system encryption password <255-character string> [external]

The external form of setting the SEP requires the first database attach to pass the isc_dpb_sys_encrypt_password parameter with the value of the password, or to set the environment variable isc_system_encrypt_password. Subsequent database attachments are not required to pass the SEP as the database server already has it in memory.

For security reasons, programs should not hardcode the SEP with isc_dpb_sys_encrypt_password but query the user, then generate this database attachment parameter dynamically. The ISC_SYSTEM_ENCRYPT_PASSWORD environment variable should never be hardcoded in scripts and if entered at the console should be unset as soon as possible.


Removing the System Encription Password (SEP)

The SYSDSO can remove the SEP when the database is no longer encrypted, and when there are no remaining column-level encryptions stored in the RDB$ENCRYPTIONS table.

To remove a SEP, use the following syntax:

alter database set no system encryption password


Advance To: