Additional Guidelines for Encrypting and Decrypting Database Backup Files

When preparing to encrypt or decrypt database backup files, keep the following information in mind:

The encryption chosen for a database backup must be custom password-protected and at least as strong, in terms of encryption key size, as the strongest encryption defined in the database.
An encrypted database backup file will be almost the same size as an unencrypted database backup. However, the time to encrypt and decrypt a backup file may be longer than a backup which is not encrypted.
GBAK retrieves all encrypted column data in plaintext form, so Over-the-Wire (OTW) encryption should be used if backing up and restoring over the network. Alternatively, the -se service manager switch can be used to backup and restore on the server to avoid network transmission. For more information about OTW, see the InterBase Operations Guide.
It is the user’s responsibility to remember the encryption password and system encryption password necessary to decrypt a set of database backup files as there is no means for InterBase to do so automatically.
Databases with AES encryption keys allow backup/restore activities only as a service. It was designed to facilitate discovering a "strong encryption" license mandate in the engine. Databases with DES encryption keys are allowed to be backed up (and restored) as a pure client. However, the encrypted data, now decrypted with proper authentication, could be visible in transit in the process space of GBAK (or other backup applications).

Backup/restore operations can be restricted on any encrypted database, whether DES or AES strength. An error message now displays the following when GBAK is not run as a service on encrypted databases:

gbak: ERROR: encrypted database: use -service switch

Advance To:

Data Definition Guide