Additional Guidelines for Encrypting and Decrypting Database Backup Files

Go Up to Encrypting Backup Files

When preparing to encrypt or decrypt database backup files, keep the following information in mind:

• The encryption chosen for a database backup must be custom password-protected and at least as strong, in terms of encryption key size, as the strongest encryption defined in the database.
• An encrypted database backup file will be almost the same size as an unencrypted database backup. However, the time to encrypt and decrypt a backup file may be longer than a backup which is not encrypted.
• GBAK retrieves all encrypted column data in plaintext form, so Over-the-Wire (OTW) encryption should be used if backing up and restoring over the network. Alternatively, the -se service manager switch can be used to backup and restore on the server to avoid network transmission. For more information about OTW, see the InterBase Operations Guide.
• It is the user’s responsibility to remember the encryption password and system encryption password necessary to decrypt a set of database backup files as there is no means for InterBase to do so automatically.
• Databases with AES encryption keys allow backup/restore activities only as a service. It was designed to facilitate discovering a "strong encryption" license mandate in the engine. Databases with DES encryption keys are allowed to be backed up (and restored) as a pure client. However, the encrypted data, now decrypted with proper authentication, could be visible in transit in the process space of GBAK (or other backup applications).

Backup/restore operations can be restricted on any encrypted database, whether DES or AES strength. An error message now displays the following when GBAK is not run as a service on encrypted databases:

gbak: ERROR: encrypted database: use -service switch