Firebird 3.0 Encryption with AES128 plugin - Unable to connect

Question

I'm using Firebird 3 with encryption via the AES128 plugin found here. https://www.ibphoenix.com/products/software/encryptionplugin

I have successfully encrypted the database, and I am able to connect and query it using isql however I am not able to connect from within my ColdFusion CFIDE - Data Sources area. I previously used the dbcrypt plugin and it worked fine, it was just tremendously slow compared to the un-encrypted database. With the AES128 plugin though, I get the error

Connection verification failed for data source: devBBL java.sql.SQLException: Unsupported operation code: 97 The root cause was that: java.sql.SQLException: Unsupported operation code: 97

My connection information in the CFIDE Data Sources window is the same as it's always been.

JDBC URL: jdbc:firebirdsql:localhost/3050:C:\fbdb\MASTER25.FDB
Driver Class: org.firebirdsql.jdbc.FBDriver
Driver Name: JayBird
Username: SYSDBA
Password: PASSWORD

Does anyone have any idea what is causing me to receive this error when trying to connect? Do I need to include some additional argument?

Answer 1

This happens if the database is encrypted and the plugin requires a callback to get the key (instead of using a server-local encryption key).

If configured to use a callback to obtain the encryption key, during the attach phase, Firebird will send a packet with operation code op_crypt_key_callback (= 97) (and plugin specific data) to the client, and the client in turn should respond to that with the encryption key (or at least, with plugin specific data that the plugin can use to derive the encryption key).

Jaybird versions before 3.0.4 do not support handling of encryption key callbacks (operation code 97), so this error occurs.

Basic support to pass a fixed response to an encryption key callback has been introduced in Jaybird 3.0.4. For earlier versions, if you can't upgrade, the workaround would be to use a server-local encryption key.

Solution

The solution is to upgrade Jaybird to Jaybird 3.0.4, which introduced support for database encryption callbacks. If the encryption plugin performs a callback, but doesn't actually need to use the content of the response, then it will work out of the box.

It the encryption plugin needs a reply with the key, you can set the key in the dbCryptConfig connection property. You can either use a base64 encoded value by prefixing it with base64: or a string key, which will be converted to bytes using UTF-8 encoding.

For example in a connection string:

jdbc:firebirdsql://localhost/appdbalias?dbCryptConfig=base64:dmVyeXNlY3JldGtleQ==

or

jdbc:firebirdsql://localhost/appdbalias?dbCryptConfig=verysecretkey

The implementation currently does not support more advanced callbacks.

Jaybird 3.0.4 (or higher) can be downloaded from https://www.firebirdsql.org/en/jdbc-driver/

See Jaybird 3.0.x release notes, section Database encryption support for more information.

Workaround

NOTE Only use this workaround if you can't yet upgrade to Jaybird 3.0.4 or higher.

According to the instructions on https://www.ibphoenix.com/products/software/encryptionplugin you can configure a server-local key by using KeyHolderPlugin = KeyFile instead of KeyHolderPlugin = Callback.

Unfortunately, this doesn't work. It looks like the plugin in question is unconditionally performing a callback to the client, even if it has the necessary data available locally. This is possibly a bug in this encryption plugin, or maybe a deliberate design decision.

IBPhoenix has released a new version of this plugin, version 1.2.1, which allows you to disable this callback with an explicit setting in plugins/KeyFile.conf with setting DisableCallback = true.