Backup should write encryption plugin and key name into backup file

Open aafemt opened this issue 1 year ago • 8 comments

When performing a backup-restore of an encrypted database, it is expected that by default the new database has all the characteristics of the source, including the encryption flag, encryption plugin and key.

This issue is different from #6070, which is aimed at the backup file only, but is related to #6660, which says that the database encryption plugin and key must be applied to the backup file automatically by default.

aafemt avatar Jan 02 '24 16:01 aafemt

Maybe I did not understand something, but it looks like the current behavior is described here as desired. At least the key & plugin names are definitely stored in the .gbak file.

AlexPeshkoff avatar Jan 04 '24 10:01 AlexPeshkoff

The plugin name and key used to encrypt the backup file are stored now only if the backup file is encrypted. The plugin name and key that were used to encrypt the source database are not stored. Maybe this issue will be resolved automatically after the implementation of #6660, which will force the backup file to be encrypted with the same plugin/key as the database was.

aafemt avatar Jan 04 '24 10:01 aafemt

Why do you expect that the database after restore will be encrypted? And in exactly the same way?

hvlad avatar Jan 04 '24 10:01 hvlad

Because I think that this is the purpose of database encryption. Backup-restore of an encrypted database must produce an encrypted database without any additional effort. If the resulting database is not encrypted, the whole security by encryption is fake.

aafemt avatar Jan 04 '24 10:01 aafemt

It is too strong an assumption. Think about a test restore, for example. In any case, one who has an encrypted backup and the key for it can produce an unencrypted database without much effort, and it is impossible to prevent it.

hvlad avatar Jan 04 '24 11:01 hvlad

Yes, but the keywords are "and key for it". If the key is hidden on the server, one will have the encrypted backup but not the key. Restoring that backup will be fine if the target server also has the key. The backup operator needs no key in this case and cannot produce an unencrypted database.

aafemt avatar Jan 04 '24 11:01 aafemt

Currently gbak cannot (for foolproofing reasons) create an unencrypted backup of an encrypted database or restore an encrypted backup as an unencrypted database.

On the other hand, it's possible for the user to change the encryption plugin or key at any step. Using different ways of encryption at different steps seems to be, in general, a good idea. As for keeping information about the original plugin/key, that's a possible enhancement, but IMO not critical.

AlexPeshkoff avatar Jan 04 '24 11:01 AlexPeshkoff

In v4 I see an unencrypted backup created from an encrypted database. When was this change made?

aafemt avatar Jan 04 '24 11:01 aafemt