Changing encryption key on an encrypted database


Ertan Küçükoglu

Mar 29, 2026, 4:46:22 AM
to firebird...@googlegroups.com
Hello,

I'm using FirebirdSQL 5.0.3 Win64.

I'm trying to add a database encryption key change feature to my application programmatically. The process is as follows:
1- The FirebirdSQL server service is shut down and restarted (using the old key here).
2- Connect to the database
3- Execute the "alter database decrypt" command.
4- Disconnect from the database.
5- Check decryption state in intervals.
6- Checking is establishing a new connection to the database, starting a new transaction running the query "select mon$crypt_state from mon$database" expecting it to become 0. If not, commit the transaction and close the connection.

The problem is: after the 3rd step, all that I'm reading is mon$crypt_state=2 until the timeout (5 mins). I was expecting it to be first 3 and then 0.

This is an empty database with fewer than about 100 tables and some domains in it. Just a couple of records for test purposes. Disk size is 21 MB.

Encryption is almost immediate. It does not even take one second. The encryption key change process is triggered about 15 seconds later (for testing).

gstat output is as follows (long after running "alter database decrypt"):
Gstat execution time Sun Mar 29 11:39:32 2026

Database header page information:
        Flags                   0
        Generation              5708
        System Change Number    0
        Page size               32768
        ODS version             13.1
        Oldest transaction      3860
        Oldest active           3861
        Oldest snapshot         3861
        Next transaction        3861
        Sequence number         0
        Next attachment ID      7363
        Implementation          HW=AMD/Intel/x64 little-endian OS=Windows CC=MSVC
        Shadow count            0
        Page buffers            0
        Next header page        0
        Database dialect        3
        Creation date           Mar 29, 2026 8:19:05
        Attributes              force write, encrypted, crypt process, plugin cryptDb

    Variable header data:
        Crypt checksum: Gb18JLVsIyrg2fISiYPopK+lKOs=
        Key hash:       055hGJFYLwFp45g6OlwlxAgSDNg=
        Database GUID:  {7622529A-21E7-40B4-8E96-53879705E178}
        *END*
Gstat completion time Sun Mar 29 11:39:32 2026

"select MON$CRYPT_PAGE * 100 / MON$PAGES from MON$DATABASE" returns 0 (long after running "alter database decrypt")

I can't figure out what I'm doing wrong and wanted to ask.

Thanks & Regards,
Ertan

Vlad Khorsun

Mar 30, 2026, 5:41:42 AM
to firebird-support
  When the last user connection is closed, all service (worker) connections to the database (in the same Firebird process) are also closed by the engine.

  Thus, the problem is that you have no permanent connection to the database and the encryption thread has almost no time to work. Instead of disconnecting at step 4 and connecting/disconnecting at step 6, just use the connection from step 2, at least until encryption is finished.

Regards,
Vlad
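
The suggestion above, as an added example that is not code from this thread or from the Firebird project: run the decrypt and poll mon$crypt_state on the same connection, closing it only after state 0 is read. The names decrypt_and_wait, FakeConnection and demo are hypothetical; con is assumed to be any Python DB-API 2.0 connection to the database, and the fake connection replays constructed states so the block runs offline.

```python
import time

def decrypt_and_wait(con, timeout=300.0, poll=1.0, sleep=time.sleep):
    """Run ALTER DATABASE DECRYPT and poll MON$CRYPT_STATE on the SAME
    connection, so an attachment stays open while the crypt thread works.
    `con` is assumed to be a DB-API 2.0 connection (cursor/commit)."""
    cur = con.cursor()
    cur.execute("alter database decrypt")
    con.commit()
    seen = []                      # distinct states observed, for diagnosis
    deadline = time.monotonic() + timeout
    while True:
        cur.execute("select mon$crypt_state from mon$database")
        state = cur.fetchone()[0]
        con.commit()               # next poll runs in a new transaction
        if not seen or seen[-1] != state:
            seen.append(state)
        if state == 0:             # the thread expects 0 once decrypted
            return seen
        if time.monotonic() >= deadline:
            raise TimeoutError(f"still in crypt state {state}; seen {seen}")
        sleep(poll)

class FakeConnection:
    """Constructed stand-in for a database connection (not a real driver):
    replays a scripted list of crypt states, refuses queries after close()."""
    def __init__(self, states):
        self._states, self._last, self.open = list(states), None, True
        self.statements = []
    def cursor(self):
        return self
    def execute(self, sql):
        assert self.open, "connection was closed"
        self.statements.append(sql)
        if sql.startswith("select"):
            self._last = self._states.pop(0) if len(self._states) > 1 else self._states[0]
    def fetchone(self):
        return (self._last,)
    def commit(self):
        pass
    def close(self):
        self.open = False

def demo():
    con = FakeConnection([2, 2, 2, 0])   # constructed sequence of states
    try:
        return decrypt_and_wait(con, timeout=5, poll=0, sleep=lambda s: None)
    finally:
        con.close()                      # disconnect only after state 0
```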

Ertan Küçükoglu

Mar 30, 2026, 8:09:35 AM
to firebird...@googlegroups.com

On Mon, 30 Mar 2026 at 12:41, Vlad Khorsun <fbv...@gmail.com> wrote:
That fixed it. Thank you.