> I don't think the key should be passed by the client, the client should
> have no idea that the database is encrypted. It's a server task only.
>
> Taking into account that the engine executable could be compromised, I
> think that this is up to the server administrator to verify the FB
> binaries before provide any password, comparing it to some signatures
> stored in a safe place (a USB stick is enough to hold a tiny application
> that compares to the expected SHA signatures). Any kind of built in
> protection could be easily bypassed by someone with a custom FB build.

If we talk about the server, I think there is definitely easier solution
with encryption than the one you propose - put the database file on the
encrypted file system (like TrueCrypt) and tell the server admin to
prevent anybody except Firebird process to access it.

But so far the discussion was about the embedded engine - the software
is distributed with the fbembed.dll and database.fdb, no control over
who has access to the files. And this approach does not work - it is
always possible to forge a version of Firebird that will dump the keys.

Roman