>> Or someone who has administrative privileges (=everyone who has physical
>> access to the machine) and knows that it is enough to replace the
>> security
>> database with his custom one.
>
> NTFS encryption, as outlined in my previous email, is "safe" from the
> administrator. The file is encrypted with the password of the user who
> owns
> the file so even if the administrator took ownership of the file, or
> changed
> the user's password the file would still be inaccessible. In fact, if the
> administrator changed the user's password, the file would be inaccessible
> to
> everybody!

Sure. The problem is that I described a completely different attack. Suppose
that you have Firebird running the way you described, with NTFS encrypted
database. What the attacker does is:

1) Stop Firebird
2) Delete the security database
3) Copy the default security database in Firebird's folders
4) Restart Firebird
5) Use GBAK with SYSDBA/masterkey to backup the "protected" database
6) Restore the backup on any other computer

Result: The data is completely copied. The attacker didn't even have to
bother with finding the encryption key (hell, he didn't even need to know
that the encryption is in place - the very same sequence would work for ANY
Firebird installation there is!) That's why we need an encryption where key
is supplied with each connection.

Pepak