Subject RE: [firebird-support] Re: Undocumented internal encrypt/decrypt in FB
Author Dean Harding
> Not true. GBAK works through the Firebird server, so the Firebird server
> needs access to the database, not GBAK!



Yes, presumably my solution would require that you use the embedded server.
To run through the steps again:



At install time:

1. Create a new user with a randomly-generated password

2. Install your application as a service that runs under this
newly-created user account

3. Have your newly-created service take ownership of the database
file, and then encrypt it using NTFS encryption

4. Discard your randomly-generated password



So this service would then use the embedded server to actually "talk" to the
database, and it would only provide such APIs that are required to provide
whatever access you want (read-only, write-only, whatever).



Now, the administrator could simply write their own service executable and
overwrite your executable, thus being able to read the file themselves. But
I don't see how this would be any different to writing their own replacement
for the Firebird service and logging the "per-connection" encryption keys
that you described (in fact, given that they would already have the source
code to the Firebird server readily available, it would be even easier). So
my solution is:



1. No worse, in terms of the provided amount of security, than a
"per-connection encryption key," and

2. Available today, without anything being added to Firebird server.



Dean.



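The install-time steps from the message above, written out as an added PowerShell example (it is not part of the original message and is not Firebird code). The account name, service name and paths are hypothetical. It assumes the account is granted "Log on as a service" separately, and it has the installer assign ownership of the file while the service performs the encryption.

```powershell
# Added example, not from the original post. Run elevated at install time.
# Account name, service name and paths are hypothetical placeholders.
$User    = 'fbvault_svc'
$Service = 'FbVaultService'
$Exe     = 'C:\Program Files\FbVault\FbVaultService.exe'
$DbFile  = 'C:\ProgramData\FbVault\data.fdb'

# Step 1: new account with a random password from the OS CSPRNG.
# The fixed suffix only satisfies complexity policy; it adds no secrecy.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$plain  = [Convert]::ToBase64String($bytes) + 'aA1!'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
New-LocalUser -Name $User -Password $secure -PasswordNeverExpires `
    -UserMayNotChangePassword -AccountNeverExpires | Out-Null

# Step 2: register the application as a service under that account.
# Assumption: the account is granted "Log on as a service" separately.
$cred = New-Object System.Management.Automation.PSCredential(".\$User", $secure)
New-Service -Name $Service -BinaryPathName "`"$Exe`"" -Credential $cred `
    -StartupType Automatic | Out-Null

# Step 3a (installer): hand the file to the service account.
icacls $DbFile /setowner $User | Out-Null
icacls $DbFile /grant "${User}:(F)" | Out-Null

# Step 3b (service, on first start, running as $User): EFS keys belong to
# the account that encrypts, so this call must run under the service account.
function Protect-DatabaseFile([string]$Path) {
    $item = Get-Item -LiteralPath $Path
    if (-not ($item.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
        [System.IO.File]::Encrypt($Path)   # NTFS/EFS encryption
        $item.Refresh()
    }
    # True only if the Encrypted attribute is now set
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

# Step 4: the installer keeps no copy of the password. Windows itself still
# stores the service credential so that it can start the service.
$secure.Dispose()
Remove-Variable bytes, plain, secure, cred
```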