Secure Your FileMaker Database with Encryption at Rest

Claris’ FileMaker platform offers a number of great avenues for keeping your data secured. One of these avenues is to secure the database itself using Encryption At Rest. To be as un-technical as possible, this keeps your data in an unreadable form that can only be opened with a secure key. So, if the database is stolen, the thief would have no way of opening and reading or extracting your data without also have your secure key.

We recommend encrypting ALL FileMaker databases with sensitive data.

How to encrypt a database?

The first step is to get the database onto a local computer. If the database is currently hosted using FileMaker Server, it must be closed and then removed from the server. You will then Open the Developer Utilities. (If you do not see Developer Utilities, it means that you do not have advanced tools turned on. There is a checkbox in FileMaker Preferences to turn this on)

You will select the file you want to encrypt, what folder you would like the encrypted file to be saved to and then select Solution Options.

Here, you will select Enable Database Encryption, enter a shared ID (or just leave the default one), specify one of the database’s Full Access FileMaker accounts and then enter your encryption key. (Make sure to keep the key on file. Once a database is encrypted, the ONLY way it can be opened is by entering that key). You can then choose whether or not to keep Open Storage, which relates to FileMaker’s container data. There are some situations where you may want to keep the container data open even though the database is closed. This should be determined on a case-by-case basis.

Alright! You now have an encrypted file. You will notice when you try to open it, it first asks for the encryption key before it asks for your username and password.

How does it work with FileMaker Server?

Now, you will upload the database back to your server. When you do so, you will see this alert:

When you open up your admin console, you will notice that the file is indeed closed.

You can open the file through the admin console, and when entering the encryption key select “Save Password” or through the command line as shown below.

By saving the password, when you close and open the database, it will open the database without asking for your encryption key.

How does the new FileMaker Server 19.1.2 Update Relate to this?

With the new FileMaker Server 19.1.2 release, you can now run two new system-wide scripts automatically through FileMaker Server’s script schedule.

The first script, SYS_Default_PurgeTempDB, clears the temporary cache of the server. If your server is not restarted often, this temporary cache can become quite large and affect the performance of the server. Now with this script, it can be cleared weekly, daily, or even hourly if needed.

The second script, SYS_Default_VefiryAllDB, will verify all databases on the server to confirm that none are corrupted. During the process, the server will close each file, run the verification, and then open the file back up. The server, however, can only open an encrypted file if its key is saved to the server using the command line script. Because we want this schedule to be run automatically, it is necessary for the encryption key to be saved to the server in order to run this script.