dataEncryption=true attribute

The dataEncryption=true attribute specifies data encryption on disk for a new database or to configure an existing unencrypted database for encryption.

For information about data encryption, see "Configuring database encryption" in the Derby Security Guide.

After you encrypt a database, you can return it to the unencrypted state by specifying the decryptDatabase=true attribute.

Combining with other attributes

The dataEncryption=true attribute must be combined with either the bootPassword=key attribute or the encryptionKey=key attribute.

With either bootPassword=key or encryptionKey=key, you have the option of also specifying the encryptionProvider=providerName, encryptionAlgorithm=algorithm, and/or encryptionKeyLength=length attributes.

An encryption key and a boot password use different storage mechanisms, so if, for example, you create a database using a boot password, you must continue to specify a boot password when you boot the database; you cannot switch to an encryption key. You can change either the boot password or the encryption key by specifying newBootPassword=newPassword or newEncryptionKey=key.

For an existing, unencrypted database for which authentication and SQL authorization are both enabled, only the database owner can perform encryption. See "Configuring user authentication" and "Configuring user authorization" in the Derby Security Guide for more information.

After you encrypt an existing, unencrypted database, be sure to check for SQLWarnings. The encryption succeeded only if there were no SQLWarnings or SQLExceptions.


-- encrypt a new database
-- configure an existing unencrypted database for encryption