Encrypting databases with a new key

You can apply a new encryption key to a Derby database by specifying a new boot password or a new external key.

Encrypting a database with a new encryption key is a time-consuming process because it involves encrypting all of the existing data in the database with the new encryption key. If the process is interrupted before completion, all the changes are rolled back the next time the database is booted. If the interruption occurs immediately after the database is encrypted with the new encryption key but before the connection is returned to the application, you might not be able to boot the database with the old encryption key. In these rare circumstances, you should try to boot the database with the new encryption key.

Recommendation: Ensure that you have enough free disk space before you encrypt a database with a new key. In addition to the disk space required for the current size of the database, temporary disk space is required to store the old version of the data to restore the database back to its original state if the new encryption is interrupted or returns errors. All of the temporary disk space is released back to the operating system after the database is reconfigured to work with the new encryption key.

To encrypt a database with a new encryption key:

Use the type of encryption that is currently used to encrypt the database:

If authentication and SQL authorization are both enabled, the credentials of the Database Owner must be supplied, since reencryption is a restricted operation.
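
The procedure above for a database protected by a boot password, as an added example that is not part of the Derby documentation. `bootPassword` and `newBootPassword` are Derby connection attributes that this page does not name; the environment variable names, the command-line argument and the free-space threshold (at least the current database size) are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.sql.*;
import java.util.Properties;
import java.util.stream.Stream;

public class ReencryptDerby {
    // Current on-disk size of the database directory, in bytes.
    static long dirSize(Path dir) throws IOException {
        try (Stream<Path> files = Files.walk(dir)) {
            return files.filter(Files::isRegularFile).mapToLong(f -> f.toFile().length()).sum();
        }
    }

    static Properties props(String bootPw) {
        Properties p = new Properties();
        // Database Owner credentials: needed when authentication and SQL authorization are on.
        String owner = System.getenv("DERBY_OWNER");                  // assumed variable name
        if (owner != null) {
            p.setProperty("user", owner);
            p.setProperty("password", System.getenv("DERBY_OWNER_PW")); // assumed variable name
        }
        p.setProperty("bootPassword", bootPw);  // throws NullPointerException if unset
        return p;
    }

    public static void main(String[] args) throws Exception {
        Path db = Paths.get(args[0]);                       // database directory (assumed argument)
        String oldPw = System.getenv("DERBY_OLD_BOOTPW");   // secrets come from the environment,
        String newPw = System.getenv("DERBY_NEW_BOOTPW");   // not from source code or the URL

        // Assumed threshold: room for a full copy of the old data in case of rollback.
        long need = dirSize(db), free = Files.getFileStore(db).getUsableSpace();
        if (free < need)
            throw new IllegalStateException("need " + need + " bytes free, have " + free);

        String url = "jdbc:derby:" + db;
        Properties p = props(oldPw);
        p.setProperty("newBootPassword", newPw);            // re-encryption runs during this boot
        try (Connection c = DriverManager.getConnection(url, p)) {
            System.out.println("database re-encrypted with the new key");
        } catch (SQLException e) {
            // An earlier interrupted run may already have switched keys: try the new key alone.
            try (Connection c = DriverManager.getConnection(url, props(newPw))) {
                System.out.println("database already boots with the new key");
            }
        }
    }
}
```

Run it with the embedded Derby driver on the classpath and while the database is not already booted, because the new key is applied when the database boots.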