Booting an encrypted database

If you create an encrypted database using the bootPassword=key attribute, you must specify the boot password to reboot the database. If you create an encrypted database using the encryptionKey=key attribute, you must specify the encryption key to reboot the database.

Encrypted databases cannot be booted automatically along with all other system databases on system startup (see "derby.system.bootAll" in the Derby Reference Manual). Instead, you boot an encrypted database when you first connect to the database.

Booting a database with the bootPassword=key attribute

To access an encrypted database called wombat that was created with the boot password clo760uds2caPe, use the following connection URL:

jdbc:derby:wombat;bootPassword=clo760uds2caPe

Booting a database with the encryptionKey=key attribute

To access an encrypted database called flintstone that was created with the attributes encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and encryptionAlgorithm=AES/CBC/NoPadding, use the following connection URL:

jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678

After the database is booted, all connections can access the database without the boot password or encryption key. Only the connection that boots the database must supply it.

For example, the following connections would boot the database and require the boot password or encryption key, depending on what mechanism was used to encrypt the database originally:
Note: The boot password and the encryption key are not meant to prevent unauthorized connections to the database after the database is booted. To protect a database after it has been booted, turn on user authentication (see Working with user authentication).
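
The following added example (not part of the Derby documentation) shows the behavior described above: a connection that supplies no key is attempted while the database is booted, again after it has been shut down, and again after it has been rebooted with the boot password. It assumes the Derby embedded driver is on the classpath; the class name BootEncryptedDemo and the scratch directory are hypothetical, and the database is created in a temporary derby.system.home so that the example is self-contained.

```java
import java.nio.file.Files;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class BootEncryptedDemo { // hypothetical class name
    static final String URL = "jdbc:derby:wombat";

    // Attempt a connection that supplies no boot password or encryption key.
    static boolean connectsWithoutKey() {
        try (Connection c = DriverManager.getConnection(URL)) {
            return true;
        } catch (SQLException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Scratch system directory (assumption) so no real database is touched.
        System.setProperty("derby.system.home",
                Files.createTempDirectory("derby-demo").toString());

        // Pass the boot password as a connection property rather than in the
        // URL, so it is not embedded in a string that may end up in logs.
        Properties boot = new Properties();
        boot.setProperty("bootPassword", "clo760uds2caPe"); // value from the page
        Properties create = new Properties();
        create.putAll(boot);
        create.setProperty("create", "true");
        create.setProperty("dataEncryption", "true");
        DriverManager.getConnection(URL, create).close(); // creates and boots wombat

        System.out.println("booted, no key:    " + connectsWithoutKey());

        // Shut down this one database; Derby reports success as SQLState 08006.
        try {
            DriverManager.getConnection(URL + ";shutdown=true");
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e;
        }
        System.out.println("shut down, no key: " + connectsWithoutKey());

        // The first connection after shutdown must supply the boot password.
        DriverManager.getConnection(URL, boot).close();
        System.out.println("rebooted, no key:  " + connectsWithoutKey());
    }
}
```

The keyless attempts made while the database is booted are the ones that user authentication, not the boot password, has to control.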