dataEncryption=true attribute

Function

Specifies data encryption on disk for a new database, or configures an existing unencrypted database for encryption. For information about data encryption, see "Encrypting databases on disk" in the Derby Developer's Guide.

After you encrypt a database, you can return it to the unencrypted state by specifying the decryptDatabase=true attribute.

Combining with other attributes

The dataEncryption=true attribute must be combined with either the bootPassword=key attribute or the encryptionKey=key attribute.

With either bootPassword=key or encryptionKey=key, you have the option of also specifying the encryptionProvider=providerName, encryptionAlgorithm=algorithm, and/or encryptionKeyLength=length attributes.

An encryption key and a boot password use different storage mechanisms, so if, for example, you create a database using a boot password, you must continue to specify a boot password when you boot the database; you cannot switch to an encryption key. You can change either the boot password or the encryption key by specifying newBootPassword=newPassword or newEncryptionKey=key.

For an existing, unencrypted database for which authentication and SQL authorization are both enabled, only the database owner can perform encryption. See also "Enabling user authentication" and "Setting the SQL standard authorization mode" in the Derby Developer's Guide for more information.

After you encrypt an existing, unencrypted database, be sure to check for SQLWarnings. The encryption succeeded only if there were no SQLWarnings or SQLExceptions.

Examples

-- encrypt a new database
jdbc:derby:encryptedDB;create=true;dataEncryption=true;
    bootPassword=cLo4u922sc23aPe
-- configure an existing unencrypted database for encryption 
jdbc:derby:salesdb;dataEncryption=true;bootPassword=cLo4u922sc23aPe
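
The SQLWarning check described above, shown for the second URL as an added example that is not part of the Derby documentation. It assumes the embedded Derby driver is on the classpath; the class name and the DERBY_BOOT_PASSWORD environment variable are names chosen for this example, and the attributes are passed as connection properties so the boot password does not appear in the URL string.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.SQLWarning;
import java.util.Properties;

public class EncryptExistingDb {
    public static void main(String[] args) throws Exception {
        // Assumption: the boot password is supplied through an environment
        // variable (hypothetical name) instead of being hard-coded.
        String bootPassword = System.getenv("DERBY_BOOT_PASSWORD");
        if (bootPassword == null || bootPassword.isEmpty()) {
            throw new IllegalStateException("DERBY_BOOT_PASSWORD is not set");
        }

        // Same attributes as the URL form, passed as connection properties.
        Properties attrs = new Properties();
        attrs.setProperty("dataEncryption", "true");
        attrs.setProperty("bootPassword", bootPassword);

        try (Connection conn = DriverManager.getConnection("jdbc:derby:salesdb", attrs)) {
            // Walk the whole warning chain; any warning means the
            // encryption must not be treated as successful.
            int count = 0;
            for (SQLWarning w = conn.getWarnings(); w != null; w = w.getNextWarning()) {
                count++;
                System.err.printf("SQLWarning SQLState=%s: %s%n",
                        w.getSQLState(), w.getMessage());
            }
            if (count > 0) {
                throw new IllegalStateException(
                        "encryption not confirmed: " + count + " SQLWarning(s)");
            }
            System.out.println("salesdb encrypted: no SQLWarnings or SQLExceptions");
        } catch (SQLException e) {
            // Derby chains exceptions; report every link before failing.
            for (SQLException x = e; x != null; x = x.getNextException()) {
                System.err.printf("SQLException SQLState=%s: %s%n",
                        x.getSQLState(), x.getMessage());
            }
            throw e;
        }
    }
}
```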