Encrypting databases with a new external encryption key

You can apply a new external encryption key to a Derby database by specifying the newEncryptionKey=key attribute on the connection URL when you boot the database.

If the database is configured with log archival for roll-forward recovery, you must disable log archival and perform a shutdown before you can encrypt the database with a new external encryption key.
If any global transaction are in the prepared state after recovery, the database cannot be encrypted with a new encryption key.
If the database is currently encrypted with a boot password, use the newBootPassword=newPassword attribute to encrypt the database.

To encrypt a database with a new external encryption key:

Specify the newEncryptionKey=key attribute in a URL and reboot the database. For example, if you use the following URL to reboot the salesdb database, the database is encrypted with the new encryption key 6862636465666768:

jdbc:derby:salesdb;encryptionKey=6162636465666768;
newEncryptionKey=6862636465666768'

If authentication and SQL authorization are both enabled, the credentials of the Database Owner must be supplied as well, since encryption is a restricted operation.

After you change the encryption key, be sure to check for SQLWarnings. The change succeeded only if there were no SQLWarnings or SQLExceptions.

If you disabled log archival before you applied the new encryption key, create a new backup of the database after the database is reconfigured with the new encryption key. For more information, see the section "Backing up and restoring databases" in the Derby Server and Administration Guide, particularly "Roll-forward recovery".