Encrypting databases with a new external encryption key
You can apply a new external encryption key to a Derby database
by specifying the newEncryptionKey attribute on the connection URL
when you boot the database.
- If the database is configured with log archival for roll-forward recovery,
you must disable log archival and perform a shutdown before you can encrypt
the database with a new external encryption key.
- If there are any global transactions that are in the prepared state after
recovery, the database cannot be encrypted with a new encryption key.
- If the database is currently encrypted with a boot password, you should
use the newBootPassword attribute to encrypt the database.
To encrypt a database with a new external encryption key:
Specify the newEncryptionKey attribute in a URL and reboot
For example, if the following URL is used when the
database is rebooted, the database is encrypted
with the new encryption key 6862636465666768:
If you disabled log archival before you applied the new encryption
key, create a new backup of the database after the database is reconfigured
with the new encryption key.
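
The following Java program is an added example, not part of the Derby documentation: it applies a new key at boot as the steps above describe, then confirms that only the new key boots the database. The database name exampledb and the environment variables DERBY_OLD_KEY and DERBY_NEW_KEY are assumptions, and the Derby embedded driver must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class RotateDerbyKey {
    // Assumed names: "exampledb" and the two environment variables are placeholders.
    static final String URL = "jdbc:derby:exampledb";

    public static void main(String[] args) throws SQLException {
        String oldKey = requireEnv("DERBY_OLD_KEY");
        String newKey = requireEnv("DERBY_NEW_KEY");
        // Must be the first boot of the database in this JVM. Properties are equivalent
        // to URL attributes and keep the keys out of URL strings that may end up in logs.
        Properties rotate = new Properties();
        rotate.setProperty("encryptionKey", oldKey);
        rotate.setProperty("newEncryptionKey", newKey);
        DriverManager.getConnection(URL, rotate).close();
        shutdown();
        // Verify the rotation: the old key must be rejected, the new one accepted.
        if (boots(oldKey)) throw new IllegalStateException("old key still boots the database");
        if (!boots(newKey)) throw new IllegalStateException("new key does not boot the database");
        System.out.println("Rotation verified. Back up the database again if log archival was disabled.");
    }
    static boolean boots(String key) {
        Properties p = new Properties();
        p.setProperty("encryptionKey", key);
        try (Connection c = DriverManager.getConnection(URL, p)) {
            // Reaching here means the boot succeeded.
        } catch (SQLException e) {
            System.err.println("Boot failed, SQLState " + e.getSQLState());
            return false;
        }
        shutdown();
        return true;
    }
    static void shutdown() {
        try {
            DriverManager.getConnection(URL + ";shutdown=true");
        } catch (SQLException e) {
            // Derby signals a successful single-database shutdown with SQLState 08006.
            if (!"08006".equals(e.getSQLState())) throw new IllegalStateException(e);
        }
    }
    static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }
}
```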