When creating a new database, you must combine the encryptionKey attribute with the create=true and dataEncryption=true attributes.
When you configure an existing unencrypted database for encryption, the encryptionKey attribute must be combined with the dataEncryption=true attribute. For an existing, unencrypted database for which authentication and SQL authorization are both enabled, only the database owner can perform encryption. Please see "Enabling user authentication" and "Setting the SQL standard authorization mode" in the Derby Developer's Guide for more information.
When booting an existing encrypted database, you must also specify the encryptionAlgorithm attribute if the algorithm that was used when the database was created is not the default algorithm.
The default encryption algorithm used by Derby is DES/CBC/NoPadding.
Example of a JDBC URL that creates a new encrypted database: