You can apply a new boot password to a Derby database by specifying the newBootPassword attribute on the connection URL when you boot the database.
When you use the newBootPassword attribute, a new encryption key is generated internally by the engine and the key is protected using the new boot password. The newly generated encryption key encrypts the database, including the existing data. You cannot change the encryption provider or encryption algorithm when you apply a new boot password.
To encrypt a database with a new boot password:
If you disabled log archival before you applied the new boot password, create a new backup of the database after the database is reconfigured with the new boot password.