Specifying an alternate encryption algorithm

Derby supports the following encryption algorithms.

• DES (the default)
• DESede (also known as triple DES)
• Any encryption algorithm that fulfills the following requirements:
  • It is symmetric
  • It is a block cipher, with a block size of 8 bytes
  • It uses the NoPadding padding scheme
  • Its secret key can be represented as an arbitrary byte array
  • It requires exactly one initialization parameter, an initialization vector of type javax.crypto.spec.IvParameterSpec
  • It can use javax.crypto.spec.SecretKeySpec to represent its key

  For example, the algorithm Blowfish implemented in the Java Cryptography Extension (JCE) packages (javax.crypto.*) fulfills these requirements.

By Java convention, an encryption algorithm is specified like this:

algorithmName/feedbackMode/padding

The only feedback modes allowed are:

• CBC
• CFB
• ECB
• OFB

The only padding mode allowed is NoPadding.

By default, Derby uses the DES algorithm of DES/CBC/NoPadding.

To specify an alternate encryption algorithm when you create a database, use the encryptionAlgorithm=algorithm attribute. If the algorithm you specify is not supported by the provider you have specified, Derby throws an exception.

To specify the AES encryption algorithm with a key length other than the default of 128, specify the encryptionKeyLength=length attribute. For example, you might specify the following connection attributes:

jdbc:derby:encdbcbc_192;create=true;dataEncryption=true;
encryptionKeyLength=192;encryptionAlgorithm=AES/CBC/NoPadding;
bootPassword=Thursday

To use the AES algorithm with a key length of 192 or 256, you must use unrestricted policy jar files for your JRE. You can obtain these files from your Java provider. They might have a name like "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files." If you specify a non-default key length using the default policy jar files, a Java exception occurs.