Creating a boot password

When you encrypt a database you usually specify a boot password, which is an alphanumeric string used to generate the encryption key. (You can also specify an encryption key directly.)

The length of the encryption key depends on the algorithm used:

AES (128, 192, and 256 bits)
DES (the default) (56 bits)
DESede (168 bits)
All other algorithms (128 bits)

Note: The boot password should have at least as many characters as number of bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number of characters for the boot password allowed by Derby is eight.

It is a good idea not to use words that would be easily guessed, such as a login name or simple words or numbers. A boot password, like any password, should be a mix of numbers and uppercase and lowercase letters.

You turn on and configure encryption and specify the corresponding boot password on the connection URL for a database when you create it:

jdbc:derby:encryptionDB1;create=true;dataEncryption=true;
bootPassword=clo760uds2caPe

Note: If you lose the boot password and the database is not currently booted, you will not be able to connect to the database anymore. (If you know the current boot password, you can change it. See Encrypting databases with a new key.)

Specifying an alternate encryption provider
You can specify an alternate provider when you create the database with the encryptionProvider=providerName attribute.
Specifying an alternate encryption algorithm
Derby supports the following encryption algorithms.

Parent topic: Working with encryption

Related concepts

Encrypting databases on creation

Booting an encrypted database