Decrypting an encrypted database

You can return an encrypted database to an unencrypted state by specifying attributes on the connection URL.

To decrypt an encrypted database, specify the decryptDatabase=true attribute in conjunction with either the bootPassword=key attribute or the encryptionKey=key attribute.

See the Derby Reference Manual for details on the connection URL attributes.

Recommendation: Ensure that you have enough free disk space before you decrypt a database. In addition to the disk space required for the unencrypted size of the database, temporary disk space is required to store the encrypted version of the data to restore the database to its encrypted state if the decryption is interrupted or returns errors. All of the temporary disk space is released back to the operating system after the database is decrypted.

You must shut down the database before you decrypt it. An attempt to decrypt a booted database has no effect.

If the database is configured with log archival, you must disable log archival in addition to shutting down the database before you can decrypt the database. You should also create a new backup of the database before you decrypt it, and create another after you decrypt it. For more information, see the section "Backing up and restoring databases" in the Derby Server and Administration Guide, particularly "Roll-forward recovery".

If any global transactions are in the prepared state after recovery, the database cannot be decrypted.

If authentication and SQL authorization are both enabled, the credentials of the database owner must be supplied as well, since decryption is a restricted operation.

After you decrypt the database, be sure to check for SQLWarnings. The decryption succeeded only if there were no SQLWarnings or SQLExceptions.

Parent topic: Working with encryption
Related concepts
Encrypting databases on creation
Related tasks
Encrypting an existing unencrypted database