Encrypting an existing unencrypted database

You can encrypt an unencrypted Derby database by specifying attributes on the connection URL when you boot the database. The attributes that you specify depend on how you want the database encrypted.

If the database is configured with log archival, you must disable log archival and perform a shutdown before you can encrypt the database.
If any global transactions are in the prepared state after recovery, the database cannot be encrypted.

When you encrypt an existing, unencrypted database, you can specify whether the database should be encrypted using a boot password (bootPassword=key) or an external encryption key (encryptionKey=key). You can also specify the encryptionProvider=providerName attribute and the encryptionAlgorithm=algorithm attribute on the connection URL. The database is configured with the specified encryption attributes, and all of the existing data in the database is encrypted.

See the Derby Reference Manual for details on the connection URL attributes.

Encrypting a database is a time-consuming process because it involves encrypting all of the existing data in the database. If the process is interrupted before completion, all the changes are rolled back the next time the database is booted. If the interruption occurs immediately after the database is encrypted but before the connection is returned to the application, you might not be able to boot the database without the boot password or external encryption key. In these rare circumstances, you should try to boot the database with the boot password or the external encryption key.

Recommendation: Ensure that you have enough free disk space before you encrypt a database. In addition to the disk space required for the current size of the database, temporary disk space is required to store the old version of the data to restore the database back to its original state if the encryption is interrupted or returns errors. All of the temporary disk space is released back to the operating system after the database is encrypted.

To encrypt an existing unencrypted database:

Specify the dataEncryption=true attribute and either the encryptionKey=key attribute or the bootPassword=key attribute in a connection URL and boot the database. For example, to encrypt the salesdb database with the boot password abc1234xyz, specify the following attributes in the URL:

jdbc:derby:salesdb;dataEncryption=true;bootPassword=abc1234xyz

If authentication and SQL authorization are both enabled, the credentials of the database owner must be supplied as well, since encryption is a restricted operation.

After you encrypt an existing, unencrypted database, be sure to check for SQLWarnings. The encryption succeeded only if there were no SQLWarnings or SQLExceptions.

If you disabled log archival before you encrypted the database, create a new backup of the database after the database is encrypted. For more information, see the section "Backing up and restoring databases" in the Derby Server and Administration Guide, particularly "Roll-forward recovery".