If you create an encrypted database using the
bootPassword=key attribute, you must specify the boot
password to reboot the database. If you create an encrypted database using the
encryptionKey=key attribute, you must specify the
encryption key to reboot the database.
Encrypted databases cannot be booted automatically along with all other
system databases on system startup (see "derby.system.bootAll"
in the Derby Reference Manual). Instead, you boot an
encrypted database when you first connect to the database.
- Booting a database with the bootPassword=key attribute
  To access an encrypted database called wombat that was
  created with the boot password clo760uds2caPe, use the
  following connection URL:
  jdbc:derby:wombat;bootPassword=clo760uds2caPe
- Booting a database with the encryptionKey=key attribute
  To access an encrypted database called flintstone that
  was created with the attributes
  encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and
  encryptionAlgorithm=AES/CBC/NoPadding, use the following
  connection URL:
  jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678
After the database is booted, all connections can access the database without
the boot password or encryption key. Only a connection that boots the database
requires the key.
For example, the following connections would boot the database and require
the boot password or encryption key, depending on what mechanism was used to
encrypt the database originally:
- The first connection to the database in the JVM session
- The first connection to the database after the database has been explicitly
shut down
- The first connection to the database after the system has been shut down and
then rebooted
Note: The boot password and the encryption key are not meant to prevent
unauthorized connections to the database after the database is booted. To
protect a database after it has been booted, turn on user authentication (see
Configuring user authentication).
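
The boot behavior described above, as an added Java example (not code from the Derby documentation). It assumes the wombat database from this page already exists in the Derby system directory, that no user authentication is configured, and that the boot password is supplied in an environment variable named DERBY_BOOT_PASSWORD (a hypothetical name); the password is passed as a connection property instead of in the URL so that it does not appear wherever the URL is logged.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class BootEncryptedDb {
    // Database name taken from the page; assumed to exist and to have been
    // created with the bootPassword attribute.
    static final String URL = "jdbc:derby:wombat";

    public static void main(String[] args) throws SQLException {
        // Assumption: hypothetical environment variable holding the boot password.
        String bootPassword = System.getenv("DERBY_BOOT_PASSWORD");
        if (bootPassword == null) {
            throw new IllegalStateException("DERBY_BOOT_PASSWORD is not set");
        }

        // 1. The first connection in this JVM boots the database, so it must
        //    supply the boot password (here as a property, not in the URL).
        Properties boot = new Properties();
        boot.setProperty("bootPassword", bootPassword);
        try (Connection c = DriverManager.getConnection(URL, boot)) {
            System.out.println("booted with boot password: " + !c.isClosed());
        }

        // 2. The database stays booted, so a later connection needs no key.
        try (Connection c = DriverManager.getConnection(URL)) {
            System.out.println("second connection, no boot password: " + !c.isClosed());
        }

        // 3. Explicit shutdown. Derby reports a successful single-database
        //    shutdown by throwing an SQLException (SQLState 08006).
        try {
            DriverManager.getConnection(URL + ";shutdown=true");
        } catch (SQLException e) {
            System.out.println("shutdown: SQLState " + e.getSQLState());
        }

        // 4. The next connection has to boot the database again; without the
        //    boot password the boot is refused.
        try (Connection c = DriverManager.getConnection(URL)) {
            System.out.println("unexpected: booted without the boot password");
        } catch (SQLException e) {
            System.out.println("boot refused without boot password: SQLState " + e.getSQLState());
        }
    }
}
```

For a database created with the encryptionKey attribute, such as flintstone above, set the encryptionKey property in place of bootPassword.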