Booting an encrypted database

If you create an encrypted database using the bootPassword attribute, you must specify the boot password to reboot the database. If you create an encrypted database using the encryptionKey attribute, you must specify the encryptionKey to reboot the database.

Encrypted databases cannot be booted automatically along with all other system databases on system startup (see "derby.system.bootAll" in Tuning Derby). Instead, you boot encrypted databases when you first connect to the database.

Booting a database with the bootPassword attribute
To access an encrypted database called wombat that was created with the boot password clo760uds2caPe, use the following connection URL:
jdbc:derby:wombat;bootPassword=clo760uds2caPe
Booting a database with the encryptionKey attribute
To access an encrypted database called flintstone that was created with the encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and with the encryptionAlgorithm=AES/CBC/NoPadding, use the following connection URL:
jdbc:derby:flintstone;encryptionAlgorithm=AES/CBC/NoPadding;
encryptionKey=c566bab9ee8b62a5ddb4d9229224c678  

After the database is booted, all connections can access the database without the boot password. Only a connection that boots the database requires the key.

For example, the following connections would boot the database and require the boot password or encryption key, depending on what mechanism was used to encrypt the database originally:
Note: The boot password and the encryption key are not meant to prevent unauthorized connections to the database after the database is booted. To protect a database after it has been booted, turn on user authentication (see Working with user authentication).
Related concepts
Encrypting databases on creation
Creating the boot password
Changing the boot password
Related tasks
Encrypting an existing unencrypted database
Encrypting databases with a new boot password
Encrypting databases with a new external encryption key