Creating the boot password

When you encrypt a database you must also specify a boot password, which is an alpha-numeric string used to generate the encryption key.

The length of the encryption key depends on the algorithm used:

AES (128, 192, and 256 bits)
DES (the default) (56 bits)
DESede (168 bits)
All other algorithms (128 bits)

Note: The boot password should have at least as many characters as number of bytes in the encryption key (56 bits=8 bytes, 168 bits=24 bytes, 128 bits=16 bytes). The minimum number of characters for the boot password allowed by Derby is eight.

It is a good idea not to use words that would be easily guessed, such as a login name or simple words or numbers. A bootPassword, like any password, should be a mix of numbers and upper- and lowercase letters.

You turn on and configure encryption and specify the corresponding boot password on the connection URL for a database when you create it:

jdbc:derby:encryptionDB1;create=true;dataEncryption=true;
    bootPassword=clo760uds2caPe

Note: If you lose the bootPassword and the database is not currently booted, you will not be able to connect to the database anymore. (If you know the current bootPassword, you can change it. See Changing the boot password.)

Specifying an alternate encryption provider
You can specify an alternate provider when you create the database with the encryptionProvider=providerName attribute.
Specifying an alternate encryption algorithm
Derby supports the following encryption algorithms.

Parent topic: Working with encryption

Related concepts

Encrypting databases on creation

Booting an encrypted database

Changing the boot password