Encrypting databases with a new external encryption key

You can apply a new external encryption key to a Derby database by specifying the newEncryptionKey attribute on the connection URL when you boot the database.

If the database is configured with log archival for roll-forward recovery, you must disable log archival and perform a shutdown before you can encrypt the database with a new external encryption key.
If there are any global transaction that are in the prepared state after recovery, the database cannot be encrypted with a new encryption key.
If the database is currently encrypted with a boot password , you should use the newBootPassword attribute to encrypt the database.

To encrypt a database with a new external encryption key:

Specify the newEncryptionKey attribute in a URL and reboot the database. For example, when the following URL is used when the salesdb database is rebooted, the database is encrypted with the new encryption key 6862636465666768:

jdbc:derby:salesdb;encryptionKey=6162636465666768;newEncryptionKey=6862636465666768'

If authentication and SQL authorization are both enabled, the credentials of the database owner must be supplied as well, since encryption is a restricted operation.

If you disabled log archival before you applied the new encryption key, create a new backup of the database after the database is reconfigured with new the encryption key.