You can apply a new external encryption key to a Derby database by specifying the newEncryptionKey attribute on the connection URL when you boot the database.
To encrypt a database with a new external encryption key:
jdbc:derby:salesdb;encryptionKey=6162636465666768;newEncryptionKey=6862636465666768'
If authentication and SQL authorization are both enabled, the credentials of the database owner must be supplied as well, since encryption is a restricted operation.
If you disabled log archival before you applied the new encryption key, create a new backup of the database after the database is reconfigured with new the encryption key.