Specifying an alternate encryption algorithm

Derby supports the following encryption algorithms.

By Java convention, an encryption algorithm is specified like this:

algorithmName/feedbackMode/padding

The only feedback modes allowed are:

The only padding mode allowed is NoPadding.

By default, Derby uses the DES algorithm of DES/CBC/NoPadding.

To specify an alternate encryption algorithm when you create a database, use the encryptionAlgorithm=algorithm attribute. If the algorithm you specify is not supported by the provider you have specified, Derby throws an exception.

To specify the AES encryption algorithm with a key length other than the default of 128, specify the encryptionKeyLength attribute. For example, you might specify the following connection attributes:

jdbc:derby:encdbcbc_192;create=true;dataEncryption=true;
encryptionKeyLength=192;encryptionAlgorithm=AES/CBC/NoPadding;
bootPassword=Thursday

To use the AES algorithm with a key length of 192 or 256, you must use unrestricted policy jar files for your JRE. You can obtain these files from your Java provider. They might have a name like "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files." If you specify a non-default key length using the default policy jar files, a Java exception occurs.

Related concepts
Encrypting databases on creation
Specifying an alternate encryption provider