If you create an encrypted database using the bootPassword=key
attribute, you must specify the boot password to reboot the database. If you
create an encrypted database using the encryptionKey=key attribute, you
must specify the encryption key to reboot the database.
Encrypted databases cannot be booted automatically along with all other
system databases on system startup (see "derby.system.bootAll" in the
Derby Reference Manual). Instead, you boot an encrypted
database when you first connect to the database.
- Booting a database with the bootPassword=key attribute
  To access an encrypted database called wombat that was
  created with the boot password clo760uds2caPe, use the following
  connection URL:
    jdbc:derby:wombat;bootPassword=clo760uds2caPe
- Booting a database with the encryptionKey=key attribute
  To access an encrypted database called flintstone that
  was created with the attributes
  encryptionKey=c566bab9ee8b62a5ddb4d9229224c678 and
  encryptionAlgorithm=AES/CBC/NoPadding, use the following
  connection URL:
    jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678
After the database is booted, all connections can access the database without
the boot password or encryption key. Only a connection that boots the database
requires it.
For example, the following connections would boot the database and require
the boot password or encryption key, depending on what mechanism was used
to encrypt the database originally:
- The first connection to the database in the JVM session
- The first connection to the database after the database has been explicitly
shut down
- The first connection to the database after the system has been shut down
and then rebooted
Note: The boot password and the encryption key are not meant to prevent unauthorized
connections to the database after the database is booted. To protect a database
after it has been booted, turn on user authentication (see
Working with user authentication).
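
The boot behavior described above, as an added example that is not part of the original Derby documentation. It assumes the embedded Derby driver is on the classpath, reuses the sample database name and boot password from the text, and passes the attributes as a Properties object so the password does not appear in the URL string; the create and dataEncryption attributes are added here only so the example can create the database on its first run.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class BootEncryptedDb {
    // Sample database name and boot password taken from the text above.
    static final String URL = "jdbc:derby:wombat";
    static final String BOOT_PASSWORD = "clo760uds2caPe";

    public static void main(String[] args) throws SQLException {
        // Connection attributes supplied as Properties instead of in the URL.
        Properties boot = new Properties();
        boot.setProperty("bootPassword", BOOT_PASSWORD);
        // Assumption for a self-contained run: create the encrypted
        // database if it does not exist yet.
        boot.setProperty("create", "true");
        boot.setProperty("dataEncryption", "true");

        // First connection in this JVM session: boots the database,
        // so it must carry the boot password.
        try (Connection first = DriverManager.getConnection(URL, boot)) {
            System.out.println("booted with bootPassword");

            // Database is already booted: no boot password is needed.
            // This is why user authentication is required to protect it.
            try (Connection second = DriverManager.getConnection(URL)) {
                System.out.println("second connection opened without bootPassword");
            }
        }

        // Explicitly shut down this one database. Derby reports a
        // successful single-database shutdown as SQLState 08006.
        try {
            DriverManager.getConnection(URL + ";shutdown=true");
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e;
        }

        // First connection after shutdown has to boot again, so a
        // connection without the boot password is refused.
        try (Connection c = DriverManager.getConnection(URL)) {
            System.out.println("unexpected: booted without bootPassword");
        } catch (SQLException e) {
            System.out.println("boot refused, SQLState " + e.getSQLState());
        }
    }
}
```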