You can encrypt an unencrypted Derby database by specifying attributes on the connection URL when you boot the database. The attributes that you specify depend on how you want the database encrypted.
When you encrypt an existing, unencrypted database, you can specify whether the database should be encrypted using a boot password (bootPassword=key) or an external encryption key (encryptionKey=key). You can also specify the encryptionProvider=providerName attribute and the encryptionAlgorithm=algorithm attribute on the connection URL. The database is configured with the specified encryption attributes, and all of the existing data in the database is encrypted.
See the Derby Reference Manual for details on the connection URL attributes.
Encrypting a database is a time-consuming process because it involves encrypting all of the existing data in the database. If the process is interrupted before completion, all the changes are rolled back the next time the database is booted. If the interruption occurs immediately after the database is encrypted but before the connection is returned to the application, you might not be able to boot the database without the boot password or external encryption key. In these rare circumstances, you should try to boot the database with the boot password or the external encryption key.
To encrypt an existing unencrypted database:
jdbc:derby:salesdb;dataEncryption=true;bootPassword=abc1234xyz
If authentication and SQL authorization are both enabled, the credentials of the database owner must be supplied as well, since encryption is a restricted operation.
If you disabled log archival before you encrypted the database, create a new backup of the database after the database is encrypted. For more information, see the section "Backing up and restoring databases" in the Derby Server and Administration Guide, particularly "Roll-forward recovery".
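The procedure above as a small JDBC program. This is an added example, not code from the Derby documentation: the class name EncryptSalesDb and the helper methods are hypothetical, and it assumes the embedded driver is on the classpath, that salesdb exists unencrypted in the working directory, and that authentication is not enabled. It passes the boot password in a Properties object instead of writing it into the URL string, then reboots the database to confirm that it no longer boots without the password.

```java
import java.io.Console;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

// Added example (hypothetical class): encrypt the existing salesdb database, then verify.
public class EncryptSalesDb {
    static final String DB_URL = "jdbc:derby:salesdb"; // database name from the page

    public static void main(String[] args) throws SQLException {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        String bootPassword = new String(console.readPassword("New boot password: "));

        shutdown(); // the encryption attributes are applied when the database is booted
        Properties encrypt = bootProps(bootPassword);
        encrypt.setProperty("dataEncryption", "true");
        // With authentication and SQL authorization enabled, also set "user" and
        // "password" here to the database owner's credentials.
        try (Connection c = DriverManager.getConnection(DB_URL, encrypt)) {
            System.out.println("Encrypted " + c.getMetaData().getURL());
        }

        shutdown();
        // Check 1: a boot without the password must now be refused.
        try (Connection c = DriverManager.getConnection(DB_URL)) {
            throw new IllegalStateException("database booted without a boot password");
        } catch (SQLException expected) {
            System.out.println("Boot without password refused, SQLState " + expected.getSQLState());
        }
        // Check 2: a boot with the password must succeed.
        try (Connection c = DriverManager.getConnection(DB_URL, bootProps(bootPassword))) {
            System.out.println("Boot with password succeeded");
        }
    }

    static Properties bootProps(String bootPassword) {
        Properties p = new Properties();
        p.setProperty("bootPassword", bootPassword);
        return p;
    }

    static void shutdown() {
        try {
            DriverManager.getConnection(DB_URL + ";shutdown=true");
        } catch (SQLException e) {
            // Derby reports a successful database shutdown as SQLState 08006.
            // Any other state (for example, the database was not booted) is reported and ignored.
            if (!"08006".equals(e.getSQLState())) System.out.println("Shutdown: " + e.getMessage());
        }
    }
}
```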