Data Encryption in Derby with Spring Boot Applications

September 30, 2025

#1

This guide shows how to enable data encryption in Apache Derby when used with Spring Boot applications to protect sensitive data.

1. Add Dependencies

In pom.xml:

<dependency>
  <groupId>org.apache.derby</groupId>
  <artifactId>derby</artifactId>
  <scope>runtime</scope>
</dependency>

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>

2. Create Encrypted Database

Run Derby with database encryption enabled:

java -cp $DERBY_HOME/lib/derby.jar org.apache.derby.tools.ij

Inside IJ tool:

CONNECT 'jdbc:derby:encryptedDB;create=true;dataEncryption=true;bootPassword=MySecretKey123';

This creates an encrypted Derby database.

3. Configure Spring Boot

In application.properties:

spring.datasource.url=jdbc:derby:encryptedDB;dataEncryption=true;bootPassword=MySecretKey123
spring.datasource.driver-class-name=org.apache.derby.jdbc.EmbeddedDriver
spring.jpa.hibernate.ddl-auto=update

The bootPassword is required to unlock the encrypted DB on startup.

4. Create Entity

import jakarta.persistence.*;

@Entity
public class SecretNote {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String title;
    private String message;

    // getters and setters
}

5. Repository

import org.springframework.data.jpa.repository.JpaRepository;

public interface SecretNoteRepository extends JpaRepository<SecretNote, Long> {
}

6. REST Controller

import org.springframework.web.bind.annotation.*;
import java.util.List;

@RestController
@RequestMapping("/notes")
public class SecretNoteController {
    private final SecretNoteRepository repo;

    public SecretNoteController(SecretNoteRepository repo) {
        this.repo = repo;
    }

    @PostMapping
    public SecretNote add(@RequestBody SecretNote note) {
        return repo.save(note);
    }

    @GetMapping
    public List<SecretNote> all() {
        return repo.findAll();
    }
}

7. Test Encrypted DB

Run Spring Boot:

mvn spring-boot:run

Derby will require the bootPassword and use encryption for all stored data.