If a database is shutdown and booted with (re)encryption,
the (re)encryption boot will silently fail (i.e. no (re)encryption takes place), if another
connection has booted the database in the meantime.
Presumably, if the database was encrypted at creation time, only the dba will
have the bootpassword and the above scenario is less likely.
If it was created unencrypted, is is more of a hole, IMHO: Any other connection
can then foil the encryption boot, even one which can not be authenticated,
DERBY-2407. To further exacerbate this issue; when the database is shutdown
and rebooted, using the boot password supplied (and the database was not encrypted),
no error is given, since a boot password is not required. This can lull a dba
into thinking the encryption took place!
We may want to generate a warning or an error in these cases.
This issue may affect upgrade boots as well?