Is there a way to encrypt the odb file so that if hackers somehow steal it they cannot access the data without some kind of password?
I would imagine accessing the database from java could just have another connection parameter while accessing from explorer.jar/exe would need to prompt the user for a password for encrypted odb files.
The way to keep an ObjectDB database encrypted is simply to store it on an encrypted drive. Modern operating systems support encryption of complete drives, directories or files, and an ObjectDB database is an ordinary file.
If you are going to encrypt the ObjectDB database file, then for maximum performance use an SSD hard drive with built in hardware encryption ability. If your hard drive does not support hardware encryption prefer using a CPU that supports the AES instruction set.
What if you're using a hosting provider and hardware encryption is not up to you? Solutions like Bitlocker require you to keep the file or drive mounted and unlocked while in use. In this case if you're hosting a website that uses ObjectDB, the odb file is out in the open for anyone that has access to see. Alternatively, If someone were to break into their servers and take your odb file they'd pretty much have all your system data. This could be avoided if there was a password string in a java class (not in an xml/json/txt/etc) so that it's compiled and unreadable. Not sure what you can do about decompiling tools but this is surely better than nothing at all.
As you described well, an ObjectDB encrypted file with a password in an application Java class cannot be a perfect solution (it is very easy to generate a Java file from a class file and see the password, or run the application on another computer), but it may be better than nothing.
This is currently not supported by ObjectDB, but you may be able to achieve similar results (not very good but maybe better than nothing) by encryption files on your hosted dedicated server or VPS.
The ultimate solution to protect your data is to avoid an hosted server or VPS.
In which case objectdb will only be useful/secure for entities that have the capacity to implement their own hosting solution?
This is the wrong conclusion. The conclusion should be that a dedicated server or a VPS hosted by a third party is inappropriate when a very high data security is required and you cannot trust the hosting company, since there is no practical way to prevent access to your data even if you encrypt it, whether you use ObjectDB or any other DBMS.
As explained above, there is no real difference between internal ObjectDB encryption (which is currently not supported) to external file encryption, since in both cases your application is active with the password. An administrator can take a RAM snapshot of your application or your application communication with the database or with the users (before encryption) and get access to your data.
If you cannot trust your hosting company switch to another company or manage your own server, whether you use ObjectDB or not.
