DuckLake supports an encrypted mode.
In this mode, all files that are written to the data directory are encrypted using Parquet encryption.
In order to use this mode, the ENCRYPTED flag must be passed when initializing the DuckLake catalog:
ATTACH 'ducklake:encrypted.ducklake'
(DATA_PATH 'untrusted_location/', ENCRYPTED);
When enabled, all Parquet files that are written as part of DuckLake operations are automatically encrypted.
The encryption keys for each file are automatically generated by the system when the files are written.
New encryption keys are automatically generated for each write operation, so that each file is encrypted using its own encryption key.
The generated keys are stored in the catalog, in the encryption_key field of the ducklake_data_file table.
When data is read from the encrypted files, the keys are read from the catalog server and automatically used to decrypt the files. This allows encrypted DuckLake databases to be interacted with in exactly the same manner as unencrypted databases.
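Because the keys live in the catalog, the catalog is where encryption coverage can be checked. The script below is an added example, not part of the DuckLake documentation: it audits the encryption_key field of ducklake_data_file for files that have no key and for keys shared by more than one file. It assumes an SQLite-backed catalog, the column names data_file_id and path, and a text-typed key column; the in-memory table and its rows are constructed sample data.

```python
import sqlite3

def build_sample_catalog():
    """Constructed stand-in for a catalog: only the columns this audit reads."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ducklake_data_file ("
        "data_file_id INTEGER PRIMARY KEY, path TEXT, encryption_key TEXT)"
    )
    # Constructed rows; the key strings are placeholders, not real key material.
    con.executemany(
        "INSERT INTO ducklake_data_file VALUES (?, ?, ?)",
        [
            (1, "main/t/a.parquet", "constructed-key-1"),
            (2, "main/t/b.parquet", "constructed-key-2"),
            (3, "main/t/c.parquet", None),
            (4, "main/t/d.parquet", "constructed-key-3"),
            (5, "main/t/e.parquet", "constructed-key-3"),
        ],
    )
    return con

def audit_encryption_keys(con):
    """Return files with no key and groups of files that share one key.

    Only paths are reported, so key material never reaches logs or output.
    """
    missing, by_key = [], {}
    rows = con.execute(
        "SELECT path, encryption_key FROM ducklake_data_file ORDER BY data_file_id"
    )
    for path, key in rows:
        if not key:  # NULL or empty: the file was written without a key
            missing.append(path)
        else:
            by_key.setdefault(key, []).append(path)
    reused = [paths for paths in by_key.values() if len(paths) > 1]
    return {"missing_key": missing, "reused_key": reused}

if __name__ == "__main__":
    report = audit_encryption_keys(build_sample_catalog())
    print("files without a key:", report["missing_key"])
    print("files sharing a key:", report["reused_key"])
```

Against a real catalog, pass a connection to the catalog database instead of the sample one; both lists should be empty for a DuckLake that has been encrypted since initialization.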