DuckLake supports an encrypted mode.
In this mode, all files that are written to the data directory are encrypted using Parquet encryption.
To use this mode, the ENCRYPTED flag must be passed when initializing the DuckLake catalog:
ATTACH 'ducklake:encrypted.ducklake'
(DATA_PATH 'untrusted_location/', ENCRYPTED);
When enabled, all Parquet files that are written as part of DuckLake operations are automatically encrypted.
The encryption keys for each file are automatically generated by the system when the files are written.
A new encryption key is generated for every write operation, so each file is encrypted with its own key.
The generated keys are stored in the catalog, in the encryption_key field of the ducklake_data_file table.
When data is read from the encrypted files, the keys are fetched from the catalog and used to decrypt the files automatically. Encrypted DuckLake databases can therefore be queried in exactly the same manner as unencrypted ones.
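The following is an added example, not taken from the DuckLake documentation, that walks through the workflow above: it attaches an encrypted lake, performs two separate writes, and then inspects the per-file keys recorded in the catalog. It assumes a DuckDB-backed metadata catalog that is visible under the attached name __ducklake_metadata_lake, and that ducklake_data_file exposes data_file_id and path columns alongside encryption_key.

```sql
-- Added example (not the DuckLake project's own code).
INSTALL ducklake;
LOAD ducklake;

-- The catalog file holds every data-file key, so it belongs on trusted storage;
-- DATA_PATH may point at a location you do not fully trust, as in the docs.
ATTACH 'ducklake:encrypted.ducklake' AS lake
    (DATA_PATH 'untrusted_location/', ENCRYPTED);

CREATE TABLE lake.events (id INTEGER, msg VARCHAR);

-- Two separate write operations produce two Parquet files, each with its own key.
INSERT INTO lake.events VALUES (1, 'first write');
INSERT INTO lake.events VALUES (2, 'second write');

-- Inspect the keys the system generated. The metadata catalog name
-- (__ducklake_metadata_lake) and the data_file_id/path columns are assumptions.
SELECT data_file_id,
       path,
       encryption_key IS NOT NULL                         AS has_key,
       COUNT(*) OVER (PARTITION BY encryption_key)        AS files_sharing_key
FROM __ducklake_metadata_lake.ducklake_data_file
ORDER BY data_file_id;
-- Expected: two rows, has_key = true for both, files_sharing_key = 1 for both,
-- i.e. no two files share a key.

-- Reading through the catalog is transparent: keys are looked up and applied
-- automatically, exactly as with an unencrypted lake.
SELECT * FROM lake.events ORDER BY id;

-- Operational check: anyone who can read the catalog can read the data, so
-- audit who has access to encrypted.ducklake rather than only to DATA_PATH.
```

If the metadata catalog is attached under a different name in your deployment, replace __ducklake_metadata_lake with that name; the query is otherwise unchanged.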