Data-at-Rest Encryption in DuckDB
2 days ago
- #encryption
- #database
- #security
- DuckDB v1.4 introduces database encryption capabilities for data-at-rest using AES-GCM-256 and AES-CTR-256.
- Encryption in DuckDB includes main database headers, blocks, write-ahead logs (WAL), and temporary files.
- Key management involves deriving secure keys from user-provided keys and storing them securely in memory.
- Performance impact of encryption is minimal, especially when using OpenSSL with hardware acceleration.
- DuckDB supports encrypting existing databases, creating new encrypted databases, and re-encrypting databases.
- Encryption enhances security for deployment models like CDN distribution and cloud storage.
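
The three workflows in the list above (creating a new encrypted database, encrypting an existing one, and re-encrypting under a different key), sketched as an added example that is not taken from the DuckDB post. It assumes DuckDB v1.4 or later and uses the `ENCRYPTION_KEY` option of `ATTACH` together with `COPY FROM DATABASE`; all file names, aliases and key strings are constructed placeholders.

```sql
-- Added example: file names, aliases and key strings are constructed placeholders.

-- Sample plaintext database to work from (constructed data).
ATTACH 'plain.duckdb' AS plain;
CREATE TABLE plain.events (id INTEGER, payload VARCHAR);
INSERT INTO plain.events VALUES (1, 'constructed sample row');

-- 1. Create a new encrypted database: the key is supplied at ATTACH time,
--    and the file is encrypted from its first write.
ATTACH 'fresh_encrypted.duckdb' AS fresh (ENCRYPTION_KEY 'placeholder-key-A');
CREATE TABLE fresh.audit (ts TIMESTAMP, msg VARCHAR);

-- 2. Encrypt an existing database: attach an empty encrypted target and
--    copy the plaintext database into it.
ATTACH 'events_encrypted.duckdb' AS enc (ENCRYPTION_KEY 'placeholder-key-B');
COPY FROM DATABASE plain TO enc;

-- 3. Re-encrypt under a different key: same copy, but the source is
--    already encrypted and the target is attached with the new key.
ATTACH 'events_rotated.duckdb' AS rotated (ENCRYPTION_KEY 'placeholder-key-C');
COPY FROM DATABASE enc TO rotated;

-- Confirm the rotated copy holds the data, then list what is attached.
SELECT count(*) AS copied_rows FROM rotated.events;
SELECT * FROM duckdb_databases();

-- Release the file handles. The plaintext source and the copy under the old
-- key still exist on disk and must be removed separately once the new file
-- has been verified.
DETACH plain;
DETACH enc;
DETACH rotated;
```

Key literals typed into SQL can end up in shell history and query logs, so in practice the key is better supplied by the calling application than written into a script.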