duckdb · Mytherin · Jun 26, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025
diff --git a/src/catalog/duck_catalog.cpp b/src/catalog/duck_catalog.cpp
@@ -173,4 +173,23 @@ optional_idx DuckCatalog::GetCatalogVersion(ClientContext &context) {
 	return transaction_manager.GetCatalogVersion(*transaction.transaction);
 }
 
+//===--------------------------------------------------------------------===//
+// Encryption
+//===--------------------------------------------------------------------===//
+void DuckCatalog::SetEncryptionKeyId(const string &key_id) {
+	encryption_key_id = key_id;
+}
+
+string &DuckCatalog::GetEncryptionKeyId() {
+	return encryption_key_id;
+}
+
+void DuckCatalog::SetIsEncrypted() {
+	is_encrypted = true;
+}
+
+bool DuckCatalog::GetIsEncrypted() {
+	return is_encrypted;
+}
+
 } // namespace duckdb
diff --git a/src/common/encryption_functions.cpp b/src/common/encryption_functions.cpp
@@ -1,3 +1,4 @@
+#include "duckdb/common/exception/conversion_exception.hpp"
 #include "duckdb/common/encryption_key_manager.hpp"
 #include "duckdb/common/encryption_functions.hpp"
 #include "duckdb/main/attached_database.hpp"
@@ -13,7 +14,7 @@ const_data_ptr_t EncryptionEngine::GetKeyFromCache(DatabaseInstance &db, const s
 	return keys.GetKey(key_name);
 }
 
-bool EncryptionEngine::ContainsKey(DatabaseInstance &db, const string &key_name) const {
+bool EncryptionEngine::ContainsKey(DatabaseInstance &db, const string &key_name) {
 	auto &keys = EncryptionKeyManager::Get(db);
 	return keys.HasKey(key_name);
 }

diff --git a/src/common/encryption_key_manager.cpp b/src/common/encryption_key_manager.cpp
@@ -39,9 +39,9 @@ void EncryptionKey::LockEncryptionKey(data_ptr_t key, idx_t key_len) {
 void EncryptionKey::UnlockEncryptionKey(data_ptr_t key, idx_t key_len) {
 	memset(key, 0, key_len);
 #if defined(_WIN32)
-	VirtualUnlock(static_cast<void *>(&key[0]), key_len);
+	VirtualUnlock(key, key_len);
 #else
-	munlock(static_cast<void *>(&key[0]), key_len);
+	munlock(key, key_len);
 #endif
 }
 
@@ -88,15 +88,20 @@ void EncryptionKeyManager::DeleteKey(const string &key_name) {
 	derived_keys.erase(key_name);
 }
 
-void EncryptionKeyManager::KeyDerivationFunctionSHA256(const string &user_key, data_ptr_t salt,
+void EncryptionKeyManager::KeyDerivationFunctionSHA256(const_data_ptr_t key, idx_t key_size, data_ptr_t salt,
                                                        data_ptr_t derived_key) {
 	//! For now, we are only using SHA256 for key derivation
 	duckdb_mbedtls::MbedTlsWrapper::SHA256State state;
 	state.AddSalt(salt, MainHeader::SALT_LEN);
-	state.AddBytes(duckdb::data_ptr_t(reinterpret_cast<const uint8_t *>(user_key.data())), user_key.size());
+	state.AddBytes(key, key_size);
 	state.FinalizeDerivedKey(derived_key);
 }
 
+void EncryptionKeyManager::KeyDerivationFunctionSHA256(data_ptr_t user_key, idx_t user_key_size, data_ptr_t salt,
+                                                       data_ptr_t derived_key) {
+	KeyDerivationFunctionSHA256(reinterpret_cast<const_data_ptr_t>(user_key), user_key_size, salt, derived_key);
+}
+
 string EncryptionKeyManager::Base64Decode(const string &key) {
 	auto result_size = Blob::FromBase64Size(key);
 	auto output = duckdb::unique_ptr<unsigned char[]>(new unsigned char[result_size]);
@@ -117,7 +122,8 @@ void EncryptionKeyManager::DeriveKey(string &user_key, data_ptr_t salt, data_ptr
 		decoded_key = user_key;
 	}
 
-	KeyDerivationFunctionSHA256(decoded_key, salt, derived_key);
+	KeyDerivationFunctionSHA256(reinterpret_cast<const_data_ptr_t>(decoded_key.data()), decoded_key.size(), salt,
+	                            derived_key);
 
 	// wipe the original and decoded key
 	std::fill(user_key.begin(), user_key.end(), 0);

diff --git a/src/common/settings.json b/src/common/settings.json
@@ -853,6 +853,12 @@
             "user"
         ]
     },
+    {
+        "name": "wal_encryption",
+        "description": "Encrypt the WAL if the database is encrypted",
+        "type": "BOOLEAN",
+        "scope": "global"
+    },
     {
         "name": "zstd_min_string_length",
         "description": "The (average) length at which to enable ZSTD compression, defaults to 4096",

diff --git a/src/include/duckdb/catalog/catalog.hpp b/src/include/duckdb/catalog/catalog.hpp
@@ -107,6 +107,7 @@ class Catalog {
 	virtual bool IsDuckCatalog() {
 		return false;
 	}
+
 	virtual void Initialize(bool load_builtin) = 0;
 	virtual void Initialize(optional_ptr<ClientContext> context, bool load_builtin);
 	virtual void FinalizeLoad(optional_ptr<ClientContext> context);

diff --git a/src/include/duckdb/catalog/duck_catalog.hpp b/src/include/duckdb/catalog/duck_catalog.hpp
@@ -21,6 +21,7 @@ class DuckCatalog : public Catalog {
 public:
 	bool IsDuckCatalog() override;
 	void Initialize(bool load_builtin) override;
+
 	string GetCatalogType() override {
 		return "duckdb";
 	}
@@ -29,6 +30,12 @@ class DuckCatalog : public Catalog {
 		return write_lock;
 	}
 
+	// Encryption Functions
+	void SetEncryptionKeyId(const string &key_id);
+	string &GetEncryptionKeyId();
+	void SetIsEncrypted();
+	bool GetIsEncrypted();
+
 public:
 	DUCKDB_API optional_ptr<CatalogEntry> CreateSchema(CatalogTransaction transaction, CreateSchemaInfo &info) override;
 	DUCKDB_API void ScanSchemas(ClientContext &context, std::function<void(SchemaCatalogEntry &)> callback) override;
@@ -79,6 +86,11 @@ class DuckCatalog : public Catalog {
 	mutex write_lock;
 	//! The catalog set holding the schemas
 	unique_ptr<CatalogSet> schemas;
+
+	//! Identifies whether the db is encrypted
+	bool is_encrypted = false;
+	//! If is encrypted, store the encryption key_id
+	string encryption_key_id;
 };
 
 } // namespace duckdb
diff --git a/src/include/duckdb/common/encryption_functions.hpp b/src/include/duckdb/common/encryption_functions.hpp
@@ -18,12 +18,14 @@ class EncryptionEngine {
 	~EncryptionEngine();
 
 public:
+	//! General key management wrapper functions
 	static const_data_ptr_t GetKeyFromCache(DatabaseInstance &db, const string &key_name);
-	bool ContainsKey(DatabaseInstance &db, const string &key_name) const;
+	static bool ContainsKey(DatabaseInstance &db, const string &key_name);
 	static void AddKeyToCache(DatabaseInstance &db, data_ptr_t key, const string &key_name, bool wipe = true);
 	static string AddKeyToCache(DatabaseInstance &db, data_ptr_t key);
 	static void AddTempKeyToCache(DatabaseInstance &db);
 
+	//! Encryption Functions
 	static void EncryptBlock(DatabaseInstance &db, const string &key_id, FileBuffer &block,
 	                         FileBuffer &temp_buffer_manager, uint64_t delta);
 	static void DecryptBlock(DatabaseInstance &db, const string &key_id, data_ptr_t internal_buffer,

diff --git a/src/include/duckdb/common/encryption_key_manager.hpp b/src/include/duckdb/common/encryption_key_manager.hpp
@@ -36,12 +36,12 @@ class EncryptionKey {
 		return key;
 	}
 
-private:
-	data_t key[MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH];
-
-private:
+public:
 	static void LockEncryptionKey(data_ptr_t key, idx_t key_len = MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
 	static void UnlockEncryptionKey(data_ptr_t key, idx_t key_len = MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+
+private:
+	data_t key[MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH];
 };
 
 class EncryptionKeyManager : public ObjectCacheEntry {
@@ -62,9 +62,13 @@ class EncryptionKeyManager : public ObjectCacheEntry {
 	string GetObjectType() override;
 
 public:
-	static string Base64Decode(const string &key);
+public:
 	static void DeriveKey(string &user_key, data_ptr_t salt, data_ptr_t derived_key);
-	static void KeyDerivationFunctionSHA256(const string &user_key, data_ptr_t salt, data_ptr_t derived_key);
+	static void KeyDerivationFunctionSHA256(const_data_ptr_t user_key, idx_t user_key_size, data_ptr_t salt,
+	                                        data_ptr_t derived_key);
+	static void KeyDerivationFunctionSHA256(data_ptr_t user_key, idx_t user_key_size, data_ptr_t salt,
+	                                        data_ptr_t derived_key);
+	static string Base64Decode(const string &key);
 	static string GenerateRandomKeyID();
 
 public:

diff --git a/src/include/duckdb/main/config.hpp b/src/include/duckdb/main/config.hpp
@@ -268,6 +268,8 @@ struct DBConfigOptions {
 	string custom_user_agent;
 	//! Use old implicit casting style (i.e. allow everything to be implicitly casted to VARCHAR)
 	bool old_implicit_casting = false;
+	//!  By default, WAL is encrypted for encrypted databases
+	bool wal_encryption = true;
 	//! The default block allocation size for new duckdb database files (new as-in, they do not yet exist).
 	idx_t default_block_alloc_size = DUCKDB_BLOCK_ALLOC_SIZE;
 	//! The default block header size for new duckdb database files.

diff --git a/src/include/duckdb/main/settings.hpp b/src/include/duckdb/main/settings.hpp
@@ -24,7 +24,7 @@ enum class SettingScope : uint8_t {
 	GLOBAL,
 	//! Setting is from the local Setting scope
 	LOCAL,
-	//! Setting was not feteched from settings, but it was fetched from a secret instead
+	//! Setting was not fetched from settings, but it was fetched from a secret instead
 	SECRET,
 	//! The setting was not found or invalid in some other way
 	INVALID
@@ -1282,6 +1282,16 @@ struct UsernameSetting {
 	static Value GetSetting(const ClientContext &context);
 };
 
+struct WalEncryptionSetting {
+	using RETURN_TYPE = bool;
+	static constexpr const char *Name = "wal_encryption";
+	static constexpr const char *Description = "Encrypt the WAL if the database is encrypted";
+	static constexpr const char *InputType = "BOOLEAN";
+	static void SetGlobal(DatabaseInstance *db, DBConfig &config, const Value &parameter);
+	static void ResetGlobal(DatabaseInstance *db, DBConfig &config);
+	static Value GetSetting(const ClientContext &context);
+};
+
 struct ZstdMinStringLengthSetting {
 	using RETURN_TYPE = idx_t;
 	static constexpr const char *Name = "zstd_min_string_length";

diff --git a/src/include/duckdb/storage/single_file_block_manager.hpp b/src/include/duckdb/storage/single_file_block_manager.hpp
@@ -133,6 +133,11 @@ class SingleFileBlockManager : public BlockManager {
 	static void StoreSalt(MainHeader &main_header, data_ptr_t salt);
 	void StoreEncryptionMetadata(MainHeader &main_header) const;
 
+	//! Check and adding Encryption Keys
+	void CheckAndAddEncryptionKey(MainHeader &main_header, string &user_key);
+	void CheckAndAddEncryptionKey(MainHeader &main_header);
+	void CheckAndAddEncryptionKey(MainHeader &main_header, DBConfigOptions &config_options);
+
 	//! Return the blocks to which we will write the free list and modified blocks
 	vector<MetadataHandle> GetFreeListBlocks();
 	void TrimFreeBlocks();

diff --git a/src/include/duckdb/storage/write_ahead_log.hpp b/src/include/duckdb/storage/write_ahead_log.hpp
@@ -69,6 +69,9 @@ class WriteAheadLog {
 
 	void WriteVersion();
 
+	//! Determines if WAL should be encrypted
+	bool IsEncrypted() const;
+
 	virtual void WriteCreateTable(const TableCatalogEntry &entry);
 	void WriteDropTable(const TableCatalogEntry &entry);
 

diff --git a/src/main/config.cpp b/src/main/config.cpp
@@ -178,6 +178,7 @@ static const ConfigurationOption internal_options[] = {
     DUCKDB_GLOBAL_ALIAS("worker_threads", ThreadsSetting),
     DUCKDB_GLOBAL(UsernameSetting),
     DUCKDB_GLOBAL_ALIAS("user", UsernameSetting),
+    DUCKDB_GLOBAL(WalEncryptionSetting),
     DUCKDB_GLOBAL(ZstdMinStringLengthSetting),
     FINAL_SETTING};
 

diff --git a/src/main/settings/autogenerated_settings.cpp b/src/main/settings/autogenerated_settings.cpp
@@ -1179,6 +1179,22 @@ Value SchedulerProcessPartialSetting::GetSetting(const ClientContext &context) {
 	return Value::BOOLEAN(config.options.scheduler_process_partial);
 }
 
+//===----------------------------------------------------------------------===//
+// Wal Encryption
+//===----------------------------------------------------------------------===//
+void WalEncryptionSetting::SetGlobal(DatabaseInstance *db, DBConfig &config, const Value &input) {
+	config.options.wal_encryption = input.GetValue<bool>();
+}
+
+void WalEncryptionSetting::ResetGlobal(DatabaseInstance *db, DBConfig &config) {
+	config.options.wal_encryption = DBConfig().options.wal_encryption;
+}
+
+Value WalEncryptionSetting::GetSetting(const ClientContext &context) {
+	auto &config = DBConfig::GetConfig(context);
+	return Value::BOOLEAN(config.options.wal_encryption);
+}
+
 //===----------------------------------------------------------------------===//
 // Zstd Min String Length
 //===----------------------------------------------------------------------===//