duckdb · Mytherin · Jul 10, 2025 · Jun 16, 2025 · Jun 16, 2025 · Jun 18, 2025
diff --git a/src/common/encryption_functions.cpp b/src/common/encryption_functions.cpp
@@ -58,22 +58,18 @@ void EncryptionEngine::AddTempKeyToCache(DatabaseInstance &db) {
 void EncryptionEngine::EncryptBlock(DatabaseInstance &db, const string &key_id, FileBuffer &block,
                                     FileBuffer &temp_buffer_manager, uint64_t delta) {
 	data_ptr_t block_offset_internal = temp_buffer_manager.InternalBuffer();
+	auto encrypt_key = GetKeyFromCache(db, key_id);
+	auto encryption_state =
+	    db.GetEncryptionUtil()->CreateEncryptionState(encrypt_key, MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
 
-	auto encryption_state = db.GetEncryptionUtil()->CreateEncryptionState(GetKeyFromCache(db, key_id),
-	                                                                      MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
-
-	uint8_t tag[MainHeader::AES_TAG_LEN];
-	memset(tag, 0, MainHeader::AES_TAG_LEN);
-
-	//! a nonce is randomly generated for every block
-	uint8_t nonce[MainHeader::AES_IV_LEN];
-	memset(nonce, 0, MainHeader::AES_IV_LEN);
-	encryption_state->GenerateRandomData(static_cast<data_ptr_t>(nonce), MainHeader::AES_NONCE_LEN);
+	EncryptionTag tag;
+	EncryptionNonce nonce;
+	encryption_state->GenerateRandomData(nonce.data(), nonce.size());
 
 	//! store the nonce at the start of the block
-	memcpy(block_offset_internal, nonce, MainHeader::AES_NONCE_LEN);
-	encryption_state->InitializeEncryption(static_cast<data_ptr_t>(nonce), MainHeader::AES_NONCE_LEN,
-	                                       GetKeyFromCache(db, key_id), MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+	memcpy(block_offset_internal, nonce.data(), nonce.size());
+	encryption_state->InitializeEncryption(nonce.data(), nonce.size(), encrypt_key,
+	                                       MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
 
 	auto checksum_offset = block.InternalBuffer() + delta;
 	auto encryption_checksum_offset = block_offset_internal + delta;
@@ -87,30 +83,27 @@ void EncryptionEngine::EncryptBlock(DatabaseInstance &db, const string &key_id,
 	}
 
 	//! Finalize and extract the tag
-	aes_res = encryption_state->Finalize(block.InternalBuffer() + delta, 0, static_cast<data_ptr_t>(tag),
-	                                     MainHeader::AES_TAG_LEN);
+	aes_res = encryption_state->Finalize(block.InternalBuffer() + delta, 0, tag.data(), tag.size());
 
 	//! store the generated tag after consequetively the nonce
-	memcpy(block_offset_internal + MainHeader::AES_NONCE_LEN, tag, MainHeader::AES_TAG_LEN);
+	memcpy(block_offset_internal + nonce.size(), tag.data(), tag.size());
 }
 
 void EncryptionEngine::DecryptBlock(DatabaseInstance &db, const string &key_id, data_ptr_t internal_buffer,
                                     uint64_t block_size, uint64_t delta) {
 	//! initialize encryption state
-	auto encryption_state = db.GetEncryptionUtil()->CreateEncryptionState(GetKeyFromCache(db, key_id),
-	                                                                      MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+	auto decrypt_key = GetKeyFromCache(db, key_id);
+	auto encryption_state =
+	    db.GetEncryptionUtil()->CreateEncryptionState(decrypt_key, MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
 
-	//! load the stored nonce
-	uint8_t nonce[MainHeader::AES_IV_LEN];
-	memset(nonce, 0, MainHeader::AES_IV_LEN);
-	memcpy(nonce, internal_buffer, MainHeader::AES_NONCE_LEN);
-
-	//! load the tag for verification
-	uint8_t tag[MainHeader::AES_TAG_LEN];
-	memcpy(tag, internal_buffer + MainHeader::AES_NONCE_LEN, MainHeader::AES_TAG_LEN);
+	//! load the stored nonce and tag
+	EncryptionTag tag;
+	EncryptionNonce nonce;
+	memcpy(nonce.data(), internal_buffer, nonce.size());
+	memcpy(tag.data(), internal_buffer + nonce.size(), tag.size());
 
 	//! Initialize the decryption
-	encryption_state->InitializeDecryption(nonce, MainHeader::AES_NONCE_LEN, GetKeyFromCache(db, key_id),
+	encryption_state->InitializeDecryption(nonce.data(), nonce.size(), decrypt_key,
 	                                       MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
 
 	auto checksum_offset = internal_buffer + delta;
@@ -124,8 +117,80 @@ void EncryptionEngine::DecryptBlock(DatabaseInstance &db, const string &key_id,
 	}
 
 	//! check the tag
-	aes_res =
-	    encryption_state->Finalize(internal_buffer + delta, 0, static_cast<data_ptr_t>(tag), MainHeader::AES_TAG_LEN);
+	aes_res = encryption_state->Finalize(internal_buffer + delta, 0, tag.data(), tag.size());
+}
+
+void EncryptionEngine::EncryptTemporaryBuffer(DatabaseInstance &db, data_ptr_t buffer, idx_t buffer_size,
+                                              data_ptr_t metadata) {
+	if (!ContainsKey(db, "temp_key")) {
+		AddTempKeyToCache(db);
+	}
+
+	auto temp_key = GetKeyFromCache(db, "temp_key");
+
+	auto encryption_util = db.GetEncryptionUtil();
+	auto encryption_state = encryption_util->CreateEncryptionState(temp_key, MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+
+	// zero-out the metadata buffer
+	memset(metadata, 0, DEFAULT_ENCRYPTED_BUFFER_HEADER_SIZE);
+
+	EncryptionTag tag;
+	EncryptionNonce nonce;
+
+	encryption_state->GenerateRandomData(nonce.data(), nonce.size());
+
+	//! store the nonce at the start of metadata buffer
+	memcpy(metadata, nonce.data(), nonce.size());
+
+	encryption_state->InitializeEncryption(nonce.data(), nonce.size(), temp_key,
+	                                       MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+
+	auto aes_res = encryption_state->Process(buffer, buffer_size, buffer, buffer_size);
+
+	if (aes_res != buffer_size) {
+		throw IOException("Encryption failure: in- and output size differ");
+	}
+
+	//! Finalize and extract the tag
+	encryption_state->Finalize(buffer, 0, tag.data(), tag.size());
+
+	//! store the generated tag after consequetively the nonce
+	memcpy(metadata + nonce.size(), tag.data(), tag.size());
+
+	// check if tag is correctly stored
+	D_ASSERT(memcmp(tag.data(), metadata + nonce.size(), tag.size()) == 0);
+}
+
+void EncryptionEngine::DecryptBuffer(EncryptionState &encryption_state, const_data_ptr_t temp_key, data_ptr_t buffer,
+                                     idx_t buffer_size, data_ptr_t metadata) {
+	//! load the stored nonce and tag
+	EncryptionTag tag;
+	EncryptionNonce nonce;
+	memcpy(nonce.data(), metadata, nonce.size());
+	memcpy(tag.data(), metadata + nonce.size(), tag.size());
+
+	//! Initialize the decryption
+	encryption_state.InitializeDecryption(nonce.data(), nonce.size(), temp_key,
+	                                      MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+
+	auto aes_res = encryption_state.Process(buffer, buffer_size, buffer, buffer_size);
+
+	if (aes_res != buffer_size) {
+		throw IOException("Encryption failure: in- and output size differ");
+	}
+
+	//! check the tag
+	encryption_state.Finalize(buffer, 0, tag.data(), tag.size());
+}
+
+void EncryptionEngine::DecryptTemporaryBuffer(DatabaseInstance &db, data_ptr_t buffer, idx_t buffer_size,
+                                              data_ptr_t metadata) {
+	//! initialize encryption state
+	auto encryption_util = db.GetEncryptionUtil();
+	auto temp_key = GetKeyFromCache(db, "temp_key");
+	auto encryption_state = encryption_util->CreateEncryptionState(temp_key, MainHeader::DEFAULT_ENCRYPTION_KEY_LENGTH);
+
+	DecryptBuffer(*encryption_state, temp_key, buffer, buffer_size, metadata);
 }
 
 } // namespace duckdb
diff --git a/src/common/file_buffer.cpp b/src/common/file_buffer.cpp
@@ -33,10 +33,11 @@ void FileBuffer::Init() {
 	internal_size = 0;
 }
 
-FileBuffer::FileBuffer(FileBuffer &source, FileBufferType type_p) : allocator(source.allocator), type(type_p) {
+FileBuffer::FileBuffer(FileBuffer &source, FileBufferType type_p, idx_t block_header_size)
+    : allocator(source.allocator), type(type_p) {
 	// take over the structures of the source buffer
-	buffer = source.buffer;
-	size = source.size;
+	buffer = source.internal_buffer + block_header_size;
+	size = source.internal_size - block_header_size;
 	internal_buffer = source.internal_buffer;
 	internal_size = source.internal_size;
 
@@ -62,6 +63,7 @@ void FileBuffer::ReallocBuffer(idx_t new_size) {
 	if (!new_buffer) {
 		throw std::bad_alloc();
 	}
+
 	internal_buffer = new_buffer;
 	internal_size = new_size;
 

diff --git a/src/common/settings.json b/src/common/settings.json
@@ -842,6 +842,13 @@
         "scope": "global",
         "custom_implementation": true
     },
+    {
+        "name": "temp_file_encryption",
+        "description": "Encrypt all temporary files if database is encrypted",
+        "type": "BOOLEAN",
+        "scope": "global",
+        "custom_implementation": true
+    },
     {
         "name": "threads",
         "description": "The number of total threads used by the system.",

diff --git a/src/function/pragma/pragma_functions.cpp b/src/function/pragma/pragma_functions.cpp
@@ -11,6 +11,7 @@
 #include "duckdb/planner/expression_binder.hpp"
 #include "duckdb/storage/buffer_manager.hpp"
 #include "duckdb/storage/storage_manager.hpp"
+#include "duckdb/common/encryption_functions.hpp"
 
 #include <cctype>
 

diff --git a/src/include/duckdb/common/encryption_functions.hpp b/src/include/duckdb/common/encryption_functions.hpp
@@ -11,6 +11,36 @@
 
 namespace duckdb {
 
+struct EncryptionTag {
+	EncryptionTag() = default;
+
+	data_ptr_t data() {
+		return tag;
+	}
+
+	idx_t size() const {
+		return MainHeader::AES_TAG_LEN;
+	}
+
+private:
+	data_t tag[MainHeader::AES_TAG_LEN];
+};
+
+struct EncryptionNonce {
+	EncryptionNonce() = default;
+
+	data_ptr_t data() {
+		return nonce;
+	}
+
+	idx_t size() const {
+		return MainHeader::AES_NONCE_LEN;
+	}
+
+private:
+	data_t nonce[MainHeader::AES_NONCE_LEN];
+};
+
 class EncryptionEngine {
 
 public:
@@ -30,6 +60,11 @@ class EncryptionEngine {
 	                         FileBuffer &temp_buffer_manager, uint64_t delta);
 	static void DecryptBlock(DatabaseInstance &db, const string &key_id, data_ptr_t internal_buffer,
 	                         uint64_t block_size, uint64_t delta);
+
+	static void EncryptTemporaryBuffer(DatabaseInstance &db, data_ptr_t buffer, idx_t buffer_size, data_ptr_t metadata);
+	static void DecryptBuffer(EncryptionState &encryption_state, const_data_ptr_t temp_key, data_ptr_t buffer,
+	                          idx_t buffer_size, data_ptr_t metadata);
+	static void DecryptTemporaryBuffer(DatabaseInstance &db, data_ptr_t buffer, idx_t buffer_size, data_ptr_t metadata);
 };
 
 class EncryptionTypes {

diff --git a/src/include/duckdb/common/file_buffer.hpp b/src/include/duckdb/common/file_buffer.hpp
@@ -32,7 +32,7 @@ class FileBuffer {
 	//! DIRECT_IO
 	FileBuffer(Allocator &allocator, FileBufferType type, uint64_t user_size, idx_t block_header_size);
 	FileBuffer(Allocator &allocator, FileBufferType type, BlockManager &block_manager);
-	FileBuffer(FileBuffer &source, FileBufferType type);
+	FileBuffer(FileBuffer &source, FileBufferType type, idx_t block_header_size);
 
 	virtual ~FileBuffer();
 
@@ -60,6 +60,10 @@ class FileBuffer {
 	void Resize(uint64_t user_size, BlockManager &block_manager);
 	void Resize(BlockManager &block_manager);
 
+	idx_t GetHeaderSize() const {
+		return internal_size - size;
+	}
+
 	uint64_t AllocSize() const {
 		return internal_size;
 	}

diff --git a/src/include/duckdb/common/types/row/row_data_collection.hpp b/src/include/duckdb/common/types/row/row_data_collection.hpp
@@ -113,8 +113,7 @@ class RowDataCollection {
 #ifdef DEBUG
 		for (auto &block : blocks) {
 			D_ASSERT(block->block->GetMemoryUsage() ==
-			         BufferManager::GetAllocSize(block->capacity * entry_size +
-			                                     buffer_manager.GetTemporaryBlockHeaderSize()));
+			         BufferManager::GetAllocSize(block->capacity * entry_size + Storage::DEFAULT_BLOCK_HEADER_SIZE));
 		}
 #endif
 	}

diff --git a/src/include/duckdb/main/config.hpp b/src/include/duckdb/main/config.hpp
@@ -272,6 +272,8 @@ struct DBConfigOptions {
 	bool old_implicit_casting = false;
 	//!  By default, WAL is encrypted for encrypted databases
 	bool wal_encryption = true;
+	//! Encrypt the temp files
+	bool temp_file_encryption = false;
 	//! The default block allocation size for new duckdb database files (new as-in, they do not yet exist).
 	idx_t default_block_alloc_size = DUCKDB_BLOCK_ALLOC_SIZE;
 	//! The default block header size for new duckdb database files.

diff --git a/src/include/duckdb/main/settings.hpp b/src/include/duckdb/main/settings.hpp
@@ -1273,6 +1273,16 @@ struct TempDirectorySetting {
 	static Value GetSetting(const ClientContext &context);
 };
 
+struct TempFileEncryptionSetting {
+	using RETURN_TYPE = bool;
+	static constexpr const char *Name = "temp_file_encryption";
+	static constexpr const char *Description = "Encrypt all temporary files if database is encrypted";
+	static constexpr const char *InputType = "BOOLEAN";
+	static void SetGlobal(DatabaseInstance *db, DBConfig &config, const Value &parameter);
+	static void ResetGlobal(DatabaseInstance *db, DBConfig &config);
+	static Value GetSetting(const ClientContext &context);
+};
+
 struct ThreadsSetting {
 	using RETURN_TYPE = int64_t;
 	static constexpr const char *Name = "threads";

diff --git a/src/include/duckdb/storage/block.hpp b/src/include/duckdb/storage/block.hpp
@@ -22,7 +22,7 @@ class Block : public FileBuffer {
 	Block(Allocator &allocator, const block_id_t id, const idx_t block_size, const idx_t block_header_size);
 	Block(Allocator &allocator, block_id_t id, uint32_t internal_size, idx_t block_header_size);
 	Block(Allocator &allocator, const block_id_t id, BlockManager &block_manager);
-	Block(FileBuffer &source, block_id_t id);
+	Block(FileBuffer &source, block_id_t id, idx_t block_header_size);
 
 	block_id_t id;
 };

diff --git a/src/include/duckdb/storage/buffer_manager.hpp b/src/include/duckdb/storage/buffer_manager.hpp
@@ -76,8 +76,6 @@ class BufferManager {
 	virtual idx_t GetBlockAllocSize() const = 0;
 	//! Returns the block size for buffer-managed blocks.
 	virtual idx_t GetBlockSize() const = 0;
-	//! Returns the block header size for buffer-managed blocks.
-	virtual idx_t GetTemporaryBlockHeaderSize() const = 0;
 	//! Returns the maximum available memory for a given query.
 	virtual idx_t GetQueryMaxMemory() const = 0;
 
@@ -110,6 +108,8 @@ class BufferManager {
 	virtual void SetTemporaryDirectory(const string &new_dir);
 	//! Returns true, if the path to the temporary file directory is not empty.
 	virtual bool HasTemporaryDirectory() const;
+	//! Returns true if there are files found in the temporary directory
+	virtual bool HasFilesInTemporaryDirectory() const;
 
 	//! Construct a managed buffer.
 	virtual unique_ptr<FileBuffer> ConstructManagedBuffer(idx_t size, idx_t block_header_size,

diff --git a/src/include/duckdb/storage/standard_buffer_manager.hpp b/src/include/duckdb/storage/standard_buffer_manager.hpp
@@ -40,9 +40,6 @@ class StandardBufferManager : public BufferManager {
 
 public:
 	static unique_ptr<StandardBufferManager> CreateBufferManager(DatabaseInstance &db, string temp_directory);
-	static unique_ptr<FileBuffer> ReadTemporaryBufferInternal(BufferManager &buffer_manager, FileHandle &handle,
-	                                                          idx_t position, idx_t size,
-	                                                          unique_ptr<FileBuffer> reusable_buffer);
 
 	//! Registers a transient memory buffer.
 	shared_ptr<BlockHandle> RegisterTransientMemory(const idx_t size, BlockManager &block_manager) final;
@@ -59,7 +56,6 @@ class StandardBufferManager : public BufferManager {
 	idx_t GetBlockAllocSize() const final;
 	//! Returns the block size for buffer-managed blocks.
 	idx_t GetBlockSize() const final;
-	idx_t GetTemporaryBlockHeaderSize() const final;
 	idx_t GetQueryMaxMemory() const final;
 
 	//! Allocate an in-memory buffer with a single pin.
@@ -108,6 +104,7 @@ class StandardBufferManager : public BufferManager {
 	DUCKDB_API void ReserveMemory(idx_t size) final;
 	DUCKDB_API void FreeReservedMemory(idx_t size) final;
 	bool HasTemporaryDirectory() const final;
+	bool HasFilesInTemporaryDirectory() const final;
 
 protected:
 	//! Helper

diff --git a/src/include/duckdb/storage/storage_info.hpp b/src/include/duckdb/storage/storage_info.hpp
@@ -36,7 +36,8 @@ struct FileHandle;
 #define DEFAULT_ENCRYPTION_BLOCK_HEADER_SIZE 40ULL
 //! The configurable block allocation size.
 #ifndef DUCKDB_BLOCK_HEADER_STORAGE_SIZE
-#define DUCKDB_BLOCK_HEADER_STORAGE_SIZE DEFAULT_BLOCK_HEADER_STORAGE_SIZE
+#define DUCKDB_BLOCK_HEADER_STORAGE_SIZE     DEFAULT_BLOCK_HEADER_STORAGE_SIZE
+#define DEFAULT_ENCRYPTED_BUFFER_HEADER_SIZE 28ULL
 #endif
 
 using block_id_t = int64_t;