2025-03-25
VCrypt: Leveraging Vectorized and Compressed Execution for Client-side Encryption
Publication
Publication
VCrypt is a novel extension on DuckDB that enables fine-grained client-side [en/de]cryption in a performance- and storage-efficient manner, by exploiting columnar compression as well as vectorized and compressed execution. We designed VCrypt such that in analytical queries, typically (i) data can be encrypted and decrypted batch-at-a-time instead of value-at-a-time, and (ii) the extra storage for cryptographic nonces gets compressed away. We also demonstrate the use of VCrypt inside MotherDuck, leveraging its hybrid processing model that evaluates SQL queries partly on a client DuckDB and partly on a cloud DuckDB, to achieve secure hybrid execution. This provides security even if the cloud server is untrusted, by forcing the [en/de]cryption of sensitive data to happen only client-side, while still allowing useful cloud-side work like filters and joins.
| Additional Metadata | |
|---|---|
| doi.org/10.48786/edbt.2025.113 | |
| Organisation | Database Architectures |
|
Felius, L., & Boncz, P. (2025). VCrypt: Leveraging Vectorized and Compressed Execution for Client-side Encryption. In Proceedings of the International Conference on Extending Database Technology (pp. 1158–1161). doi:10.48786/edbt.2025.113 |
|
