Saved February 14, 2026
DuckDB v1.4 introduces support for data-at-rest encryption using the AES-GCM and AES-CTR ciphers. The article details how to enable encryption and manage keys, describes the on-disk structure of an encrypted database, and highlights performance considerations and the current limitation that the implementation does not yet meet NIST compliance.
DuckDB v1.4 introduces built-in encryption for data at rest, implementing industry-standard AES encryption. Users can secure their databases with AES-GCM-256 or AES-CTR-256; AES-GCM is preferred because it also authenticates the data, so tampering is detected. The encryption is designed to be transparent to the user. The main database header remains in plaintext and contains no sensitive information: it indicates whether the database is encrypted and stores essential metadata, including a unique database identifier and the encryption parameters.
Key management in DuckDB places responsibility on the user. Users can supply a plaintext or base64-encoded string as the key, but DuckDB does not use it directly: it derives a 32-byte key from it with a key derivation function, after which the original input key is wiped from memory. Within the database file, data is stored in encrypted blocks, each with a header that holds a nonce/IV and, when AES-GCM is used, an authentication tag. Notably, the implementation does not yet meet NIST compliance, though ongoing development is addressing this.
DuckDB's approach addresses a notable gap in database systems, where encryption options have often been limited. By supporting AES encryption and handling keys carefully, DuckDB strengthens data protection for its users, which matters in particular for compliance with standards such as SOC 2. Because each database instance is encrypted uniquely, identical inputs in different databases never yield the same encrypted output, removing a weakness that would otherwise exist.
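The following Go program is an added illustration of the structure the summary describes (user key run through a KDF, a plaintext database identifier, per-block headers with nonce and GCM tag, distinct ciphertext per database instance); it is not DuckDB's code and not the article's. The HKDF-style KDF, the use of the database identifier as salt, and the nonce || tag || ciphertext layout are assumptions standing in for details the summary does not give.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey stands in for the key derivation step: the passphrase is never the AES key itself; a
// 32-byte key is derived from it, salted with the database identifier (assumed). HKDF-style HMAC-SHA256, not DuckDB's KDF.
func deriveKey(passphrase string, dbID []byte) []byte {
	extract := hmac.New(sha256.New, dbID)
	extract.Write([]byte(passphrase))
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("block-key\x01"))
	return expand.Sum(nil) // 32 bytes: an AES-256 key
}
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches this
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
// encryptBlock lays a block out as nonce || tag || ciphertext (assumed layout): a 12-byte nonce and 16-byte tag header.
func encryptBlock(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh per block, never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sealed := gcm.Seal(nil, nonce, plaintext, nil) // Go returns ciphertext || tag
	n := len(sealed) - gcm.Overhead()
	header := append(append([]byte{}, nonce...), sealed[n:]...)
	return append(header, sealed[:n]...)
}
// decryptBlock parses the header back out; a wrong key or any altered byte fails the tag check (AES-CTR alone has none).
func decryptBlock(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	ns, ts := gcm.NonceSize(), gcm.Overhead()
	if len(blob) < ns+ts {
		return nil, errors.New("block shorter than its header")
	}
	ct := append(append([]byte{}, blob[ns+ts:]...), blob[ns:ns+ts]...)
	return gcm.Open(nil, blob[:ns], ct, nil)
}
```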