Skip to content

File Encryption for the Lakehouse: The Terminology, the Machinery, and the Hard Problem of Interoperable Encrypted Tables

Published: at 09:00 AM

File Encryption for the Lakehouse: The Terminology, the Machinery, and the Hard Problem of Interoperable Encrypted Tables

By Alex Merced, Head of Developer Relations at Dremio

For years, the open lakehouse had an honest gap that practitioners whispered about and slide decks skipped: encryption. Not the checkbox kind, every cloud bucket has offered that for a decade, but the real kind, where the data itself is cryptographically protected in a way that survives a compromised bucket, satisfies a regulator, and still works when five different query engines from five different vendors need to read the same table. That last clause is the hard part, and it is why encryption arrived at the lakehouse years after transactions, evolution, and time travel.

The gap is now closing, and 2026 is the year it became real. Apache Parquet’s modular encryption matured from specification into broadly implemented capability, and Apache Iceberg 1.11, released this May, shipped table-level encryption as a headline feature: a full envelope-encryption design with a three-tier key hierarchy, encrypted metadata, and the catalog as the key broker. The pieces of an interoperable encrypted lakehouse finally exist. What does not yet exist is widespread understanding of how they fit, and encryption is a domain where partial understanding is worse than none, because a misconfigured cryptosystem produces perfect confidence and no protection.

So this article is the full treatment: the terminology bootcamp, every term you will meet, defined properly, the layers at which data can be encrypted and what each layer actually protects, the deep mechanics of Parquet Modular Encryption and Iceberg’s new table encryption, and then the heart of the piece, the interoperability challenge set: why encrypted files that every engine can read is a genuinely hard distributed-systems problem, where the seams are, and the patterns emerging to manage them. Plus the operational realities, rotation, crypto-shredding, disaster recovery, that determine whether an encryption deployment is an asset or a time bomb. As always: plain language, honest trade-offs, and the goal that the logic clicks.

Why Bucket Encryption Was Never Enough

Start with the question that stalls half the encryption conversations I have: our object storage is already encrypted, so what problem remains?

Server-side encryption, the SSE in your S3 configuration, means the storage service encrypts bytes before writing them to its disks and decrypts them on every authorized read. It is genuinely valuable and genuinely narrow: it protects against threats to the physical storage layer, stolen drives, decommissioned hardware, a breach beneath the service’s API. Against everything above that line it does nothing, because the service transparently decrypts for any caller with bucket permissions. A leaked credential, an over-broad IAM role, a compromised service, a malicious insider with storage access: every one of them reads plaintext, because to the storage API, they are authorized.

Threat modeling makes the gap precise. Server-side encryption answers “what if someone steals the disks.” It does not answer “what if someone gets into the bucket,” which is the overwhelmingly more common incident, nor “what if the storage provider itself must be outside the trust boundary,” which is the sovereignty and regulated-industry requirement, nor “how do I prove to an auditor that a specific column of personal data was unreadable to everyone without a specific key.” Those questions require the data to be encrypted before it reaches storage, under keys the storage service never holds, decryptable only by clients you control. That is client-side encryption, and in the lakehouse, where the clients are a fleet of heterogeneous query engines sharing files, client-side encryption is exactly the interoperability puzzle this article exists to work through.

The honest framing, which I will repeat at the end: bucket-level encryption plus access control is a legitimate, sufficient posture for plenty of estates. The machinery below is for the estates where it is not, regulated data, multi-tenant platforms, sovereignty constraints, defense in depth mandates, and the population of those estates grows every year the AI era pushes more sensitive data into analytical reach.

The Terminology Bootcamp

Encryption conversations run on a vocabulary that gates comprehension, so here is the working glossary, built in dependency order, each term earning the next.

Plaintext and ciphertext are the before and after: readable data, and the output of encryption, which should be computationally indistinguishable from random bytes. That indistinguishability, incidentally, is why my compression article insists on compressing before encrypting: ciphertext has no redundancy left to compress.

Symmetric encryption uses one key for both directions, and it is what bulk data encryption always uses, because it is fast. The universal standard is AES, the Advanced Encryption Standard, hardware-accelerated on essentially every modern CPU through dedicated instructions, which is why encrypting terabytes is computationally cheap in 2026. Asymmetric encryption, the public-and-private key kind, is too slow for bulk data and appears in this story only around the edges, wrapping keys and authenticating parties.

Modes determine how AES, which natively scrambles single 16-byte blocks, extends to real data, and one distinction here does enormous work. AES-CTR, counter mode, encrypts efficiently and provides confidentiality only: an attacker cannot read the data but can flip bits and splice sections without detection. AES-GCM, Galois/Counter Mode, provides authenticated encryption: confidentiality plus an integrity tag, so any tampering, truncation, or splicing is detected at decryption. Modern designs default to GCM, and when you see a format offer a CTR variant, it is a deliberate performance-versus-integrity trade for specific situations. Authenticated modes require a nonce or initialization vector, a never-reused-per-key value, whose correct handling is one of those details specifications exist to get right so you cannot get it wrong.

AAD, additional authenticated data, extends GCM’s integrity beyond the ciphertext: extra context, a filename, a module identifier, that is not encrypted but is bound into the integrity tag, so ciphertext moved to a different context fails to decrypt. Hold this one, it is the elegant trick that stops an attacker from swapping encrypted pieces between files.

Envelope encryption is the architecture everything at scale uses. Encrypting a petabyte directly with one master key is operationally insane, so instead: each file gets its own DEK, data encryption key, generated randomly at write time. The DEK encrypts the data, and then the DEK itself is encrypted, wrapped, by a higher key and stored alongside the data it protects. The wrapping key may itself be wrapped by another, yielding hierarchies: DEKs wrapped by KEKs, key encryption keys, wrapped by a master key. The master key lives in a KMS, key management service, a hardened system, often backed by an HSM, a tamper-resistant hardware security module, that never releases the master key at all: clients send wrapped keys to the KMS and receive unwrapped ones, every operation authenticated, authorized, and audited. The beauty of the envelope: bulk data never moves for key operations, rotating or revoking a master key means re-wrapping small keys, not re-encrypting petabytes, and the KMS audit log becomes the ledger of who could read what, when.

Key rotation is the practice of retiring keys on schedule, limiting how much any single compromised key exposes. Crypto-shredding is rotation’s dramatic cousin: destroy a key, and everything encrypted under it becomes permanently unreadable, which converts data deletion, nearly impossible to prove across replicated immutable storage, into key deletion, which is instant and provable, a property privacy regulation made valuable beyond measure.

Finally, the client-side versus server-side axis from the previous section, and the cloud’s menu along it: SSE with provider-managed keys, SSE with your KMS keys, which adds your audit and revocation but still decrypts for any bucket-authorized caller, SSE with customer-provided keys, and full client-side encryption, where the storage never sees plaintext. The lakehouse machinery below is the client-side end of that menu, made multi-engine.

The Layers: Where You Can Encrypt, and What Each Buys

With the vocabulary loaded, the design space becomes a clean question of layers, each protecting against more and costing more.

Layer one, transport: TLS on every connection. Table stakes, universally deployed, protects data in motion, and says nothing about data at rest.

Layer two, storage-service encryption: the SSE family. Protects the physical layer, satisfies the baseline checkbox, transparent to everything above, and, per the threat model above, powerless against credentialed access.

Layer three, whole-file client-side encryption: encrypt each object before upload, as an opaque blob. Maximum confidentiality and the death of analytics: an encrypted blob has no readable footer, no statistics, no ranged reads, so every query downloads and decrypts entire files. This layer is for archives and backups, not tables, and its failure at analytics is precisely what motivated the next layer.

Layer four, format-aware encryption: encryption designed into the file format itself, so that the columnar machinery, footers, statistics, selective column reads, pruning, survives. This is Parquet Modular Encryption’s layer, and it is where the lakehouse story lives, because it is the only layer that delivers client-side protection and analytical performance simultaneously.

Layer five, field-level and application encryption: individual values encrypted before they ever enter the data platform, by the producing application. Strongest isolation, and the values become opaque to the platform, no filtering, no aggregation, no statistics on those fields, so it suits the narrow tier of ultra-sensitive identifiers, often paired with tokenization, rather than general columns.

The pattern to internalize: each layer up the stack shrinks the set of parties who can see plaintext, and shrinks what the platform can do with the data, and format-aware encryption exists because it bends that trade better than any other point, keeping plaintext away from storage and network while preserving nearly everything analytics needs. Defense in depth means running several layers at once, TLS plus SSE plus format-level for the sensitive tables, and the design work is choosing where each table’s requirements land.

Parquet Modular Encryption: The Format-Aware Foundation

Parquet Modular Encryption, developed in the Parquet community with Gidon Gershinsky as its long-time driving force, is the piece that made layer four real, and its design rewards a close look because every property was chosen to preserve exactly what makes Parquet valuable.

The core move: encrypt Parquet’s modules, not its file. Each unit of the format, data pages, dictionary pages, footer, indexes, is encrypted independently with AES, GCM by default, after encoding and compression have done their work, order matters, per the compression article. Because modules encrypt independently, the read path survives intact: a reader fetches and decrypts the footer, plans as always, and then fetches and decrypts only the pages the query touches. Selective column reads, predicate pushdown, ranged GETs, the whole economic model of my storage deep dive, all preserved under encryption. That single property is the difference between encryption you can afford on analytical tables and encryption you cannot.

The key model is columnar, and this is where governance enters the format: different columns can be encrypted under different keys. The salary column under one key, the email column under another, the non-sensitive columns under a footer key or left plaintext. A reader possessing only some keys can read exactly those columns, and fine-grained access control acquires a cryptographic enforcement layer beneath the policy layer: even a reader who bypasses every engine and opens the raw file gets only the columns whose keys it holds.

The footer gets special treatment because it is special: it holds the schema, the offsets, and the statistics, and statistics leak, min and max values of an encrypted column are data. Encrypted-footer mode, marked by the PARE magic bytes replacing Parquet’s usual signature, encrypts the whole footer under its own key, hiding schema and statistics from keyless readers, while a plaintext-footer variant keeps legacy readers able to see the file’s structure and the unencrypted columns, trading some leakage for compatibility. And integrity runs through everything via AAD: each module’s encryption binds identifiers of its position, which file, which column, which page, into its authentication tag, so an attacker with storage access cannot splice pages between files, swap one file’s column chunk into another, or roll a column back to an older version without decryption failing loudly. Tamper-proofing, not just secrecy.

What the format deliberately does not define is where keys come from: it specifies key metadata fields and leaves key management to the layer above, a modularity that seemed like a gap and turned out to be foresight, because the layer above now exists.

Iceberg Table Encryption: The Envelope Around Everything

Parquet encrypts files. Tables are more than files: they are metadata trees, manifests full of statistics, paths, and structure, and an encrypted table whose metadata is plaintext leaks its shape, its stats, and its history. Iceberg 1.11, released May 19, 2026, closed that gap with table-level encryption, the feature I flagged as a design discussion in my Polaris coverage, now shipped, and its architecture is the envelope pattern executed across a whole table format.

The key hierarchy has three tiers, each earning its place. At the top, a table master key, living in your KMS, referenced by the table property that names it, and never stored in Iceberg at all. In the middle, key encryption keys, KEKs, generated by Iceberg, wrapped by the master key via KMS calls, and stored wrapped inside the table metadata. At the bottom, per-file data encryption keys: every data file, delete file, and manifest gets its own DEK, generated with a secure random source on the workers, used once, and stored wrapped by a KEK in the metadata’s key_metadata fields. The division of labor is the envelope pattern’s textbook payoff: the KMS is consulted rarely, to unwrap KEKs, not per file, keeping it off the query hot path, rotation of the master key re-wraps KEKs without touching data, and every file’s compromise surface is one unique key.

The mechanics then split by artifact. Parquet data files encrypt through native Parquet Modular Encryption, with Iceberg supplying each file’s DEK and a unique AAD prefix, so the format-level protections above apply intact. Avro artifacts and the metadata tree, manifests and manifest lists, encrypt through an AES GCM streaming construction, marked by its own AGS1 magic bytes, so the table’s structure, statistics, and file inventory are themselves ciphertext at rest. The read path stitches it together: the engine fetches table metadata through the catalog, which returns the metadata location along with the key material the caller is authorized to unwrap, decrypts the manifest list in memory, never on disk in plaintext, plans against the decrypted statistics, and proceeds down to data files with their individual DEKs. Even an attacker holding full bucket access sees only encrypted bytes at every level of the tree.

Note the load-bearing phrase in that read path: through the catalog. Iceberg’s encryption is configured via catalog and table properties, currently supported through the REST and Hive catalog paths with Parquet and Avro data formats, and the catalog’s role as the broker of key material is not incidental, it is the design’s answer to the interoperability problem, which brings us to the heart of the article.

The Interoperability Challenge Set

Here is why encrypted lakehouse tables took years longer than encrypted databases: a database is one codebase holding its own keys, and a lakehouse table is a contract among many engines, from many vendors, in many languages, all of which must now agree not just on bytes but on cryptography, key acquisition, and trust. Walk the challenges one by one, because each shapes the emerging architecture.

Challenge one: every engine must implement everything. An encrypted table is only interoperable if every reader and writer in the estate implements the same encryption spec, the same modes, the same AAD construction, the same key-metadata interpretation, and implements them correctly, because cryptographic near-misses fail closed at best and fail silent at worst. The specs, Parquet Modular Encryption and now Iceberg’s table encryption, exist precisely to make this possible, and implementation coverage still rolls out engine by engine: the Java lineage, Spark and Flink, matured first, the C++ and Python paths through Arrow followed, work across Trino and the broader community continues, and any given estate must audit its actual engines and versions against its actual requirements before turning the keys. An encrypted table that one critical engine cannot read is an outage with a compliance certificate.

Challenge two: the N-by-M key management problem. Beyond the crypto, every engine needs to reach your KMS: authentication, authorization, client libraries, per cloud and per vendor. N engines times M key services is the same quadratic monster this series has met at every layer, and the same class of answer is emerging: standardize the interface. Iceberg ships pluggable KMS clients with pre-defined types for the major clouds and a custom client path, and, more strategically, the catalog is stepping into the broker role, engines authenticate once to the catalog, the catalog talks to the KMS, and key material flows through the same governed channel as everything else. Readers of my Polaris article will recognize this as credential vending’s sibling: the catalog already brokers short-lived storage credentials per principal per operation, and brokering wrapped table keys through the same authenticated, audited surface is the natural extension, one the community’s catalog-side encryption discussions are actively shaping. The endgame worth rooting for: an engine that speaks the REST catalog protocol gets governed access to encrypted tables without ever learning what KMS sits behind them.

Challenge three: maintenance needs keys too. Compaction reads old files and writes new ones, snapshot expiration deletes, manifests rewrite, and every one of those background jobs must decrypt and re-encrypt, meaning the maintenance identity needs key access, wide key access, since it touches everything. This concentrates risk exactly where nobody is watching, and the design response is discipline: maintenance runs as its own principal with its own audited grants, DEKs are regenerated fresh on every rewrite, never reused, and the compaction fleet becomes part of the trust boundary you actively manage rather than an afterthought.

Challenge four: time travel meets rotation. Iceberg’s snapshots are immutable and long-lived, and each snapshot’s files carry the DEKs of their era, wrapped by the KEKs of their era. Rotate the master key and the envelope saves you, re-wrap the KEKs and history remains readable. Crypto-shred a key, and you have deliberately amputated every snapshot that depended on it, which is sometimes exactly the point, the GDPR erasure made provable, and sometimes a catastrophic surprise, the backup that can never be restored. Encrypted tables demand that key lifecycle policy and snapshot retention policy be designed as one policy, with the unglamorous corollary that your disaster recovery plan now has a second single point of failure: lose the KMS, or lose access to it in the recovery region, and the lake full of perfectly durable ciphertext is a lake full of noise. Key material replication and recovery drills join the runbook, permanently.

Challenge five: what encryption does to the surrounding features. Statistics under encrypted footers are invisible to keyless planners, which is the point, and which means shared services that relied on peeking at files, discovery crawlers, third-party optimizers, cost estimators, must now come through the governed path or go blind. Column-level keys interact with schema evolution, renames and re-additions must not confuse key assignments, the kind of edge the specs and implementations have spent their maturation grinding through. And the boundary with the policy layer needs stating plainly: encryption is not a substitute for RBAC, masking, and row filters, it is the enforcement backstop beneath them, the layer that holds even when the perimeter fails, and mature designs run both, policy for flexibility, cryptography for finality.

Challenge six: sharing across trust boundaries. The lakehouse’s proudest trick, one copy of data served to many parties, meets its hardest test when the parties span organizations. Encrypted sharing means key sharing, which means the KMS grant becomes the actual instrument of data sharing, with all the revocation power and audit visibility that implies, per-partner KEKs so that revoking one consumer never touches another, and catalog federation carrying the governed key flow across boundaries. It is early days for this pattern at scale, and it is also the most exciting one on the board, because cryptographic sharing is what finally makes “share the data without trusting the perimeter” a literal statement.

The Design Patterns That Are Emerging

Out of the challenge set, a recognizable set of deployment patterns has formed, and matching your requirements to a pattern beats inventing one.

Uniform table encryption is the baseline pattern and the 1.11 default shape: every file and manifest of a sensitive table encrypted under the table’s hierarchy, one master key per table or per domain, catalog-brokered keys, engines none the wiser beyond configuration. It answers the bucket-compromise and sovereignty threat models cleanly and adds the least design complexity, which makes it the right first deployment for most estates.

Column-tiered keys layer Parquet’s per-column model on top for the tables where sensitivity is uneven: PII columns under restricted keys, the rest under the table baseline, so that cryptographic access mirrors the classification policy and a data scientist’s engine literally cannot decrypt the columns their role excludes. The cost is key sprawl and evolution care, spend it only where classification genuinely demands it.

Key-per-tenant is the multi-tenant platform’s pattern: each tenant’s slices encrypted under tenant-dedicated keys, making isolation cryptographic rather than merely logical, offboarding a matter of key revocation, and the deletion clauses of contracts satisfiable by crypto-shredding with a KMS audit log as the receipt.

And defense in depth is the meta-pattern wrapping all of them: TLS everywhere, SSE on the buckets because it is free, format and table encryption on the estates that need it, RBAC and masking above, credential vending for storage, key brokering through the catalog, and every layer’s audit flowing to the same place. No single layer is the security story. The stack is.

A Worked Example: One Healthcare Table, End to End

Assemble everything with a single concrete deployment: a health-tech company’s patient_events table, clinical event records with identifiers, diagnoses, and timestamps, queried by Spark pipelines, a Dremio-served BI tier, and a data science team in Python, under a regulator who will eventually ask for proofs.

Design first, machinery second. The threat model: bucket compromise must expose nothing, the analytics vendor’s support staff must be outside the trust boundary for identifiers, and patient erasure requests must be provable. The classification: two identifier columns are the crown jewels, the clinical columns are sensitive, the operational columns are ordinary. That maps to column-tiered keys on top of uniform table encryption.

The key architecture follows the envelope. A table master key is created in the company’s KMS with its own IAM policy and audit stream, and its ARN lands in the table’s encryption property. Iceberg generates KEKs, wraps them via the KMS, and stores them wrapped in table metadata. Every data file, delete file, and manifest gets its own DEK at write time, wrapped and recorded in key_metadata. The identifier columns additionally encrypt under a restricted column key whose KMS grant lists exactly three principals: the ingestion service, the compliance analytics role, and the maintenance identity. Footer mode is encrypted, PARE magic and all, so even schema and statistics are ciphertext to a keyless reader.

Now run the actors through it. The Spark ingestion job authenticates to the Polaris-based catalog as its principal, receives the table metadata plus the key material its grants allow, and writes: pages encoded, compressed, then encrypted, each file under a fresh DEK, AAD binding every module to its position. The BI tier’s engine plans through the catalog the same way, decrypts manifests in memory, prunes on the decrypted statistics, and serves dashboards from the clinical and operational columns, its role holds those keys and not the identifier key, so a support engineer inspecting that engine’s environment could never surface a patient identifier, not by policy but by mathematics. The data science notebook, holding only the baseline keys, queries the same table and receives the identifier columns as unreadable, exactly mirroring the masking policy above, now enforced beneath it. The nightly maintenance principal compacts small files, decrypting with old DEKs and re-encrypting outputs under fresh ones, its broad key access logged operation by operation in the KMS trail.

Then the hard days, which is what the design was for. The bucket credential leaks in month seven: the incident review confirms the attacker’s haul was ciphertext at every level, data, manifests, statistics, and the disclosure obligations shrink accordingly. The annual rotation lands: the master key rotates in the KMS, the KEKs re-wrap in a metadata-only operation, and not one data file is touched. A patient exercises erasure: their records, isolated by design under a patient-scoped key strategy in the identifier tier, become permanently unreadable when that key is destroyed, and the KMS log of the destruction is the proof the regulator receives, months faster than any storage-level deletion audit could have delivered. And the disaster recovery drill, run because the runbook now demands it, verifies that key material replicates to the recovery region alongside the data, closing the one failure mode that would have turned eleven nines of durability into a perfectly preserved pile of noise.

Nothing in the story required exotic engineering. Every piece was a shipped capability, Parquet Modular Encryption, Iceberg 1.11 table encryption, catalog-brokered access, KMS discipline, composed in the order the threat model dictated. That composition is the whole craft.

A Decision Framework: How Much of This Do You Need?

Compress the article into the triage I walk teams through.

Start from the threat model, stated as sentences with names in them, not from the feature list. “A leaked bucket credential must not expose data” points at format or table encryption. “The platform vendor must not be able to read identifiers” points at column-tiered keys held outside the vendor’s reach. “We must prove erasure” points at crypto-shredding and therefore at key granularity aligned to the erasure unit, per patient, per tenant, per contract. “Regulated categories require encryption at rest with customer-managed keys” is often satisfiable at SSE-KMS, read the actual requirement before building past it.

Then size the machinery to the sentences. No sentence beyond perimeter protection: TLS, SSE-KMS, catalog RBAC, credential vending, done, and spend the saved complexity on governance quality. Sentences about storage compromise or sovereignty: uniform table encryption on the sensitive domains, catalog-brokered, with rotation and DR added to the runbook. Sentences about intra-platform trust tiers or provable erasure: add column keys and granular key scoping where the sentences demand, and nowhere else, because every additional key is permanent operational surface. Multi-tenant platform sentences: key-per-tenant from day one, retrofitting tenancy into a shared-key estate is the migration nobody enjoys.

And gate the rollout on the two audits this article kept flagging: engine coverage, every reader and writer in the estate verified against the encryption spec at your versions, and lifecycle coupling, key rotation, snapshot retention, maintenance identity, and KMS recovery designed as one document. Encryption deployed without those audits is not security, it is a scheduled incident. Deployed with them, it is the quiet completion of the open lakehouse’s promise.

Questions I Hear Most Often

What does encryption cost in performance? Far less than intuition suggests, thanks to hardware AES: bulk encryption and decryption run at gigabytes per second per core on modern CPUs, and published experience with Parquet Modular Encryption puts typical query overhead in the low single-digit percentages, with the envelope design keeping KMS calls off the per-file path. The honest costs live elsewhere: key management operations, the loss of file-peeking shortcuts, and engineering time. Cycles are the cheap part.

Compress then encrypt, or encrypt then compress? Compress first, always, because ciphertext does not compress, and the formats enforce the right order internally, encoding, then compression, then encryption per module. The corollary from the compression article applies: never layer another compressor over encrypted files expecting gains.

Is this overkill if I already run SSE-KMS and strong RBAC? For many estates, genuinely yes, and I say that as the person who just wrote six thousand words on the machinery. SSE-KMS plus tight IAM plus catalog governance is a defensible posture for data whose threat model ends at the perimeter. Format and table encryption earn their complexity when the model extends further: regulated categories, provable erasure, multi-tenant isolation, sovereignty, or the simple institutional requirement that storage compromise must not equal data compromise. Threat model first, machinery second.

How does this relate to credential vending? They are siblings in one governance architecture, and the pairing is the future I keep pointing at: vending controls who can reach the bytes, encryption controls who can read them, both brokered per-principal through the catalog, both audited in one trail. Vending without encryption trusts the storage perimeter. Encryption without vending sprawls keys. Together, through a catalog like Polaris, they are the complete story of governed access, which is why the catalog communities are where this integration work is happening.

Can I encrypt an existing table? Not in place, immutability forbids it: encryption arrives through rewrite, which in practice means enabling it and letting compaction and lifecycle rewrites migrate the estate, or forcing a full rewrite where urgency demands. Plan it like the compression migrations of the companion article, as maintenance-driven, table-by-table, with the encrypted-and-plaintext coexistence handled by the format’s metadata.

What should I watch next in this space? Three fronts. Engine coverage maturing, the boring rollout that determines when “interoperable” is simply true for your stack. The catalog-as-key-broker work deepening across the REST catalog world, which is where the N-by-M problem actually dies. And the sharing frontier, cryptographic cross-organization data products, where the lakehouse’s economics and encryption’s guarantees combine into something the industry has wanted for twenty years: sharing without perimeter trust. My newsletters track all three weekly.

Closing Thoughts

Encryption was the lakehouse’s last unfinished pillar because it was the hardest kind of problem the open data movement takes on: not an algorithm, cryptography solved the algorithms decades ago, but an agreement, a way for many engines under many vendors to share not just bytes and schemas but secrets, safely, with the machinery of keys and trust standardized enough to interoperate and flexible enough to satisfy every regulator’s variance. The pieces that closed the gap tell this series’ oldest story one more time: a format-level spec matured in the Parquet community, a table-level design shipped through Iceberg’s open process, and the catalog layer, the same open governance point that credential vending established, stepping up as the broker that makes it operable at fleet scale.

The practitioner’s summary: know your threat model, run defense in depth, let the envelope pattern and the catalog carry the key management, respect the operational couplings, rotation with retention, KMS with disaster recovery, maintenance with trust, and treat the interoperability rollout as the deployment gate it is. Do that, and the lakehouse’s proudest properties, one copy, many engines, open formats, no perimeter of lock-in, now extend to its most sensitive data, which is exactly the data the next decade’s AI systems most need governed access to.

If you want these foundations at full depth, from the formats and catalogs through the governance and AI systems above them, that is what my books are for. I co-authored Apache Iceberg: The Definitive Guide and Apache Polaris: The Definitive Guide for O’Reilly, with further titles on lakehouse architecture, data engineering, and agentic analytics.

Browse the full collection of my books on data and AI at books.alexmerced.com. To try a modern Agentic Lakehouse experience, visit dremio.com/get-started.