PME in Modular footer

7 views
Skip to first unread message

Jiayi Wang

unread,
Jul 1, 2026, 4:32:37 PM (13 days ago) Jul 1
to apache-parquet-fo...@googlegroups.com, Alkis Evlogimenos, Rok Mihevc, Divjot Arora, wedw...@spotify.com

Hi everyone,


I'd like to raise a question for the next sync.


PME has two encryption modes: footer encryption, where a single footer key encrypts every module, and per-column encryption, where each column can use its own key.


Footer encryption is straightforward: one key encrypts everything, as before.


Per-column encryption is trickier. A column's ColumnMetaData bundles two kinds of information with very different sensitivity: location (data/dictionary page offsets and sizes) and statistics (min/max/null count). Today PME encrypts the entire ColumnMetaData as a single module under one key.


In the modular footer, though, location and statistics are separate modules, and we want to store location as a struct-of-arrays. That makes per-column encryption impossible for location: a single column's offset is just one element inside a shared array, and we can't encrypt an individual element of a Thrift list under a column-specific key.


think the reasonable resolution is to keep location in plaintext and only encrypt statistics. Location leaks little on its own, for example, if only one column is encrypted, its offset and size can already be reconstructed from the surrounding columns' metadata, so encrypting it buys almost nothing. Statistics (min/max) are what actually reveal data content, so that's where encryption matters.


In Databricks, there is almost no usage of PME, we have very little understanding of the real PME user cases, so let me know if you see it differently.

Best,
Jiayi

Rok Mihevc

unread,
Jul 2, 2026, 3:19:55 PM (12 days ago) Jul 2
to Jiayi Wang, apache-parquet-fo...@googlegroups.com, Alkis Evlogimenos, Divjot Arora, wedw...@spotify.com, adam....@gr-oss.io
# ccing Adam Reeve who might have a more nuanced opinion

I think location should be fine to exclude from PME.

Rok

Adam Reeve

unread,
Jul 2, 2026, 5:40:24 PM (12 days ago) Jul 2
to Rok Mihevc, Jiayi Wang, apache-parquet-fo...@googlegroups.com, Alkis Evlogimenos, Divjot Arora, wedw...@spotify.com
Yes I agree the location data doesn't need to be encrypted with the column keys. Although when you say the location would be in plaintext, it would actually be encrypted by the footer key right? Unless a plaintext footer is enabled.

Thanks,
Adam

Jiayi Wang

unread,
Jul 3, 2026, 5:05:23 AM (11 days ago) Jul 3
to adam....@gr-oss.io, Rok Mihevc, apache-parquet-fo...@googlegroups.com, Alkis Evlogimenos, Divjot Arora, wedw...@spotify.com
Yes, the location is also encrypted when a footer key is used. It is only stored in plaintext when a column key is used and not footer key.

Alkis Evlogimenos

unread,
Jul 3, 2026, 7:27:16 AM (11 days ago) Jul 3
to Jiayi Wang, apache-parquet-fo...@googlegroups.com, Rok Mihevc, Divjot Arora, wedw...@spotify.com
think the reasonable resolution is to keep location in plaintext and only encrypt statistics. Location leaks little on its own, for example, if only one column is encrypted, its offset and size can already be reconstructed from the surrounding columns' metadata, so encrypting it buys almost nothing. Statistics (min/max) are what actually reveal data content, so that's where encryption matters.


I agree with this assessment.


On Wed, Jul 1, 2026 at 10:32 PM Jiayi Wang <jiayi...@databricks.com> wrote:
Reply all
Reply to author
Forward
0 new messages