Data Encryption Mapping within QDS (AWS)

The QDS Control Plane denotes all the components except the clusters. Understanding the Qubole Folders in the Default Location on S3 (AWS) provides the list of folders in the account’s default location into which QDS has access to write data. Here is a table that maps the different types of data encryption with QDS Control Plane and Hadoop, Hive, Presto, and Spark engines.

Type Filesystem QDS Account QDS Control Plane Hadoop/Hive/Spark Engines Presto Engine
Server-side Encryption S3n S3n NA SSE-S3 NA
S3a SSE-S3 (via Support) SSE-KMS (via API) SSE-S3, SSE-KMS, and SSE-C NA
PrestoS3Filesystem NA NA NA SSE-S3 and SSE-KMS
Client-side Encryption S3a NA NA Supported only on the S3a filesystem NA

The expanded form of the supported encryption keys in the above table are:

  • SSE-S3: Amazon S3-managed encryption keys
  • SSE-KMS: Amazon S3-KMS Managed encryption keys
  • SSE-C: Server-Side Encryption with Customer-Provided encryption keys


The encryption keys in Presto have different configuration parameters. For more information, see catalog/

You can enable SSE-S3 on the QDS account only by creating a ticket with the Qubole Support.