Document encryption of FTE spool

docs/src/main/sphinx/admin/fault-tolerant-execution.md

@@ -80,6 +80,10 @@ execution on a Trino cluster:
   - Enable compression of spooling data. Setting to `true` is recommended
     when using an [exchange manager](fte-exchange-manager).
   - ``false``
+* - `fault-tolerant-execution.exchange-encryption-enabled`
+  - Enable encryption of spooling data, see [Encryption](fte-encryption) for details. 
+    Setting this property to false is not recommended if Trino processes sensitive data.
+  - ``true``
 :::
 
 (fte-retry-policy)=
@@ -145,6 +149,14 @@ with a `TASK` retry policy for large batch queries, separate from another
 cluster that handles short queries.
 :::
 
+(fte-encryption)=
+## Encryption
+
+Trino encrypts data before spooling it to storage. This prevents access to query data
+by anyone besides the Trino cluster that wrote it, including administrators of the
+storage system. A new encryption key is randomly generated for every query, and keys
+are discarded once a query is completed.
+
 ## Advanced configuration
 
 You can further configure fault-tolerant execution with the following
@@ -449,7 +461,11 @@ the property may be configured for:
   - AWS S3, GCS
 * - `exchange.s3.endpoint`
   - S3 storage endpoint server if using an S3-compatible storage system that
-    is not AWS. If using AWS S3, this can be ignored. If using GCS, set it
+    is not AWS. If using AWS S3, this can be ignored unless HTTPS is required 
+    by an AWS bucket policy. If TLS is required, then this property can be 
+    set to an https endpoint such as ``https://s3.us-east-1.amazonaws.com``. 
+    Note that TLS is redundant due to {ref}`automatic encryption <fte-encryption>`. 
+    If using GCS, set it
     to `https://storage.googleapis.com`.
   -
   - Any S3-compatible storage