From bd8821d1c6026d535376817b4fae68fde5706049 Mon Sep 17 00:00:00 2001 From: Will Morrison Date: Mon, 8 Jan 2024 13:12:20 -0500 Subject: [PATCH] Document encryption of FTE spool --- .../sphinx/admin/fault-tolerant-execution.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/src/main/sphinx/admin/fault-tolerant-execution.md b/docs/src/main/sphinx/admin/fault-tolerant-execution.md index 864b8e442545..a1624221440f 100644 --- a/docs/src/main/sphinx/admin/fault-tolerant-execution.md +++ b/docs/src/main/sphinx/admin/fault-tolerant-execution.md @@ -80,6 +80,10 @@ execution on a Trino cluster: - Enable compression of spooling data. Setting to `true` is recommended when using an [exchange manager](fte-exchange-manager). - ``false`` +* - `fault-tolerant-execution.exchange-encryption-enabled` + - Enable encryption of spooling data, see [Encryption](fte-encryption) for details. + Setting this property to false is not recommended if Trino processes sensitive data. + - ``true`` ::: (fte-retry-policy)= @@ -145,6 +149,14 @@ with a `TASK` retry policy for large batch queries, separate from another cluster that handles short queries. ::: +(fte-encryption)= +## Encryption + +Trino encrypts data before spooling it to storage. This prevents access to query data +by anyone besides the Trino cluster that wrote it, including administrators of the +storage system. A new encryption key is randomly generated for every query, and keys +are discarded once a query is completed. + ## Advanced configuration You can further configure fault-tolerant execution with the following 
@@ -449,7 +461,11 @@ the property may be configured for: - AWS S3, GCS * - `exchange.s3.endpoint` - S3 storage endpoint server if using an S3-compatible storage system that - is not AWS. If using AWS S3, this can be ignored. If using GCS, set it + is not AWS. If using AWS S3, this can be ignored unless HTTPS is required + by an AWS bucket policy. If TLS is required, then this property can be + set to an https endpoint such as ``https://s3.us-east-1.amazonaws.com``. + Note that TLS is redundant due to {ref}`automatic encryption `. + If using GCS, set it to `https://storage.googleapis.com`. - - Any S3-compatible storage
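Review bot: In the first hunk (the `fault-tolerant-execution.exchange-encryption-enabled` table row), the sentence "Setting this property to false is not recommended if Trino processes sensitive data" writes the value as plain text while the rest of the table formats values as code; suggest `false` in backticks to match the adjacent `true`/`false` cells, and consider stating that the property applies whenever spooling is in use (the neighbouring compression row already ties itself to the exchange manager), so readers know disabling it affects all spooled exchange data, not only one storage backend.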
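Review bot: The new "Encryption" section (second hunk) does not mention the `fault-tolerant-execution.exchange-encryption-enabled` property that the first hunk adds, so a reader landing here via the `(fte-encryption)` anchor cannot tell that the behaviour is configurable or what the default is; suggest adding a sentence such as "Encryption is enabled by default and controlled by the `fault-tolerant-execution.exchange-encryption-enabled` property." The section also promises protection from "administrators of the storage system", which holds only while keys never leave the cluster; if the key lifetime statement ("keys are discarded once a query is completed") is meant as a guarantee, it is worth saying where the per-query key is held (coordinator memory, not spooled alongside the data) so the claim is verifiable from the docs.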
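Review bot: In the `exchange.s3.endpoint` hunk, the reference `{ref}`automatic encryption `` has an empty target (there is only a trailing space where `<fte-encryption>` should appear), so Sphinx will emit a warning and render no link; it should read `{ref}`automatic encryption <fte-encryption>``. More importantly, "Note that TLS is redundant due to automatic encryption" overstates what the new Encryption section describes: spool encryption protects the confidentiality of the spooled payload, but TLS also authenticates the S3 endpoint and protects request headers, credentials and metadata in transit, none of which the per-query data key covers. Suggest rewording to something like "TLS is not required to protect the confidentiality of spooled data, because Trino encrypts it before writing; an https endpoint is still recommended where the bucket policy or network requires it." Minor style point: the example endpoint uses double backticks (``https://s3.us-east-1.amazonaws.com``) while the neighbouring GCS endpoint uses single backticks; keep them consistent.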