Abstract: The subject technology determines a derived encryption key using a cryptographic hash function applied to a hybrid tenant master encryption key and a local random generated identifier. The subject technology encrypts a record value and a key value associated with a transaction using the derived encryption key. The subject technology determines a non-leaf node using a tenant prefix of a tenant. The subject technology inserts the encrypted record value at a leaf node below a non-leaf node of a tree structure associated with the tenant. The subject technology receives a second transaction for performing a read operation on a distributed database. The subject technology retrieves a set of encryption keys based at least in part on an account and the tenant. The subject technology decrypts, using the set of encryption keys, data from the distributed database. The subject technology provides the decrypted data as a result of the second transaction.

Abstract: The subject technology receives a transaction for performing an operation on a distributed database, the transaction associated with an account. The subject technology identifies a tenant corresponding to the account associated with the transaction. The subject technology retrieves a set of encryption keys based at least in part on the account and the tenant. The subject technology determines a derived encryption key using a cryptographic hash function applied to a hybrid tenant master encryption key and a local random generated identifier. The subject technology encrypts a record value and a key value associated with transaction using the derived encryption key. The subject technology determines a tree structure associated with the tenant. The subject technology determines a non-leaf node using a tenant prefix of the tenant. The subject technology inserts the encrypted record value, and the encrypted key value at a leaf node below the non-leaf node of the tree structure.