Encryption

Data Encryption

  • Snowflake uses AES 256-bit encryption for all data
    • Data copied to Snowflake internal stages is automatically encrypted using server-side encryption and, by default, 128-bit (256-bit optional) client-side encryption
  • Hierarchy: Root > Account Master Keys (AMK) > Table Master Keys > File Keys
  • Snowflake managed keys are rotated every 30 days.
  • Active keys are used for encryption, Retired keys are kept around for decrypting old data
  • Rekeying (optional, Enterprise edition and above) re-encrypts data whose retired key is older than one year
  • Tri-Secret Secure: available only for Business Critical edition and VPS
    • Account master key is replaced by a composite master key, composed by Customer Managed Key and Snowflake Managed Key
    • Composite keys are cached for only ~10 minutes, so revoking the customer key takes effect within ~10 minutes
    • Snowflake doesn't store the customer key; it only accesses it through AWS KMS or the customer's key vault
    • Requires downtime when enabling for the first time
  • External stage data encryption is Customer's choice
  • Snowflake uses a Hardware Security Module (HSM) to generate root keys (on GCP, the HSM is available via the KMS API)
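The active/retired/rekey lifecycle above, as an added example in Python (not Snowflake's code): one level of the hierarchy holds a single active key for encryption, keeps retired keys only for decryption, rotates after 30 days, and rekeys data only once its key is a year old. `KeyRing` and `toy_encrypt` are hypothetical names, and an HMAC-SHA256 keystream stands in for AES-256, which the standard library does not provide.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Intervals from the notes above: managed keys rotate every 30 days;
# rekeying re-encrypts data still under a retired key older than one year.
ROTATE_AFTER = timedelta(days=30)
REKEY_AFTER = timedelta(days=365)


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: HMAC-SHA256 counter keystream XORed with the data.
    Symmetric, so the same call decrypts. Illustrative only, never a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyRing:
    """One level of the hierarchy (hypothetical, e.g. a table master key ring).
    Exactly one key is active for encryption; retired keys stay only for decryption."""

    def __init__(self, today: date):
        self.keys = {}  # key_id -> (key bytes, creation date)
        self.active = None
        self.rotate(today)

    def rotate(self, today: date) -> int:
        kid = len(self.keys) + 1  # the previous active key becomes retired
        self.keys[kid] = (os.urandom(32), today)
        self.active = kid
        return kid

    def encrypt(self, today: date, plaintext: bytes) -> tuple:
        if today - self.keys[self.active][1] >= ROTATE_AFTER:
            self.rotate(today)
        nonce = os.urandom(16)
        return (self.active, nonce, toy_encrypt(self.keys[self.active][0], nonce, plaintext))

    def decrypt(self, record: tuple) -> bytes:
        kid, nonce, ciphertext = record
        return toy_encrypt(self.keys[kid][0], nonce, ciphertext)  # active or retired key

    def rekey(self, today: date, record: tuple) -> tuple:
        """Re-encrypt under the active key only once the record's key is past REKEY_AFTER."""
        if today - self.keys[record[0]][1] < REKEY_AFTER:
            return record
        return self.encrypt(today, self.decrypt(record))
```

A record carries the id of the key that encrypted it, which is what lets retired keys be looked up long after rotation.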

External Tokenization

  • data is tokenized using external functions before loading into Snowflake
  • an external UDF can be called at run-time to unmask the value.
    • The external UDF can be called directly, or as part of masking policy (requires EE or higher)
  • recommended: use SCIM to sync users and roles between Snowflake and the external tokenization provider (e.g. Protegrity)