July 11, 2022

How Do I Encrypt Snowflake Data With My Own Keys?

By Kenton Steiner

As we move deeper into the digital age, the amount of data we possess continues growing exponentially. In 2018, it was estimated that 2.5 quintillion bytes of data were being created every day, and that number only continues to grow. As a result, it becomes increasingly more critical to store and secure data properly, as it is estimated that hackers conduct attacks every 39 seconds. 

Every company today is faced with this same challenge of how to secure their data, whether it be related to users, products, services, employees, etc. This is where companies like the Snowflake Data Cloud have come in and developed solutions that will provide extra protection for you and your data. 

In this post, we’ll explain data encryption within Snowflake and give an explanation of how to implement customer managed encryption keys within the Snowflake Cloud Data Warehouse. 

How Does Snowflake Support Data Encryption?  

Snowflake supports encryption in a variety of ways. By default, all data (both at-rest and in transit) within Snowflake is automatically encrypted using the industry standard AES 256-bit encryption. Snowflake managed encryption keys are organized in a hierarchical structure, with the top level being a hardware security module to further isolate data. In order to provide an extra layer of security, Snowflake recommends encrypting your data prior to Snowflake loading and encrypting.

Snowflake also supports the use of customer-managed keys with Snowflake-managed keys in a feature called Tri-Secret Secure, a feature of the Business Critical edition of Snowflake. Tri-Secret Secure creates a master encryption key by combining the customer’s key with a Snowflake maintained key, which offers several distinct advantages. 

First, it allows you more control over access to your data within Snowflake.  If you disable access to the encryption key, Snowflake is blocked from being able to access and decrypt your data.  This can prove to be especially helpful in the second advantage: stopping data breaches. 

In the event of a breach, a customer can disable access to encryption keys, which blocks currently running queries from executing within Snowflake and prevents further access to the data. Lastly, it provides extra peace of mind through giving you full control of your data’s lifecycle. For highly sensitive data, you fully control all access and operations performed on your data through granting and revoking access to the encryption keys.  

Customer Managed Encryption Keys in Snowflake

As mentioned above, Snowflake uses a hierarchical structure to manage encryption keys, where parent keys encrypt all of their child keys. The bottom of this structure is each individual data file being encrypted with a separate key. 

A diagram that depicts the various encryption keys in Snowflake for securing data.

When using a customer managed encryption key to secure your data, it adds the KMS key to the top level along with the HSM. KMS stands for key management service, which is a service for creation, storing, and managing access to encryption keys.  

A hierarchy graphic that shows 5 bars, the top two bars are labeled, "Encrypted," the next level is "Decrypted" and the bottom bar is "Composed"

When working with your data, Snowflake will gather both the KMS and HSM keys, and use each to unwrap the AMK-C and AMK-S account keys as shown above. The logs in your KMS provider will show that the key was accessed, and then those two unwrapped keys will be combined in order to form the composed AMK, which unwraps the child keys which access the tables. This composed AMK will be cached in the warehouse in order to speed up performance on subsequent queries. 

Once the Tri-Secret Secure functionality is implemented in your Snowflake instance, all the control over your data is now returned to you. You are able to revoke Snowflake’s access to your KMS, which will cause the composed AMK to be removed from the cache, currently running queries will be aborted and no new queries will be able to be submitted until access is granted for Snowflake to be able to decrypt your data. 

If the key is tampered with or destroyed, all the data in your Snowflake account will be unreadable until the key is restored. Snowflake by default is built to handle temporary (up to 10 minutes) availability issues, such as network communication failures but after 10 minutes, if the key is still unavailable, then all data operations will be stopped until the access is restored. 

How to Enable Tri-Secret Secure

To enable Tri-Secret Secure on your Snowflake account, you must first utilize your provider’s key management service and create an encryption key. All three of the major cloud providers that can host your Snowflake account contain a key management service, AWS has AWS Key Management Service, Google has Cloud Key Management Service, and Microsoft Azure has Azure Key Vault.  

Once you have this key, you need to contact Snowflake support for them to verify you are running Business Critical edition or higher of Snowflake and for them to enable Tri-Secret Secure on your account with the key that you generated. With this feature enabled, your account encryption key hierarchy will now follow the structure outlined above. 

Tips and Reminders for Using Customer Managed Encryption keys 

  1. Customer-managed keys are a component of the Tri-Secret Secure feature of the Business Critical edition of Snowflake. Your account must be on the Business Critical edition or higher in order to utilize this feature.
  2. To enable Tri-Secret Secure on your account, you must first create an encryption key using your cloud provider’s KMS and then contact Snowflake Support for them to activate the feature
  3. Automated key rotation is not supported for Customer Managed Encryption Keys

Summary

Snowflake offers a variety of options for providing their customers with peace of mind when it comes to protecting sensitive data. Outside of industry standard algorithms and defaults, Snowflake manages encryption of all data within the platform, they also offer the ability to use customer managed encryption keys with Tri-Secret Secure on the Business Critical edition and higher. This gives full control over access to data back to the customer, allowing them to manage requests for data, mitigate breaches, and have full control over the data lifecycle. 

If you have any lingering Snowflake questions, or are curious about finding new ways to get more out of the platform, our Snowflake experts are happy to help! Feel free to browse our Snowflake services.

Data Coach is our premium analytics training program with one-on-one coaching from renowned experts.

Accelerate and automate your data projects with the phData Toolkit