AWS data file encryption

Snowflake supports either client-side encryption or server-side encryption. Either can be configured to decrypt files staged in S3 buckets.

  • Client-side encryption:

    • AWS_CSE: Requires a MASTER_KEY value. The master key must be a 128-bit or 256-bit key in Base64-encoded form.

      For more information, see the AWS documentation for client-side encryption. Note that for client-side encryption, Snowflake supports using a master key stored in Snowflake; using a master key stored in AWS Key Management Service (AWS KMS) is not supported.

  • Server-side encryption:

    • AWS_SSE_S3: Requires no additional encryption settings.

    • AWS_SSE_KMS: Accepts an optional KMS_KEY_ID value.

    For more information, see the AWS documentation for server-side encryption.

    Using AWS Key Management Service (KMS) to manage keys requires configuring an IAM policy. For information, see the KMS documentation.
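A pre-flight check for the settings listed above, added here as an example and not taken from the Snowflake documentation: it generates and validates a Base64 MASTER_KEY and builds the ENCRYPTION clause used in a CREATE STAGE statement, rejecting settings the chosen type does not take. The function names and the sample key ID in the comment are assumptions.

```python
import base64
import binascii
import secrets

# (required, optional) settings per encryption type, as listed above.
RULES = {
    "AWS_CSE": ({"MASTER_KEY"}, set()),
    "AWS_SSE_S3": (set(), set()),
    "AWS_SSE_KMS": (set(), {"KMS_KEY_ID"}),
}


def new_master_key(bits=256):
    """Generate a random client-side master key in Base64-encoded form."""
    if bits not in (128, 256):
        raise ValueError("master key must be 128 or 256 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def master_key_bits(value):
    """Return the decoded key size in bits; raise ValueError if unusable."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("MASTER_KEY is not valid Base64") from exc
    if len(raw) not in (16, 32):
        raise ValueError(f"MASTER_KEY is {len(raw) * 8} bits, need 128 or 256")
    return len(raw) * 8


def encryption_clause(enc_type, **settings):
    """Build ENCRYPTION = (...) after checking settings against RULES.

    Example: encryption_clause("AWS_SSE_KMS", KMS_KEY_ID="EXAMPLE-KEY-ID")
    where EXAMPLE-KEY-ID is a constructed placeholder.
    """
    if enc_type not in RULES:
        raise ValueError(f"unsupported encryption type: {enc_type}")
    required, optional = RULES[enc_type]
    given = set(settings)
    missing, extra = required - given, given - required - optional
    if missing or extra:
        raise ValueError(f"{enc_type}: missing={sorted(missing)} unexpected={sorted(extra)}")
    if any("'" in str(v) for v in settings.values()):
        raise ValueError("setting values must not contain single quotes")
    if "MASTER_KEY" in settings:
        master_key_bits(settings["MASTER_KEY"])  # enforce 128/256-bit Base64
    parts = [f"TYPE = '{enc_type}'"]
    parts += [f"{name} = '{value}'" for name, value in sorted(settings.items())]
    return "ENCRYPTION = (" + " ".join(parts) + ")"
```

A clause rendered for AWS_CSE contains the master key in clear text, so handle the resulting statement as a secret.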
