Understanding Tri-Secret Secure in Snowflake

Tri-Secret Secure combines a Snowflake-maintained key with a customer-managed key, held in the cloud provider platform that hosts your Snowflake account, to create a composite master key that protects your Snowflake data. The composite master key acts as an account master key and wraps all of the keys in the hierarchy; however, the composite master key never encrypts raw data.

If the customer-managed key in the composite master key hierarchy is revoked, your data can no longer be decrypted by Snowflake, providing a level of security and control above Snowflake’s standard encryption. This dual-key encryption model, together with Snowflake’s built-in user authentication, enables the three levels of data protection offered by Tri-Secret Secure.
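The dual-key model described above can be sketched as a conceptual model. This is an added example, not Snowflake's implementation. The page does not say how the two keys are combined, so the HKDF derivation, the HMAC-based stand-in cipher, and all function names here are assumptions.

```python
import hashlib, hmac, os

def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def composite_master_key(snowflake_key, customer_key):
    # Assumption: the two keys are combined with a KDF; neither half suffices alone.
    if customer_key is None:
        raise PermissionError("customer-managed key revoked")
    return hkdf(snowflake_key + customer_key, b"composite-master-key")

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Stand-in authenticated cipher (HMAC keystream + HMAC tag), not AES key wrap.
    nonce = os.urandom(16)
    ks = _keystream(hkdf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("unwrap failed: wrong or missing key")
    ks = _keystream(hkdf(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def store(snowflake_key, customer_key, raw):
    data_key = os.urandom(32)  # only this key ever encrypts raw data
    master = composite_master_key(snowflake_key, customer_key)
    return seal(master, data_key), seal(data_key, raw)  # (wrapped key, ciphertext)

def load(snowflake_key, customer_key, wrapped_key, ciphertext):
    master = composite_master_key(snowflake_key, customer_key)
    return unseal(unseal(master, wrapped_key), ciphertext)

if __name__ == "__main__":
    sf, cust = os.urandom(32), os.urandom(32)  # constructed sample keys
    wk, ct = store(sf, cust, b"constructed sample row")
    print(load(sf, cust, wk, ct))
```

The composite key only wraps the data key. With the customer-managed key revoked or replaced, the wrapped data key cannot be recovered, even though the Snowflake-maintained key and the ciphertext are intact.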

Attention

Before engaging with Snowflake to enable Tri-Secret Secure for your account, you should carefully consider your responsibility for safeguarding your key as mentioned in Customer-managed keys. If you have any questions or concerns, we are more than happy to discuss them with you.

Note that Snowflake also bears the same responsibility for the keys that we maintain. As with all security-related aspects of our service, we treat this responsibility with the utmost care and vigilance.

All of our keys are maintained under strict policies that have enabled us to earn the highest security accreditations, including SOC 2 Type II, PCI-DSS, HIPAA and HITRUST CSF.

Feature compatibility

The following features are not compatible with Tri-Secret Secure:

Enabling Tri-Secret Secure

To enable Snowflake Tri-Secret Secure for your Business Critical (or higher) account, please contact Snowflake Support.