Self-service Tri-Secret Secure in Snowflake

Using a dual-key encryption model together with Snowflake’s built-in user authentication enables three levels of data protection, known as Tri-Secret Secure. Tri-Secret Secure offers you a level of security and control above Snowflake’s standard encryption.

Our dual-key encryption model combines a Snowflake-maintained key and a customer-managed key (CMK) (which you create on the cloud provider platform that hosts your Snowflake account) to create a composite master key that protects your Snowflake data. This composite master key acts as an account master key by wrapping all of the keys in your account hierarchy. The composite master key is never used to encrypt raw data. For example, the composite master key wraps table master keys, which are used to derive file keys that encrypt the raw data.

Attention

Using the procedure in this topic, you will enable Tri-Secret Secure using Snowflake system functions. Before enabling Tri-Secret Secure for your account, carefully consider your responsibility for safeguarding your key, as mentioned in Customer-managed keys. If the CMK in the composite master key hierarchy is revoked, your data can no longer be decrypted by Snowflake. If you have any questions or concerns, contact Snowflake Support.

Note that Snowflake also bears the same responsibility for the keys that we maintain. As with all security-related aspects of our service, we treat this responsibility with the utmost care and vigilance.

All of our keys are maintained under strict policies that have enabled us to earn the highest security accreditations, including SOC 2 Type II, PCI-DSS, HIPAA and HITRUST CSF.

Feature compatibility

Hybrid tables are not compatible with Tri-Secret Secure.

You cannot use hybrid tables if your Snowflake account is enabled to use Tri-Secret Secure. Before using hybrid tables, verify whether your Snowflake account is enabled for Tri-Secret Secure by contacting Snowflake Support.

Self-service overview

You can use the Tri-Secret Secure self-service procedure to first register a CMK and then activate Tri-Secret Secure. If you decide to replace a CMK for use with Tri-Secret Secure, the self-service procedure informs you whether your new CMK is registered and activated. You can continue to use your account during the rekeying process.

Self-service provides these benefits to you:

  • Facilitates working with the key management service (KMS) service in the cloud platform that hosts your Snowflake account.

  • Streamlines the steps to register and authorize your CMK.

  • Provides transparency to your CMK registration and Tri-Secret Secure activation status.

  • Enables you to manage Tri-Secret Secure without any downtime of your Snowflake account.

Self-service procedure

This procedure works on all cloud provider platforms that Snowflake supports. See your specific cloud provider documentation for any steps taken on the cloud provider platform.

To create and register your CMK, and then activate Tri-Secret Secure, complete the following steps:

  1. On the cloud provider: Create a CMK.

    Do this step in the key management service (KMS) on the cloud platform that hosts your Snowflake account.

  2. In Snowflake: Call the SYSTEM$REGISTER_CMK_INFO system function.

    • This system function registers your CMK with your Snowflake account.

    • Double-check the system function arguments to make sure they are correct for the cloud platform that hosts your Snowflake account.

    • When you call the SYSTEM$REGISTER_CMK_INFO function, Snowflake sends an email message to account administrators who have a validated email address. The message notifies the account administrator when to call the SYSTEM$ACTIVATE_CMK_INFO function to activate Tri-Secret Secure.

    Important

    You must wait 72 hours before activating Tri-Secret Secure (step 6). If you attempt to activate Tri-Secret Secure during this waiting period, you will see an error message that advises you to wait.

  3. In Snowflake: Call the SYSTEM$GET_CMK_INFO system function.

    This system function returns the registration status and details for the CMK that you registered.

  4. In Snowflake: Call the SYSTEM$GET_CMK_CONFIG system function.

    This system function generates the information required for your cloud provider to allow Snowflake to access your CMK.

    Note

    If Microsoft Azure hosts your Snowflake account, you must pass the tenant_id value into the function.

  5. In Snowflake: Call the SYSTEM$VERIFY_CMK_INFO system function.

    This system function confirms connectivity between your Snowflake account and your CMK.

  6. In Snowflake: Call the SYSTEM$ACTIVATE_CMK_INFO system function.

    This system function activates Tri-Secret Secure with your registered CMK. This system function starts the rekeying process and generates an email message that notifies system administrators when the process finishes. The rekeying process can complete in under an hour, but might require up to 24 hours.

    Warning

    Snowflake uses the old CMK until the rekeying process completes. Do not remove access to the old CMK until receiving email notification that the rekeying process completed.

Viewing the status of your CMK

Optionally, you can call the SYSTEM$GET_CMK_INFO system function before or after completing the self-service procedure, to check the registration and activation status of your CMK. For example, calling SYSTEM$GET_CMK_INFO immediately after calling SYSTEM$ACTIVATE_CMK_INFO while Tri-Secret Secure is disabled returns is being activated, which indicates that rekeying is not complete. After the process completes, the SYSTEM$GET_CMK_INFO function output includes is activated. This means your Snowflake account is using Tri-Secret Secure with the CMK that you registered.

Changing the CMK for Tri-Secret Secure

The self-service process supports changing your CMK, based on your security needs. Use the same steps to register a new CMK as the steps that you followed to register your initial CMK. When you do those steps again using a new key, the output of the system functions differs. Read the output from each system function you call during the self-service procedure to confirm that you have changed your key. For example, When you change your CMK, calling the SYSTEM$GET_CMK_INFO function returns ...is being rekeyed....

Using Tri-Secret Secure self-service with automatic key rotation

If you use your cloud provider’s automatic key rotation feature to maintain the lifecycle of your Customer-managed keys, you can rekey with the latest version of your CMK, by calling the SYSTEM$ACTIVATE_CMK_INFO system function and providing the 'REKEY_SAME_CMK' argument.

Deactivating Tri-Secret Secure

To deactivate Tri-Secret Secure in your account, call the SYSTEM$DEACTIVATE_CMK_INFO system function.

Deregistering your current CMK

You can only register one CMK at a time with Tri-Secret Secure. When you register your CMK, if the SYSTEM$REGISTER_CMK_INFO function fails because a different CMK exists, call the SYSTEM$DEREGISTER_CMK_INFO system function, as prompted.

Integrating Tri-Secret Secure with AWS external key stores

Snowflake also supports integrating Tri-Secret Secure with AWS external key stores to securely store and manage a customer-managed key outside AWS. Snowflake officially tests and supports only Thales HSM and Thales CCKM data encryption products. For more information about setting up and configuring Tri-Secret Secure with Thales solutions, see How to use Thales External Key Store for Tri-Secret Secure on an AWS Snowflake account.

Language: English