AWS Data File Encryption¶
Snowflake supports either client-side encryption or server-side encryption. Either can be configured to decrypt files staged in S3 buckets.
Client-side encryption:
AWS_CSE: Requires a MASTER_KEY value. The master key must be a 128-bit or 256-bit key in Base64-encoded form.
For more information, see the AWS documentation for client-side encryption. Note that for client-side encryption, Snowflake supports using a master key stored in Snowflake; using a master key stored in AWS Key Management Service (AWS KMS) is not supported.
Server-side encryption:
AWS_SSE_S3: Requires no additional encryption settings.
AWS_SSE_KMS: Accepts an optional KMS_KEY_ID value.
For more information, see the AWS documentation for server-side encryption.
Using AWS Key Management Service (KMS) to manage keys requires configuring an IAM policy. For information, see the KMS documentation.
Next: Creating an S3 Stage