Understanding Tri-Secret Secure in Snowflake

Tri-Secret Secure is the combination of a Snowflake-maintained key and a customer-managed key in the cloud provider platform that hosts your Snowflake account to create a composite master key to protect your Snowflake data. The composite master key acts as an account master key and wraps all of the keys in the hierarchy; however, the composite master key never encrypts raw data.

If the customer-managed key in the composite master key hierarchy is revoked, your data can no longer be decrypted by Snowflake, providing a level of security and control above Snowflake’s standard encryption. This dual-key encryption model, together with Snowflake’s built-in user authentication, enables the three levels of data protection offered by Tri-Secret Secure.

Attention

Before engaging with Snowflake to enable Tri-Secret Secure for your account, you should carefully consider your responsibility for safeguarding your key as described in Customer-managed keys. If you have any questions or concerns, contact Snowflake Support.

Note that Snowflake also bears the same responsibility for the keys that we maintain. As with all security-related aspects of our service, we treat this responsibility with the utmost care and vigilance.

All of our keys are maintained under strict policies that have enabled us to earn the highest security accreditations, including SOC 2 Type II, PCI-DSS, HIPAA and HITRUST CSF.

Feature compatibility

The following features are not compatible with Tri-Secret Secure:

Self-registration overview

You can use the CMK self-registration process to register and activate a CMK for use with Tri-Secret Secure. Additionally, if you decide to replace a CMK for use with Tri-Secret Secure, the self-registration process informs you whether your new CMK is registered and activated. After you complete the self-registration process, you can contact Snowflake Support to enable your Snowflake account to use Tri-Secret Secure.

The self-registration process provides these benefits to you:

  • Streamlines the steps to register and authorize your CMK.

  • Provides transparency to the status of your CMK registration and activation with Tri-Secret Secure.

  • Facilitates working with the key management service (KMS) in the cloud platform that hosts your Snowflake account.

  • Enables you to rotate your CMK along with registering the new CMK for use with Tri-Secret Secure.

Self-registration procedure

The self-registration process is as follows:

  1. As the customer, do the following:

    1. Create the CMK.

    2. Register the CMK.

    3. Generate information for the cloud provider.

    4. Apply the KMS policy.

    5. Confirm the connectivity between your Snowflake account and your CMK.

    6. Contact Snowflake Support to enable your Snowflake account to use Tri-Secret Secure.

  2. Snowflake Support enables your Snowflake account to use Tri-Secret Secure based on the CMK that you register.

The steps in this section avoid platform-specific terms like “Amazon Resource Name” (ARN) to keep the procedure cloud agnostic. The steps are the same regardless of the cloud platform that hosts your Snowflake account. However, the system function arguments for some of the steps differ because each cloud platform's KMS is different.

Complete the following steps to self-register your CMK for use with Tri-Secret Secure:

  1. In the KMS service on the cloud platform that hosts your Snowflake account, create a CMK.

  2. In Snowflake, call the SYSTEM$REGISTER_CMK_INFO system function to register your CMK with the KMS integration.

    Double-check the system function arguments for the cloud platform that hosts your Snowflake account.

  3. Call the SYSTEM$GET_CMK_INFO system function to view the details for the CMK that you registered.

  4. Call the SYSTEM$GET_CMK_CONFIG system function to generate the required information for the cloud provider.

    The generated output is the KMS policy that allows Snowflake to access your CMK; apply it to the key in your cloud provider's KMS.

    If your Snowflake account is on Microsoft Azure, pass the tenant_id value into the function.

  5. Call the SYSTEM$VERIFY_CMK_INFO system function to confirm the connectivity between your Snowflake account and your CMK.

  6. Contact Snowflake Support and request that your Snowflake account be enabled to use Tri-Secret Secure.

    Be sure to mention the specific account that you want to use with Tri-Secret Secure.
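The in-Snowflake part of the procedure above, as an added example that is not part of this page's documentation: the system function names come from the steps, but the placeholders in angle brackets are constructed, and the argument lists assumed for SYSTEM$REGISTER_CMK_INFO and SYSTEM$GET_CMK_CONFIG must be checked against the reference for the cloud platform that hosts your account. Re-running the same calls with a new key identifier is the replacement flow described later on this page.

```sql
-- Added example (not Snowflake's own documentation): self-registration calls in order.
-- <...> values are constructed placeholders. The argument forms of
-- SYSTEM$REGISTER_CMK_INFO and SYSTEM$GET_CMK_CONFIG are assumptions;
-- confirm them for your cloud platform before running.

-- Step 2: register the CMK created in your cloud KMS with the KMS integration.
-- Assumed form: cloud provider name, then the key identifier for that platform.
SELECT SYSTEM$REGISTER_CMK_INFO('<CLOUD_PROVIDER>', '<KEY_IDENTIFIER>');

-- Step 3: view the registered key and its status (the key should appear as
-- registered, not yet activated, at this point).
SELECT SYSTEM$GET_CMK_INFO();

-- Step 4: generate the KMS policy that grants Snowflake access to the key;
-- apply the returned policy to the key in your cloud provider's KMS.
SELECT SYSTEM$GET_CMK_CONFIG();
-- On Microsoft Azure, pass the tenant ID instead (stated on this page).
-- SELECT SYSTEM$GET_CMK_CONFIG('<TENANT_ID>');

-- Step 5: confirm that Snowflake can reach the key now that the policy is applied.
-- Fix the policy and re-run this call until it succeeds before contacting Support.
SELECT SYSTEM$VERIFY_CMK_INFO();

-- After Snowflake Support enables Tri-Secret Secure, repeat step 3 and check
-- that the output reports the CMK as activated.
SELECT SYSTEM$GET_CMK_INFO();
```

Run the calls as a role that is allowed to execute these system functions, and keep the outputs of steps 3 and 5 with your change record: they are the evidence that the registered key, and not an earlier one, is the key Support activated.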

Tip

After you contact Snowflake support, you can call the SYSTEM$GET_CMK_INFO system function to view the enablement status.

Once Snowflake Support enables your Snowflake account to use Tri-Secret Secure, the output of the SYSTEM$GET_CMK_INFO function includes a status indicating that the CMK is activated. This means your Snowflake account is using Tri-Secret Secure with the CMK that you registered.

Setting a different CMK for Tri-Secret Secure

The self-registration process lets you register a different CMK based on your security needs. The process to register a new CMK is the same as the self-registration process that you followed to register and activate your initial CMK.

You can complete the self-registration process to update or replace the CMK used with Tri-Secret Secure at any time. When you go through the self-registration process again with a new key, the outputs of the system functions differ from the first run, because you already have a CMK that is registered and in use with Tri-Secret Secure while you are enabling a new one. For details, see the possible outputs for each system function.

Integrating Tri-Secret Secure with AWS external key stores

Snowflake also supports integrating Tri-Secret Secure (TSS) with AWS external key stores to securely store and manage a customer-managed key (CMK) outside AWS. Snowflake officially tests and supports only Thales HSM and Thales CCKM data encryption products. For more information about setting up and configuring TSS with Thales’ solutions, see How to use Thales External Key Store for Tri-Secret Secure on an AWS Snowflake account.