Skip to content
  • AT SNOWFLAKE
  • Industry solutions
  • Partner & Customer Value
  • Product & Technology
  • Strategy & Insights
Languages
  • Deutsch
  • English
  • Français
  • Italiano
  • 日本語
  • 한국어
  • Português
  • Español
  • Deutsch
  • English
  • Français
  • Italiano
  • 日本語
  • 한국어
  • Português
  • Español
  • AT SNOWFLAKE
  • Industry solutions
  • Partner & Customer Value
  • Product & Technology
  • Strategy & Insights
  • Deutsch
  • English
  • Français
  • Italiano
  • 日本語
  • 한국어
  • Português
  • Español
  • Übersicht
    • Warum Snowflake
    • Kunden-Stories
    • Partner
    • Services
  • Übersicht
    • Data Cloud
    • Die Plattform im Überblick
    • Snowflake Marketplace
    • Powered by Snowflake
    • Live Demo
  • Workloads
    • Collaboration
    • Data Science & ML
    • Cybersecurity
    • Applications
    • Data Warehouse
    • Data Lake
    • Data Engineering
    • Unistore
  • Preise
    • Preise
  • Für Branchen
    • Werbung, Medien und Unterhaltung
    • Finanzdienstleistungen
    • Gesundheitswesen und Life Sciences
    • Fertigungsindustrie
    • Öffentlicher Dienst und Verwaltung
    • Handel und Verbrauchsgüter
    • Technologie
  • Lernen
    • Bibliothek
    • Dokumentation
    • Virtuelle Praxis-Workshops
    • Training
  • Erleben
    • Blog
    • Community
    • Veranstaltungen
    • Webinare
    • Podcast
  • Übersicht
    • Über Snowflake
    • Investor Relations
    • Unternehmensführung und Vorstand
    • Karriere
Author
Martin Hentschel
Share
Subscribe
Mai 11, 2017

Data Encryption with Customer-Managed Keys

  • Produkt & Technologie
    • Cybersecurity
Data Encryption with Customer-Managed Keys

The security of customer data is Snowflake’s first priority. All customer data is encrypted using industry-standard techniques such as AES-256. Encryption keys are organized hierarchically, rooted in a hardware security module (HSM). This allows complete isolation of customer data and greatly reduces the attack vectors.

For customers with the highest security requirements, we are adding another security component: customer-managed keys. With customer-managed keys, the customer manages the encryption key and makes it available to Snowflake. The customer has full control over this key. If the customer disables access to the encryption key, Snowflake can no longer access the customer’s data. Your data. Your encryption keys.

In this blog post, we will explain the benefits of customer-managed keys and their implementation in the Snowflake cloud data warehouse.

Benefits

Customer-managed keys provide the following benefits:

More Control over Data Access: Customer-managed keys make it impossible for Snowflake to comply with requests to access customer data. If data is encrypted using customer-managed keys and the customer disables access to the encryption key, it is technically impossible for Snowflake to decrypt the data. It is therefore the customer’s responsibility to comply with such requests directly.

Stop Data Breaches: If a customer experiences a data breach, they may disable access of customer-managed keys to Snowflake. This will halt all running queries in Snowflake, including queries that may inspect data or unload data. Disabling customer-managed keys allows customers to stop ongoing exfiltration of their data.

More Control over Data Lifecycle: The last reason why customers require this feature is lack of trust with any cloud provider. Customers may have sensitive data that they do not trust Snowflake to manage on their own. Using customer-managed keys, such sensitive data is ultimately encrypted with the customer’s key. It is impossible for Snowflake to decrypt this data without the customer’s consent. The customer has full control over the data’s lifecycle.

Implementation

Before we explain the implementation of customer-managed keys, we should first give a background of Snowflake’s key hierarchy and Amazon’s key management service.

Background 1: Snowflake’s Key Hierarchy

Snowflake manages encryption keys hierarchically. Within this key hierarchy, a parent key encrypts all of its child keys. When a key encrypts another key, it is called „wrapping“. When the key is decrypted again, it is called „unwrapping“.

Encryption key hierarchy - Snowflake

Figure 1: Encryption key hierarchy in Snowflake.

Figure 1 shows Snowflake’s hierarchy of encryption keys. The top-most root keys are stored in a hardware security module (or CloudHSM). A root key wraps account master keys. Each account master key corresponds to one customer account in Snowflake. Account master keys, in turn, wrap all data-level keys, including table master keys, stage master keys, and result master keys. In addition, every single data file is encrypted with a separate key. A detailed overview of Snowflake’s encryption key management is provided in this Blog post.

Background 2: AWS Key Management Service

Amazon’s AWS Key Management Service (KMS) is a service to store encryption keys and tightly control access to them. Amazon provides an audit log of all operations and interactions with KMS by using CloudTrail. This allows customers to manage their own encryption keys and validate their usage via the audit log. KMS also allows customers to disable access to any keys at any time. Combining KMS with Snowflake’s encryption key hierarchy allows us to implement customer-managed keys. More details about AWS KMS can be found on the Amazon website.

Implementation of Customer-Managed Keys

The implementation of customer-managed keys changes the way account master keys (AMKs) are stored within Snowflake’s encryption key hierarchy. Normally, as shown in Figure 1 above, an AMK is wrapped by the root key stored in CloudHSM. For customer-managed keys, this is only partly true. There are two AMKs involved: a first key is wrapped by the root key stored in the CloudHSM and a second key is wrapped by the customer key in KMS. Unwrapping and combining these two keys leads to the composed account master key, which then wraps and unwraps all underlying keys in the hierarchy (table master keys, result master keys, etc.).

Account master key - Customer-Managed Keys

Figure 2: Account master key composed of AMK-S and AMK-C. AMK-C is wrapped by KMS.

Figure 2 shows this concept in detail. With customer-managed keys, the AMK is composed of two keys: AMK-S and AMK-C. AMK-S is a random 256-bit key that is wrapped with the root key stored in HSM. AMK-C is a second random 256-bit key that is wrapped with the customer key stored in KMS. AMK-S and AMK-C are completely random and unrelated. Both wrapped keys are stored in Snowflake’s encryption key hierarchy.

Figure 3: Unwrapping and composing of AMK.

When the customer runs a query in Snowflake that requires access to customer data, the composed AMK is produced as follows (see Figure 3). Both wrapped keys, AMK-S and AMK-C, are retrieved from the encryption key hierarchy. AMK-S is unwrapped using the root key in HSM. AMK-C is unwrapped using the customer key in KMS. The KMS audit log logs an access event to the customer key. Both unwrapped keys are combined to form the composed AMK. The composed AMK is then used to unwrap the underlying table master keys to access the customer data.

The composed AMK is cached within the Snowflake data warehouse for performance reasons. This cache has a timeout period after which the cached AMK is not accessible anymore. The cache is refreshed in the background such that continuous queries are not impacted by any latency to KMS. If access to KMS is revoked, refreshing the cache fails and the AMK is removed from the cache immediately. Any running queries are aborted. New queries fail to start because no AMK can be composed. The customer’s data can no longer be decrypted by the Snowflake service.

Summary

Customer-managed keys provide an extra level of security for customers with sensitive data. With this feature, the customer manages the encryption key themselves and makes it accessible to Snowflake. If the customer decides to disable access, data can no longer be decrypted. In addition, all running queries are aborted. This has the following benefits for customers: (a) it makes it technically impossible for Snowflake to comply with requests for access to customer data, (b) the customer can actively mitigate data breaches and limit data exfiltration, and (c) it gives the customer full control over data lifecycle.

Availability

Customer-managed keys are a primary component of Tri-Secret Secure, a Business Critical edition feature. To enable Tri-Secret Secure for your ESD account, you need to first create a key in AWS KMS (in your AWS account) and then contact Snowflake Support.

Acknowledgements

We want to thank Difei Zhang for his contributions to this project.

For more information, please feel free to reach out to us at: [email protected]. We would love to help you on your journey to the cloud. And keep an eye on this blog or follow us on Twitter (@snowflakedb) to keep up with all the news and developments here at Snowflake Computing.

Share

The Data Cloud for Dummies

Learn how to build and transform your business.

Read More

Encryption Key Management in Snowflake

To protect customer data, Snowflake uses strong AES 256-bit encryption key management rooted in AWS CloudHSM. Here's how we...

Have a look
Weiterlesen

Data Encryption with Customer-Managed Keys for Azure

In 2017, Snowflake announced support for customer-managed keys using AWS Key Management Service (KMS). These keys, created...

More
Weiterlesen

JSON Examples

JSON examples include global social media apps that benefit from easy data transmission.

Expand your knowledge
Weiterlesen

Data-Driven Demand Forecasting in Manufacturing

Accurate demand forecasting is essential to a healthy manufacturing operation, helping to improve production planning, inventory management, and resource allocation.

Find Out More
Weiterlesen
Snowflake Inc.
  • PLATTFORM
    • Cloud-Data-Plattform
    • Architektur
    • Preise
    • Data Marketplace
  • LÖSUNGEN
    • Snowflake für das Gesundheitswesen und Life Sciences
    • Snowflake für Finanzdienstleistungen
    • Snowflake für Marketing Analytics
    • Snowflake für den Einzelhandel
    • Snowflake für Bildungseinrichtungen
  • RESSOURCEN
    • Ressourcenbibliothek
    • Webinare
    • Dokumentation
    • Community
    • Rechtliches
  • ENTDECKEN
    • Aktuelles
    • Blog
    • Aktuelle Trends
  • UNTERNEHMEN
    • Über Snowflake
    • Unternehmensführung und Vorstand
    • Partner
    • Karriere
    • Kontakt

Sign up for Snowflake Communications

Thanks for signing up!

  • Privacy Notice
  • Site Terms
  • Cookie Settings

© 2023 Snowflake Inc. All Rights Reserved