Data Encryption with Customer-Managed Keys for Azure

In 2017, Snowflake announced support for customer-managed keys using AWS Key Management Service (KMS). These keys, created and controlled by the Snowflake customer, are used as part of the data encryption key for all data within a customer’s account.

Today, we are announcing the availability of data encryption with customer-managed keys for Snowflake on Azure. As a component of Tri-Secret Secure that is available on Snowflake Business Critical (BC) edition, customer-managed keys provide additional layers of security that allow highly security-sensitive customers to manage Snowflake’s ability to encrypt and decrypt their data. When customers use customer-managed keys, they can revoke Snowflake’s access to use their key at any time, making it impossible for Snowflake to read or write data in their account. You can learn more about data encryption with customer-managed keys in this blog post.

Azure Key Vault

Customer-managed keys for Snowflake on Azure use keys defined in Azure Key Vault. The Azure Key Vault service creates and stores encryption keys, controls access to them, and performs cryptographic operations with those keys on the caller's behalf. Azure Key Vault also provides auditing and logging of key usage. RSA keys can be generated by Azure Key Vault or imported from another source. HSM-protected keys are held in a hardware security module (HSM) and, once created or imported, cannot be exported from Azure Key Vault.

To enable data encryption with customer-managed keys for Azure, customers create a 4096-bit RSA key in their own Azure tenant. They then grant a Snowflake service principal in their tenant permission to use that key for wrapping, unwrapping, signing, and verifying. To disable key usage, the customer removes the permission to perform cryptographic operations, or revokes all privileges from the Snowflake service principal. Snowflake caches the derived key for a short period to ride out brief service interruptions; once that period has elapsed, data remains inaccessible for as long as the Snowflake service principal lacks key usage privileges. When the privileges are restored, data is encrypted and decrypted as normal again.

Enabling data encryption on your account

To enable data encryption with customer-managed keys for Azure on your Snowflake Business Critical (BC) account, you need to create an Azure Key Vault that you will give Snowflake permission to use. We recommend that your Azure Key Vault contain only the specific key you wish to share with us. 
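The Azure side of the setup described above (a dedicated vault, one HSM-protected 4096-bit RSA key, and a grant/revoke/restore cycle for the Snowflake service principal) as an added Azure CLI example. This is not code from the post or Snowflake's own tooling. The vault and key names, resource group, region and the service principal's object ID are placeholders; enabling purge protection, pinning the vault to the access-policy permission model, and limiting the key's own permitted operations are additions of mine, not steps the post lists. Setting `AZ=echo` previews the commands without an Azure subscription.

```shell
#!/bin/sh
# Added example (not Snowflake's code): Azure CLI provisioning for a
# dedicated Key Vault holding the single RSA key shared with Snowflake.
# All names below are placeholders. Override AZ (e.g. AZ=echo) to print
# the commands instead of running them.

AZ="${AZ:-az}"

# One vault, one key, nothing else in it. Premium SKU so the key can be
# HSM-protected. Purge protection is my addition: if the key is deleted
# and purged, every byte of the account's data becomes unrecoverable.
# The access-policy model (not RBAC) is forced explicitly because newer
# CLI versions default new vaults to RBAC, where set-policy does not apply.
create_dedicated_vault() {
    vault="$1"; rg="$2"; location="$3"
    "$AZ" keyvault create \
        --name "$vault" \
        --resource-group "$rg" \
        --location "$location" \
        --sku premium \
        --enable-rbac-authorization false \
        --enable-purge-protection true
}

# 4096-bit RSA key generated inside the HSM, with its permitted operations
# restricted to the four the post says Snowflake is granted.
create_snowflake_key() {
    vault="$1"; key="$2"
    "$AZ" keyvault key create \
        --vault-name "$vault" \
        --name "$key" \
        --kty RSA-HSM \
        --size 4096 \
        --ops wrapKey unwrapKey sign verify
}

# Grant the Snowflake service principal (object ID from your own tenant)
# only the cryptographic operations: no get, list, delete or purge.
grant_snowflake_access() {
    vault="$1"; sp_object_id="$2"
    "$AZ" keyvault set-policy \
        --name "$vault" \
        --object-id "$sp_object_id" \
        --key-permissions wrapKey unwrapKey sign verify
}

# Revoke by removing the principal's policy entirely. Snowflake keeps
# working only until its cached derived key expires; after that reads and
# writes fail until grant_snowflake_access is run again.
revoke_snowflake_access() {
    vault="$1"; sp_object_id="$2"
    "$AZ" keyvault delete-policy \
        --name "$vault" \
        --object-id "$sp_object_id"
}

# Full provisioning sequence. Invoke explicitly, e.g.:
#   provision_tri_secret kv-snowflake-cmk rg-snowflake eastus snowflake-cmk <sp-object-id>
provision_tri_secret() {
    create_dedicated_vault "$1" "$2" "$3"
    create_snowflake_key "$1" "$4"
    grant_snowflake_access "$1" "$5"
}
```

Restoring access after a revocation is simply `grant_snowflake_access` again with the same object ID; the derived-key cache means a revocation is only guaranteed to take effect once that short window has passed, so treat revoke as a deliberate, audited action rather than a routine toggle.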

Contact Snowflake support for help getting started.
