Understanding end-to-end encryption in Snowflake


Alejandro Penzini Answered question December 20, 2023

End-to-End Encryption in Snowflake: Your Data, Always Secure
What is it?

End-to-end encryption (E2EE) in Snowflake safeguards your data at every step, from your device to Snowflake and back. No one intercepts or sees your data in plain text, minimizing security risks.

How it works:

Data Upload:
- Upload data files to either Snowflake's internal stage (automatically encrypted) or your own external stage on a cloud storage service (optional client-side encryption recommended).

Data Processing:
- Snowflake encrypts data files uploaded to external stages.
- All data at rest remains encrypted in Snowflake's secure cloud storage.
- Transformations and operations on data happen in an encrypted state, and the data is re-encrypted upon completion.

Data Output:
- Unload query results to either an internal or external stage, with optional client-side encryption for external stages.
- Downloaded data files remain encrypted until decrypted on your device.

Client-Side Encryption:

This optional layer adds another security blanket for data in external stages:

- You create a secret master key shared with Snowflake.
- Your cloud storage service client encrypts data with a random key, then encrypts that key with your master key.
- Both encrypted files are uploaded to the cloud storage service.
- Downloading involves decrypting the random key with your master key, then using it to decrypt the data file – all on your device.

Ingesting Client-Side Encrypted Data:

- Create a named stage object in Snowflake with the CREATE STAGE command, specifying the cloud storage service, credentials, and your Base64-encoded master key as the MASTER_KEY parameter.
- Load data from the stage into your Snowflake tables like usual.


- Stronger data security throughout its journey.
- Reduced attack surface by minimizing exposure to unencrypted data.
- Flexibility to use any client or tool supporting client-side encryption.
- Named stage objects simplify data access control without revealing encryption keys.


Snowflake always encrypts data at rest and in transit, with an additional layer through client-side encryption (optional).

- You control your secret master key for client-side encryption.
- Snowflake adheres to the specific client-side encryption protocol of your chosen cloud storage service.
- With E2EE in Snowflake, your data enjoys maximum protection, empowering you to focus on valuable insights, not security worries.

Alejandro Penzini Answered question December 20, 2023
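
The client-side encryption steps described in the answer above (a random per-file key encrypts the data, the master key encrypts that key, and download reverses both on the client) can be sketched as follows. This is an added example, not code from the answer, from Snowflake, or from any cloud storage SDK. The function names, the 32-byte master key, and the AES-256-GCM layout `nonce | tag | ciphertext` are assumptions of this sketch, not the wire format of a real storage client.

```javascript
const crypto = require('crypto');

// AES-256-GCM. Output layout (an assumption of this sketch):
// nonce (12 bytes) | auth tag (16 bytes) | ciphertext
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverses seal(); throws if the key is wrong or any byte was modified.
function open(key, sealed) {
  if (sealed.length < 28) throw new Error('sealed data too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Upload side: a random per-file data key encrypts the file, and the
// master key encrypts (wraps) that data key. Both outputs go to the stage.
function encryptForStage(masterKeyB64, file) {
  const master = Buffer.from(masterKeyB64, 'base64');
  if (master.length !== 32) throw new Error('master key must be 32 bytes');
  const dataKey = crypto.randomBytes(32);
  return { encryptedFile: seal(dataKey, file), wrappedKey: seal(master, dataKey) };
}

// Download side: unwrap the data key with the master key, then decrypt
// the file with it. Everything happens on the client.
function decryptFromStage(masterKeyB64, { encryptedFile, wrappedKey }) {
  const master = Buffer.from(masterKeyB64, 'base64');
  const dataKey = open(master, wrappedKey);
  return open(dataKey, encryptedFile);
}

// Constructed sample: a freshly generated Base64 master key and a tiny CSV.
const masterKeyB64 = crypto.randomBytes(32).toString('base64');
const staged = encryptForStage(masterKeyB64, Buffer.from('id,amount\n1,9.50\n'));
console.log(decryptFromStage(masterKeyB64, staged).toString());
```

The storage service only ever holds `encryptedFile` and `wrappedKey`; without the master key neither can be opened, and a modified byte in either one makes decryption fail instead of returning altered data.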
