Tri-Secret Secure in Snowflake

Tri-Secret Secure overview

Using a dual-key encryption model together with Snowflake's built-in user authentication enables three levels of data protection, known as Tri-Secret Secure. Tri-Secret Secure offers you a level of security and control above Snowflake's standard encryption.

Our dual-key encryption model combines a Snowflake-maintained key and a customer-managed key (CMK), which you create on the cloud provider platform that hosts your Snowflake account. The model creates a composite master key that protects your Snowflake data. This composite master key acts as an account master key by wrapping all of the keys in your account hierarchy. The composite master key is never used to encrypt raw data. For example, the composite master key wraps table master keys, which are used to derive file keys that encrypt the raw data.

Note

Before engaging with Snowflake to enable Tri-Secret Secure for your account, carefully consider your responsibility for safeguarding your key, as described in Customer-managed keys. If the customer-managed key (CMK) in the composite master key hierarchy is revoked, Snowflake can no longer decrypt your data.

If you have any questions or concerns, contact Snowflake Support.

Snowflake also bears the same responsibility for the keys that we maintain. As with all security-related aspects of our service, we treat this responsibility with the utmost care and vigilance.

We maintain all keys under strict policies, which enables us to attain the highest security certifications, including SOC 2 Type II, PCI-DSS, HIPAA, and HITRUST CSF.

Tri-Secret Secure compatibility with hybrid tables

If you plan to create hybrid tables in your account and have enabled, or will enable, TSS, you must enable dedicated storage mode. For information, see Dedicated storage mode for hybrid tables with TSS.

Understanding CMK self-registration with support activation of Tri-Secret Secure

You can register a CMK for use with Tri-Secret Secure using Snowflake system functions. If you decide to replace a CMK for use with Tri-Secret Secure, the SYSTEM$GET_CMK_INFO function informs you whether your new CMK is registered and activated. After you self-register your CMK, you can contact Snowflake Support to enable your Snowflake account to use Tri-Secret Secure with your CMK.

CMK self-registration with support activation provides the following benefits to you:

  • Simplifies the steps to register and authorize a CMK.

  • Provides transparency into the registration and activation status of your CMK with Tri-Secret Secure.

  • Facilitates working with the key management service (KMS) in the cloud platform that hosts your Snowflake account.

  • Enables you to rotate your CMK and register the new CMK for use with Tri-Secret Secure.

The following list shows how CMK self-registration with support activation works:

  1. As the customer, you do the following actions:

    1. Create a CMK.

    2. Register the CMK.

    3. Generate the information for the cloud provider.

    4. Apply the KMS policy.

    5. Confirm the connectivity between your Snowflake account and the CMK.

    6. Contact Snowflake Support to enable your Snowflake account to use Tri-Secret Secure.

  2. Snowflake Support enables your Snowflake account to use Tri-Secret Secure based on the CMK that you registered.

The steps in the following section avoid cloud-specific terms such as Amazon Resource Name (ARN) to keep the procedure cloud agnostic. The steps are the same regardless of the cloud platform that hosts your Snowflake account. However, the system function arguments for some of the steps differ, because each cloud platform's key management service is different.

Self-register a CMK

To self-register your CMK for use with Tri-Secret Secure, complete the following steps:

  1. On the cloud provider, create a CMK.

    Do this step in the key management service (KMS) on the cloud platform that hosts your Snowflake account.

  2. In Snowflake, call the SYSTEM$REGISTER_CMK_INFO system function to register the CMK with the KMS integration.

    Carefully check the system function arguments for the cloud platform that hosts your Snowflake account.

  3. In Snowflake, call the SYSTEM$GET_CMK_INFO system function to view the details for the CMK that you registered.

  4. In Snowflake, call the SYSTEM$GET_CMK_CONFIG system function to generate the required information for the cloud provider.

    The generated information is the KMS policy that allows Snowflake to access your CMK.

    Note

    If Microsoft Azure hosts your Snowflake account, you must pass the tenant_id value into the function.

  5. In Snowflake, call the SYSTEM$VERIFY_CMK_INFO system function to confirm the connectivity between your Snowflake account and your CMK.

  6. Contact Snowflake Support and request that your Snowflake account be enabled to use Tri-Secret Secure.

    Be sure to mention the specific account that you want to use with Tri-Secret Secure.
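Steps 2 through 5 above, followed by the status checks described later on this page, as one SQL session. This is an added example, not code from the Snowflake documentation: the function names are the ones the steps name, but the argument lists are assumptions (shown as angle-bracket placeholders), so confirm them in the function reference for the cloud platform that hosts your account before running anything.

```sql
-- Added example, not Snowflake's own code. Placeholders in <angle brackets>
-- are assumptions; the exact argument list differs by cloud platform.
USE ROLE ACCOUNTADMIN;  -- assumption: an administrator role runs these calls

-- Step 2: register the CMK you created in the cloud provider's KMS.
SELECT SYSTEM$REGISTER_CMK_INFO('<cloud_platform>', '<cmk_key_identifier>');

-- Step 3: review what was registered before touching the cloud side.
SELECT SYSTEM$GET_CMK_INFO();

-- Step 4: generate the KMS policy that grants Snowflake access to the CMK.
SELECT SYSTEM$GET_CMK_CONFIG();
-- Azure-hosted accounts must pass the tenant ID instead:
-- SELECT SYSTEM$GET_CMK_CONFIG('<tenant_id>');

-- Apply the returned policy to the key in the cloud provider's KMS,
-- then Step 5: verify that Snowflake can reach the CMK.
SELECT SYSTEM$VERIFY_CMK_INFO();

-- Step 6 is a Snowflake Support request, not a SQL call. Once Support has
-- activated Tri-Secret Secure, poll the status. The returned text includes:
--   ...is being activated...  rekeying is still in progress
--   ...is activated...        the account now uses TSS with this CMK
--   ...is being rekeyed...    a replacement CMK is being rolled in
SELECT SYSTEM$GET_CMK_INFO();

-- Never revoke or delete the registered key in the KMS while it is active:
-- without it, Snowflake can no longer decrypt the account's data.
```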

If you want to enable private connectivity for a CMK that is already activated with Tri-Secret Secure, see Enable a private connectivity endpoint for an active CMK for more information.

View the status of your CMK

You can call SYSTEM$GET_CMK_INFO at any time to check the registration and activation status of your CMK.

For example, depending on when you call SYSTEM$GET_CMK_INFO, the function returns the following output:

  • Immediately after Tri-Secret Secure is activated, the function returns output that includes ...is being activated.... This means that rekeying isn't complete yet.

  • After the Tri-Secret Secure activation process completes, the function returns output that includes ...is activated.... This means that your Snowflake account is using Tri-Secret Secure with the CMK that you registered.

Change the CMK for Tri-Secret Secure

Snowflake system functions support changing your customer-managed key (CMK), based on your security needs. Use the same steps to register a new CMK as the steps that you followed to register your initial CMK. When you complete those steps again by using a new key, the output of the system functions differs. Read the output from each system function that you call during self-registration to confirm that you have changed your key. For example, when you change your CMK, calling the SYSTEM$GET_CMK_INFO function returns a message that contains ...is being rekeyed....

Integrate Tri-Secret Secure with AWS external key stores

Snowflake supports integrating Tri-Secret Secure with AWS external key stores to securely store and manage a customer-managed key outside AWS. Snowflake officially tests and supports only Thales Hardware Security Modules (HSM) and Thales CipherTrust Cloud Key Manager (CCKM) data encryption products.

For more information about setting up and configuring Tri-Secret Secure with Thales solutions, see How to use Thales External Key Store for Tri-Secret Secure on an AWS Snowflake account (https://community.snowflake.com/s/article/thales-xks-for-tss-aws#e3).
