"Tri-Secret Secure is Snowflake's advanced encryption model that blends:
- Snowflake-managed key (platform root key)
- Customer-managed key (CMK) hosted in the cloud provider's KMS
- User authentication
Together, these form a composite master key that wraps all keys in Snowflake's encryption hierarchy. Importantly, this composite key never encrypts raw data directly; it wraps lower-level keys like table master keys, which in turn derive file-level encryption keys."
"The real power of TSS lies in revocation control. If a customer revokes their CMK, Snowflake loses the ability to decrypt data even though its own key remains intact. This gives customers a kill switch for their data, adding a layer of control beyond standard encryption.
Key Benefits
- Data Sovereignty: Customers retain control over encryption keys.
- Compliance Alignment: Supports frameworks like PCI-DSS, HIPAA, and HITRUST.
- Operational Transparency: Self-registration workflows provide visibility into CMK status.
- Security Assurance: Snowflake's HSM-backed key management is SOC 2 Type II"
Tri-Secret Secure blends a Snowflake-managed platform root key, a customer-managed key (CMK) hosted in the cloud provider's KMS, and user authentication into a composite master key. The composite master key wraps lower-level keys in Snowflake's encryption hierarchy and does not encrypt raw data directly. Table master keys derive file-level encryption keys under that hierarchy. Revocation of the CMK prevents Snowflake from decrypting data even if Snowflake's own key remains intact, providing a customer-controlled kill switch. Benefits include data sovereignty, compliance support (PCI-DSS, HIPAA, HITRUST), operational transparency through self-registration workflows, and HSM-backed SOC 2 Type II key management.
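The hierarchy described above (three secrets folded into a composite master key, which wraps a table master key, which derives per-file keys) can be modelled end to end in a few dozen lines. The following Go program is an added example written for this summary; it is not Snowflake's code and the page does not describe Snowflake's actual derivation or wrapping primitives. It assumes HMAC-SHA256 as the key-derivation step, AES-256-GCM as the wrapping and file-encryption cipher, and the labels and three secret values shown, all of which are constructed for the example. The property it demonstrates is the revocation semantics on the page: with the CMK absent, the composite key cannot be formed, so the wrapped table master key (and therefore every file key under it) is unrecoverable even though the platform root key and the authentication secret are still present.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// derive returns HMAC-SHA256(key, label): a 32-byte subkey bound to a label.
// Assumption: a stand-in for the KDF of a real key hierarchy.
func derive(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// compositeKey folds the three secrets into one master key. If any component
// is absent (for example the CMK was revoked in the customer's KMS), no
// composite key exists and nothing wrapped under it can be recovered.
func compositeKey(platformRoot, cmk, authSecret []byte) ([]byte, error) {
	if len(platformRoot) == 0 || len(cmk) == 0 || len(authSecret) == 0 {
		return nil, errors.New("composite master key unavailable: a component is missing or revoked")
	}
	k := derive(platformRoot, "tss/platform-root")
	k = derive(append(k, cmk...), "tss/cmk")
	k = derive(append(k, authSecret...), "tss/auth")
	return k, nil
}

// seal encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, wrong AAD or tampering fails authentication.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Hierarchy persists only the wrapped table master key (TMK). The composite
// key and the plaintext TMK are recomputed on demand and never stored.
type Hierarchy struct {
	table      string
	wrappedTMK []byte
}

// NewHierarchy generates a fresh TMK and wraps it under the composite key.
func NewHierarchy(platformRoot, cmk, authSecret []byte, table string) (*Hierarchy, error) {
	ck, err := compositeKey(platformRoot, cmk, authSecret)
	if err != nil {
		return nil, err
	}
	tmk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, tmk); err != nil {
		return nil, err
	}
	wrapped, err := seal(ck, tmk, []byte("tmk:"+table))
	if err != nil {
		return nil, err
	}
	return &Hierarchy{table: table, wrappedTMK: wrapped}, nil
}

// fileKey unwraps the TMK with the three current secrets and derives the
// per-file key, i.e. "table master keys derive file-level encryption keys".
func (h *Hierarchy) fileKey(platformRoot, cmk, authSecret []byte, fileID string) ([]byte, error) {
	ck, err := compositeKey(platformRoot, cmk, authSecret)
	if err != nil {
		return nil, err
	}
	tmk, err := unseal(ck, h.wrappedTMK, []byte("tmk:"+h.table))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap table master key: %w", err)
	}
	return derive(tmk, "file:"+fileID), nil
}

// EncryptFile and DecryptFile bind each ciphertext to its file identifier via AAD.
func (h *Hierarchy) EncryptFile(platformRoot, cmk, authSecret []byte, fileID string, data []byte) ([]byte, error) {
	fk, err := h.fileKey(platformRoot, cmk, authSecret, fileID)
	if err != nil {
		return nil, err
	}
	return seal(fk, data, []byte(fileID))
}

func (h *Hierarchy) DecryptFile(platformRoot, cmk, authSecret []byte, fileID string, blob []byte) ([]byte, error) {
	fk, err := h.fileKey(platformRoot, cmk, authSecret, fileID)
	if err != nil {
		return nil, err
	}
	return unseal(fk, blob, []byte(fileID))
}

func main() {
	// Constructed sample secrets; real ones live in an HSM / cloud KMS.
	root := []byte("constructed-platform-root-key")
	cmk := []byte("constructed-customer-kms-key")
	auth := []byte("constructed-user-auth-secret")
	h, _ := NewHierarchy(root, cmk, auth, "orders")
	ct, _ := h.EncryptFile(root, cmk, auth, "orders/part-0001", []byte("sample row data"))
	pt, err := h.DecryptFile(root, cmk, auth, "orders/part-0001", ct)
	fmt.Printf("with all three secrets: %q err=%v\n", pt, err)
	_, err = h.DecryptFile(root, nil, auth, "orders/part-0001", ct) // CMK revoked
	fmt.Println("after CMK revocation:", err)
}
```

Two design points worth noting from a defender's view: the struct stores only the wrapped TMK, so a snapshot of stored state plus the platform root key is not enough to read any file; and because the composite key is never persisted, revoking the CMK takes effect on the very next unwrap rather than after some cache expires.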
Read at faun.pub