Benchmark: Data Encryption
Overview
All data stored in Snowflake is transparently encrypted using a hierarchical key model whose root key is protected by a cloud-provider HSM. Each layer of the hierarchy (root key, account master keys, table master keys, file keys) wraps the layer below it, so individual data files are encrypted with their own keys rather than with one account-wide key. Snowflake also lets a customer-managed key (CMK) be combined with the Snowflake-managed key in this hierarchy through a feature called Tri-Secret Secure. Independently of Tri-Secret Secure, Snowflake rotates account and table master keys every 30 days, so data ingested after a rotation is encrypted under the new keys while retired keys are kept only to decrypt the data they already protect. Periodic rekeying, an optional setting, re-encrypts older data under fresh keys as well.
Usage
Browse dashboards and select Data Encryption:
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check snowflake_compliance.benchmark.security_overview_data_encryption
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share snowflake_compliance.benchmark.security_overview_data_encryption
Controls
- Use Tri-Secret Secure
- Use automatic key rotation for the CMK as provided by the cloud provider
- Enable Tri-Secret Secure in the target account when using database replication
- Enable periodic rekeying in Snowflake
- Use built-in encryption functions in addition to the transparent encryption to encrypt/decrypt certain columns
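For the two controls that are applied and verified directly in Snowflake SQL (periodic rekeying and column-level encryption), the following statements are an added example and are not part of the Steampipe mod or of Snowflake's own documentation. They assume the ACCOUNTADMIN role and an Enterprise Edition or higher account (required for periodic rekeying); the customer_pii table, its sample value and the passphrase are constructed for illustration. Tri-Secret Secure and CMK rotation have no SQL equivalent: the first is enabled through Snowflake Support, the second in the cloud provider's key management service.

```sql
-- Added example, not part of the Steampipe mod or Snowflake's documentation.
-- Assumes the ACCOUNTADMIN role and an Enterprise Edition (or higher) account;
-- the table, sample value and passphrase below are constructed.

-- Control: Enable periodic rekeying in Snowflake.
-- Inspect the current setting first: the default is FALSE and LEVEL stays
-- empty until the parameter has been set explicitly.
SHOW PARAMETERS LIKE 'PERIODIC_DATA_REKEYING' IN ACCOUNT;

-- Enable it: data still protected by a key retired more than a year ago is
-- re-encrypted under a new key hierarchy, transparently to queries.
ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = TRUE;

-- Control: built-in encryption functions for sensitive columns.
-- The passphrase lives in a session variable so it never appears in DDL;
-- in practice populate it from a secrets manager, not a literal as here.
SET pii_passphrase = 'correct horse battery staple';   -- constructed

CREATE OR REPLACE TABLE customer_pii (
  customer_id INTEGER,
  ssn_enc     BINARY   -- AES-GCM ciphertext; no plaintext column exists
);

-- Bind each ciphertext to its row through additional authenticated data (AAD):
-- a ciphertext copied to another customer_id then fails to decrypt instead of
-- silently revealing the wrong person's value.
INSERT INTO customer_pii (customer_id, ssn_enc)
SELECT 1001,
       ENCRYPT('123-45-6789', $pii_passphrase, 'customer_id=' || TO_VARCHAR(1001));

-- Authorized read path: decrypt with the same passphrase and the same AAD.
SELECT customer_id,
       TO_VARCHAR(DECRYPT(ssn_enc, $pii_passphrase,
                          'customer_id=' || TO_VARCHAR(customer_id)), 'UTF-8') AS ssn
FROM customer_pii;

-- What a reader who holds SELECT on the table but not the passphrase sees.
SELECT customer_id, ssn_enc FROM customer_pii;
```

The transparent encryption described in the Overview protects data at rest against access to the underlying storage; the ENCRYPT/DECRYPT layer additionally keeps the plaintext away from anyone with SQL access to the table who does not also hold the passphrase, which is the point of the last control.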