How to Enable Encryption in Snowflake

How do I enable encryption in Snowflake?

Configures column-level and external-stage encryption to protect data in Snowflake.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

What does “enable encryption” mean in Snowflake?

Snowflake already encrypts all data at rest and in transit. "Enabling encryption" normally refers to adding extra protections, such as column-level encryption with the ENCRYPT/DECRYPT functions, or server-side encryption on external stages.

How do I encrypt new data during INSERT?

Wrap sensitive values with ENCRYPT when you load them.Store the encrypted VARBINARY in a dedicated column (often suffixed “_enc”).

Syntax for ENCRYPT

ENCRYPT( plaintext_expr :: STRING , passphrase_expr :: STRING [ , 'aes' ] ) :: VARBINARY

How do I encrypt existing columns?

Create a new encrypted column, update it with ENCRYPT, validate, then drop the original plaintext column to avoid data loss.

How do I decrypt data for reading?

Use DECRYPT at query time or create a secure view that handles decryption for authorized roles only.

Syntax for DECRYPT

DECRYPT( ciphertext_expr :: VARBINARY , passphrase_expr :: STRING [ , 'aes' ] ) :: STRING

How do I enforce encryption on external stages?

Add an ENCRYPTION = ( TYPE = 'AWS_SSE_KMS' MASTER_KEY = 'aws_kms_key_arn' ) clause in CREATE STAGE to ensure files are encrypted in S3.

Syntax for CREATE STAGE with encryption

CREATE OR REPLACE STAGE stage_name URL = 's3://bucket/path/' STORAGE_INTEGRATION = my_int ENCRYPTION = ( TYPE = 'AWS_SSE_KMS' MASTER_KEY = 'aws_kms_key_arn' );

Best practices for managing keys

Store passphrases in Snowflake secrets or a dedicated key vault, rotate keys regularly, audit access, and limit decryption to roles that absolutely need it.

Why How to Enable Encryption in Snowflake is important

How to Enable Encryption in Snowflake Example Usage


-- Encrypt customer emails, decrypt on read
WITH encrypted AS (
  SELECT id,
         name,
         ENCRYPT(email, 'my_pass') AS email_enc,
         created_at
  FROM Customers
)
INSERT INTO Customers_secure(id, name, email_enc, created_at)
SELECT * FROM encrypted;

-- Decrypt when needed
SELECT id,
       name,
       DECRYPT(email_enc, 'my_pass') AS email_plain
FROM Customers_secure
WHERE id = 101;

How to Enable Encryption in Snowflake Syntax


-- Column-level functions
ENCRYPT(plaintext :: STRING, passphrase :: STRING [, 'aes']) :: VARBINARY
DECRYPT(ciphertext :: VARBINARY, passphrase :: STRING [, 'aes']) :: STRING

-- Encrypt during INSERT (ecommerce example)
INSERT INTO Customers(id, name, email_enc, created_at)
VALUES (101, 'Ada Lovelace', ENCRYPT('ada@galaxy.dev', 'my_pass'), CURRENT_TIMESTAMP);

-- Update existing table
ALTER TABLE Customers ADD COLUMN email_enc VARBINARY;
UPDATE Customers SET email_enc = ENCRYPT(email, 'my_pass');
ALTER TABLE Customers DROP COLUMN email;

-- External stage with SSE-KMS
CREATE OR REPLACE STAGE order_exports
  URL = 's3://acme-exports/orders/'
  STORAGE_INTEGRATION = acme_int
  ENCRYPTION = (TYPE = 'AWS_SSE_KMS', MASTER_KEY = 'arn:aws:kms:us-east-1:123:key/abc');

Common Mistakes

Storing the passphrase inside the SQL text. Fix: move the passphrase to a Snowflake secret or external key vault and reference it via a binding or session variable.
Leaving the original plaintext column in place after creating the encrypted version. Fix: validate the encrypted data, back it up, then drop the plaintext column to avoid accidental exposure.