How to Enable Encryption in Transit in Snowflake

Why do I need encryption in transit?

Protecting data as it travels over networks prevents eavesdropping and man-in-the-middle attacks. Snowflake enforces TLS 1.2+ for all connections, but you can add network policies and key rotation for stricter control.

How does Snowflake provide TLS encryption?

Every connection—web UI, JDBC, Python, SnowSQL—must negotiate TLS 1.2 or higher. Certificates are managed by Snowflake and rotated automatically.No action is required unless you need custom certificate pinning.

How can I verify my session is encrypted?

Run:

SELECT SYSTEM$CLIENT_SSL_STATUS();

A return of "TLS" confirms encryption. The function also lists protocol and cipher.

Can I restrict non-TLS connections?

Solely TLS is allowed by default.To block legacy endpoints or enforce IP allowlists, create a network policy and attach it to roles or the whole account.

Syntax to create a network policy

CREATE NETWORK POLICY policy_name
ALLOWED_IP_LIST = ( '1.2.3.0/24', '4.5.6.7' )
BLOCKED_IP_LIST = ( '0.0.0.0/0' );
ALTER ACCOUNT SET NETWORK_POLICY = policy_name;

How do I rotate Snowflake’s certificates?

Certificate management is fully automated by Snowflake.If your security program demands proof, download the current public certificate with:

SELECT SYSTEM$GET_PRIVATELINK_CONFIG();

The JSON output includes the active certificate thumbprint.

What about internal stage transfers?

When you copy data between S3 stages and Snowflake tables, the connection is still TLS-encrypted.Example:

PUT file://./daily_orders.csv @%Orders AUTO_COMPRESS=TRUE;
COPY INTO Orders
FROM @%Orders
FILE_FORMAT=(TYPE=CSV SKIP_HEADER=1);

The PUT uses HTTPS behind the scenes, ensuring encryption during upload.

Best practices for encryption in transit

• Always use the latest SnowSQL/JDBC drivers to get the strongest ciphers.
• Enable network policies to tighten IP ranges.
• Use PrivateLink for traffic confined to your VPC.
• Monitor LOGIN_HISTORY for protocol details.

Common mistakes and fixes

Mistake 1: Using outdated drivers that force TLS 1.1.
Fix: Upgrade to the newest driver; Snowflake will then negotiate TLS 1.2.

Mistake 2: Assuming stage transfers are unencrypted.
Fix: All Snowflake stage endpoints use HTTPS automatically; no extra flag is required.

Need IP-restricted TLS plus VPC isolation?

Combine a network policy with AWS PrivateLink.After your account is enabled for PrivateLink, update connection strings to the provided privatelink.snowflakecomputing.com URL. Traffic stays within AWS, still wrapped in TLS.

Quick driver test snippet

Python example:

import snowflake.connector as sf
ctx = sf.connect(user='USER', password='***', account='acct')
print(ctx.is_pyformat)
print(ctx.cmd_query('SELECT SYSTEM$CLIENT_SSL_STATUS()'))

The result shows the TLS version, confirming encryption.

Where to learn more?

Snowflake Docs → Security → Data Encryption → Encryption in Transit.

.