Zeta + Snowflake: Clean Room Data Onboarding Guide

image-20250812-061006.png

Zeta ensures secure data handling through End-to-End Encryption (E2EE) when working with Snowflake. This guide walks you through how E2EE works, including internal and external staging, client-side encryption, and how to load/unload data into Snowflake using named stages securely.

End-to-End Encryption (E2EE) protects your data:

  • At rest (while stored)

  • In transit (while being transferred to and from Snowflake)

This ensures third parties, including cloud providers, cannot access your data in plaintext.

Key Components of the E2EE Workflow

  1. Customer’s corporate network

  2. Data file staging area:

    • Internal stage (provided by Snowflake)

    • External stage (customer-managed, e.g., S3)

  3. Snowflake Virtual Private Cloud (VPC)

How the Data Flows

image-20250812-055641.png

  1. Upload to Stage

    • External stage (e.g., Amazon S3): You may apply client-side encryption.

    • Internal stage: Data is encrypted automatically before upload and again after loading.

  2. Load into Table

    • Data is transformed into Snowflake’s proprietary format and encrypted both at rest and in transit using TLS.

    • During processing, data is decrypted and re-encrypted post-operation.

  3. Unload Data (Optional)

    • Data can be unloaded to either stage type.

    • Client-side encryption is optional for external stages; internal stages encrypt automatically.

  4. Download from Stage

    • If client-side encrypted, you decrypt locally using your master key.

Client-Side Encryption

Client-side encryption ensures your files are encrypted before they even touch the cloud.

image-20250812-060052.png

How it Works

  1. You generate a secret master key and share it with Snowflake.

  2. Your client generates a random encryption key to encrypt each file.

  3. That key is then encrypted with the master key.

  4. Both the encrypted file and key are uploaded—key stored in file metadata.

When retrieving files:

  • Your client decrypts the random key using your master key.

  • It then decrypts the file using the now-unlocked random key.

Result: No third party (including cloud providers or ISPs) can access your raw data.

Loading Encrypted Data into Snowflake

Snowflake supports secure loading via named stage objects that include your MASTER_KEY.

Step-by-Step Example

  1. Create a Named Stage Object
    Here's how to create a secure stage in S3:

    CREATE STAGE encrypted_customer_stage
URL='s3://customer-bucket/data/'
CREDENTIALS=(AWS_KEY_ID='ABCDE123' AWS_SECRET_KEY='XYZ987')
ENCRYPTION=(MASTER_KEY='Base64EncodedKey...');

  2. Load Encrypted Data into a Table

    CREATE TABLE users (id BIGINT, name VARCHAR(500), purchases INT);
COPY INTO users FROM @encrypted_customer_stage/users;

  3. Unload Encrypted Data from Snowflake

    CREATE TABLE most_purchases AS
SELECT * FROM users ORDER BY purchases DESC LIMIT 10;
COPY INTO @encrypted_customer_stage/most_purchases FROM most_purchases;

Data in customer-managed stages is encrypted using your master key and follows the defined encryption protocol of your cloud provider.

Please Note:

  • The MASTER_KEY must be AES-128 or AES-256 and Base64-encoded.

  • Your encryption keys are transmitted securely over HTTPS and stored encrypted within Snowflake’s metadata layer.

  • Named stage objects allow for secure sharing within your Snowflake account without disclosing encryption keys to other users.