Exam SnowPro Core topic 1 question 570 discussion

It is either before transit client side encryption or during transit sse

C. https://community.snowflake.com/s/question/0D5Do00000JqKGqKAN/when-exactly-is-the-put-command-encrypted-in-snowflake

correct

Verified: https://docs.snowflake.com/user-guide/security-encryption-end-to-end#client-side-encryption:~:text=If%20the%20stage%20is%20an%20internal%20(i.e.%20Snowflake)%20stage%20(Image%20B)%20data%20files%20are%20automatically%20encrypted%20by%20the%20Snowflake%20client%20on%20the%20user%E2%80%99s%20local%20machine%20prior%20to%20being%20transmitted%20to%20the%20internal%20stage%2C%20in%20addition%20to%20being%20encrypted%20after%20they%20are%20loaded%20into%20the%20stage.

A user uploads one or more data files to a stage. If the stage is an external stage (Image A), the user may optionally encrypt the data files using client-side encryption (see Client-Side Encryption for more information). We recommend client-side encryption for data files in external stages; but if the data is not encrypted, Snowflake immediately encrypts the data when it is loaded into a table. If the stage is an internal (i.e. Snowflake) stage (Image B) data files are automatically encrypted by the Snowflake client on the user’s local machine prior to being transmitted to the internal stage, in addition to being encrypted after they are loaded into the stage.

Put command means the customer is loading from the user’s local machine into an internal stage via the Snowflake client (SnowSQL). If the stage is an internal (i.e. Snowflake) stage data files are automatically encrypted by the Snowflake client on the user’s local machine prior to being transmitted to the internal stage, in addition to being encrypted after they are loaded into the stage. https://docs.snowflake.com/user-guide/security-encryption-end-to-end

Always end-to-end encryption https://docs.snowflake.com/en/sql-reference/sql/put#:~:text=Uploaded%20files%20are%20automatically%20encrypted%20with%20128%2Dbit%20or%20256%2Dbit%20keys.%20The%20CLIENT_ENCRYPTION_KEY_SIZE%20account%20parameter%20specifies%20the%20size%20key%20used%20to%20encrypt%20the%20files.

SNOWFLAKE_FULL: Client-side encryption. The files are encrypted by a client when it uploads them to the internal stage using PUT.

I'm a little confused. When creating a stage the encryption can be specified ENCRYPTION = (TYPE = 'SNOWFLAKE_FULL' | TYPE = 'SNOWFLAKE_SSE') SNOWFLAKE_FULL: Client-side encryption. The files are encrypted by a client when it uploads them to the internal stage using PUT. SNOWFLAKE_SSE: Server-side encryption. The files are encrypted when they arrive in the stage. SNOWFLAKE_FULL is the default. Wouldn't this mean answer (C) is correct (unless SNOWFLAKE_SSE was specifically set)?

Answer is D Uploaded files are automatically encrypted with 128-bit or 256-bit keys. The CLIENT_ENCRYPTION_KEY_SIZE account parameter specifies the size key used to encrypt the files. CLIENT_ENCRYPTION_KEY_SIZE specifies the AES encryption key size, in bits, used by Snowflake to encrypt/decrypt files stored in internal stages (for loading/unloading data).

Correct answer : D https://docs.snowflake.com/en/sql-reference/sql/put Uploaded files are automatically encrypted with 128-bit or 256-bit keys. It says "Uploaded", means when reaches SnowFlake environment. Also it is impossible to encrypt file at client side with PUT command.