
# RSA key-pair

## Steps to generate and register a key pair in Snowflake <a href="#steps-to-generate-and-register-a-key-pair-in-snowflake" id="steps-to-generate-and-register-a-key-pair-in-snowflake"></a>

### Step 1: Generate and secure RSA key pair <a href="#step-1-generate-and-secure-rsa-key-pair" id="step-1-generate-and-secure-rsa-key-pair"></a>

Run the following command sequence to generate an RSA key pair in one step:

```bash
mkdir -p ~/.snowflake/keys
cd ~/.snowflake/keys

# Generate encrypted private key (recommended)
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 des3 -inform PEM -out snowflake_rsa_key.p8

# Or, unencrypted private key (not recommended)
# openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out snowflake_rsa_key.p8 -nocrypt

# Extract public key
openssl rsa -in snowflake_rsa_key.p8 -pubout -out snowflake_rsa_key.pub

# Secure file permissions
chmod 700 ~/.snowflake ~/.snowflake/keys
chmod 600 ~/.snowflake/keys/snowflake_rsa_key.p8 ~/.snowflake/keys/snowflake_rsa_key.pub
```

When you run the command sequence above, you are prompted for three passwords in order:

* **Encryption password**: A new password to encrypt the private key.
* **Verify encryption password**: Re-enter the same password to confirm.
* **Passphrase prompt**: The passphrase that decrypts the private key during authentication. An unencrypted private key does not require a passphrase.

You can use the same password for all three prompts. Note down the passphrase securely. You need it later when configuring Snowflake authentication.

### Step 2: Retrieve the private key <a href="#step-2-retrieve-the-private-key" id="step-2-retrieve-the-private-key"></a>

Run the following command to display the private key contents. You use these contents when creating the Secret.

```bash
cd ~/.snowflake/keys
cat snowflake_rsa_key.p8
```

### Step 3: Retrieve the public key for Snowflake <a href="#step-3-retrieve-the-public-key-for-snowflake" id="step-3-retrieve-the-public-key-for-snowflake"></a>

Display the public key as a single line to register in Snowflake:

```bash
awk 'NR>1 && !/-----/' ~/.snowflake/keys/snowflake_rsa_key.pub | tr -d '\n'
```

Copy the output string and use it in the next step.

### Step 4: Register the public key in Snowflake <a href="#step-4-register-the-public-key-in-snowflake" id="step-4-register-the-public-key-in-snowflake"></a>

Use a Snowflake account with appropriate privileges such as `ACCOUNTADMIN` or `SECURITYADMIN`, then run:

```sql
USE ROLE ACCOUNTADMIN;
ALTER USER <snowflake-username> SET RSA_PUBLIC_KEY='MIIBIjANBgkqh...';
```

Verify that your public key has been registered successfully:

```sql
DESC USER <snowflake-username>;
```

### Step 5: (Optional) Verify the key fingerprint <a href="#step-5-optional-verify-the-key-fingerprint" id="step-5-optional-verify-the-key-fingerprint"></a>

To verify that your registered public key matches your local key, generate a fingerprint:

```bash
openssl rsa -pubin -in ~/.snowflake/keys/snowflake_rsa_key.pub -outform DER | \
openssl dgst -sha256 -binary | openssl enc -base64
```

Compare the fingerprint with the `RSA_PUBLIC_KEY_FP` in Snowflake (from `DESC USER`). They must match for authentication to succeed.

### Step 6: Rotate keys (recommended practice) <a href="#step-6-rotate-keys-recommended-practice" id="step-6-rotate-keys-recommended-practice"></a>

Snowflake supports two public keys (`RSA_PUBLIC_KEY` and `RSA_PUBLIC_KEY_2`) for key rotation.

1. Generate a new key pair.
2. Register the new public key:

   ```sql
   ALTER USER <your_user> SET RSA_PUBLIC_KEY_2='MIIBIjANBgkqh...';
   ```
3. Update your DataOS Instance Secret with the new private key.
4. Remove the old key after successful validation:

   ```sql
   ALTER USER <your_user> UNSET RSA_PUBLIC_KEY;
   ```
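
The checks implied by Steps 1 and 5 (encrypted private key, owner-only permissions, fingerprint equal to the value from `DESC USER`) can be scripted, which also helps before unsetting the old key during rotation. This is an added example, not DataOS or Snowflake code; the function names and the throwaway key pair it generates are assumptions, and the `SHA256:` prefix handling reflects how Snowflake displays the fingerprint.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a Snowflake key pair (function names are hypothetical).

# Base64 SHA-256 fingerprint of a public key PEM, using the Step 5 pipeline.
# Fails instead of hashing empty input when the file is not a valid public key.
pubkey_fp() {
  openssl rsa -pubin -in "$1" -noout 2>/dev/null || return 1
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# True if the local fingerprint equals the value copied from DESC USER.
# Snowflake displays it as "SHA256:<base64>", so the prefix is stripped first.
fp_matches() {
  local_fp=$(pubkey_fp "$1") || return 2
  [ "$local_fp" = "${2#SHA256:}" ]
}

# True if the private key file is a passphrase-encrypted PKCS#8 PEM.
is_encrypted_p8() {
  head -n 1 "$1" | grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----'
}

# True if group and others have no permission bits on the file (e.g. mode 600).
is_owner_only() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Demo on a throwaway key pair (constructed; the passphrase is a placeholder).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl genrsa 2048 2>/dev/null |
  openssl pkcs8 -topk8 -v2 des3 -inform PEM -out "$demo/k.p8" -passout pass:demo-only
openssl rsa -in "$demo/k.p8" -passin pass:demo-only -pubout -out "$demo/k.pub" 2>/dev/null
chmod 600 "$demo/k.p8"

is_encrypted_p8 "$demo/k.p8" && echo "private key: encrypted"
is_owner_only "$demo/k.p8" && echo "private key: owner-only"
# In real use the second argument is RSA_PUBLIC_KEY_FP pasted from DESC USER.
fp_matches "$demo/k.pub" "SHA256:$(pubkey_fp "$demo/k.pub")" && echo "fingerprint: match"
```

Against real files, pass `~/.snowflake/keys/snowflake_rsa_key.pub` and the fingerprint string from `DESC USER` to `fp_matches`; a non-zero exit means the registered key is not the one on disk.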


