Encryption Keys

Yuki applies strict cryptographic controls to protect the confidentiality, integrity, authenticity, and non-repudiation of information across all its systems. All cryptographic activities are governed by Yuki’s Encryption Policy, which defines how keys are generated, stored, rotated, and protected throughout their lifecycle.

Key Management

Except where otherwise stated, encryption keys are managed directly by their owners. All cryptographic keys must be protected against loss, change, or destruction by implementing appropriate access control mechanisms and performing regular backups.

Keys are rotated at least once every 12 months and protected from unauthorized access at every stage of their lifecycle.

Key Management Service (KMS)

All key management operations are performed using dedicated software that automates:

  • Key generation and secure storage

  • Access control for encryption and decryption operations

  • Backup and rotation of all active keys

The service enforces a separation of duties:

  • Key Access Users - authorized to encrypt and decrypt information and generate data encryption keys.

  • Key Administrators - authorized to create, schedule deletion, enable or disable rotation, and define key usage policies.

Keys remain stored and backed up securely for their entire operational lifetime.

Secret Keys

Keys used for symmetric encryption (secret key cryptography) are distributed securely to all relevant parties and protected throughout their use.

During distribution:

  • Symmetric encryption keys are encrypted using a stronger algorithm with the longest approved key length for that algorithm.

  • If the key already uses the strongest algorithm, it must be split into portions, with each portion encrypted by a different key of the same strength and transmitted through separate mechanisms.

When at rest, symmetric keys are protected with measures at least as strong as those used during their distribution.

Hardware Token Storage

Hardware tokens that store encryption keys (such as smartcards or USB tokens) are treated as sensitive company equipment, as defined in Yuki’s Physical Security Policy.

When outside company offices:

  • Tokens must not be left connected to any computer when not in use.

  • Employees traveling with hardware tokens must not store them in the same container or bag as any computer or device.

PINs, Passwords, and Passphrases

All PINs, passwords, or passphrases used to protect encryption keys must comply with Yuki’s Password Policy, meeting the required standards for complexity and length.

Loss or Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately. Compromised keys are invalidated as soon as the event is detected.

Next Step

→ Continue to Secure Data Flow to learn how Yuki encrypts, authenticates, and transmits queries securely between your environment, Yuki Engine, and Snowflake.

PreviousGeneral Security and Access ControlNextSecure Data Flow

Last updated