diff --git a/knowledge base/jargon.md b/knowledge base/jargon.md index 31a9620..c4b0f76 100644 --- a/knowledge base/jargon.md +++ b/knowledge base/jargon.md @@ -96,8 +96,11 @@ | OIDC | OpenID Connect | | | OKR | Objectives and Key Results | Framework helping teams set and track measurable goals | | OOM | Out Of Memory | | +| PAT | Personal Access Token | | +| PAT | Programmatic Access Token | Used in [Snowflake] | | PDF | Portable Document Format | | | PEBCAK | Problem Exists Between Chair And Keyboard | | +| PEM | Privacy Enhanced Mail | | | PGP | Pretty Good Privacy | | | PII | Personally Identifiable Information | | | PR | Pull Request | Prevalently used in GitHub | @@ -175,6 +178,7 @@ [kubernetes]: kubernetes/README.md [lora]: lora.md [siem]: siem.md +[snowflake]: snowflake/README.md [ssh]: ssh.md [sssd]: sssd.md [terraform enterprise]: terraform%20enterprise.md diff --git a/knowledge base/snowflake/README.md b/knowledge base/snowflake/README.md index 58e0c05..27ec8bc 100644 --- a/knowledge base/snowflake/README.md +++ b/knowledge base/snowflake/README.md @@ -377,17 +377,37 @@ Auto-suspend and resume are both enabled by default. ## Access with private keys -Refer [Snowflake terraform provider authentication]. +Refer [Key-pair authentication and key-pair rotation] and [Snowflake terraform provider authentication]. + +> [!important] +> Snowflake only accepts keys in the Privacy Enhanced Mail (PEM) format. + +Snowflake supports multiple active keys to allow for uninterrupted rotation.
+Use the `RSA_PUBLIC_KEY` and `RSA_PUBLIC_KEY_2` parameters in `ALTER USER` to associate up to 2 public keys to one user. + +> [!tip] +> Prefer using private keys in the PEM PKCS#8 format, as that is the one Snowflake accepts during authentication.
+> Some tools (e.g., the [Snowflake CLI]) can use private keys in other formats. Procedure: 1. Generate a keypair. ```sh - openssl genrsa -out "$HOME/.ssh/snowflake_key" 4096 - openssl rsa -in "$HOME/.ssh/snowflake_key" -pubout -out "$HOME/.ssh/snowflake_key.pub" - openssl pkcs8 -topk8 -inform 'pem' -in "$HOME/.ssh/snowflake_key" \ - -outform 'PEM' -v2 aes-256-cbc -out "$HOME/.ssh/snowflake_key.p8" + openssl genrsa -out "$HOME/.ssh/snowflake.pem" '4096' + openssl rsa -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -pubout -outform 'PEM' -out "$HOME/.ssh/snowflake.pub" + ``` + +1. Make sure the private key uses the PKCS#8 format. + + ```sh + # unencrypted + openssl pkcs8 -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -outform 'PEM' -out "$HOME/.ssh/snowflake.p8" \ + -topk8 -nocrypt + + # encrypted (will require a password) + openssl pkcs8 -inform 'PEM' -in "$HOME/.ssh/snowflake.pem" -outform 'PEM' -out "$HOME/.ssh/snowflake.p8" \ + -topk8 -v2 'aes-256-cbc' ``` 1. Assign the key to your user in Snowflake. @@ -399,9 +419,11 @@ Procedure: 1. Configure tools to use the key. ```sh - export SNOWFLAKE_PRIVATE_KEY="$(cat ~/.ssh/snowflake_key.p8)" - export SNOWFLAKE_PRIVATE_KEY_PATH="$HOME/.ssh/snowflake_key" SNOWFLAKE_PRIVATE_KEY_PASSPHRASE='somePassword' - snow connection add -n 'jwt' --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake_key" + export SNOWFLAKE_PRIVATE_KEY="$(cat ~/.ssh/snowflake.p8)" + export SNOWFLAKE_PRIVATE_KEY_PATH="$HOME/.ssh/snowflake.pem" SNOWFLAKE_PRIVATE_KEY_PASSPHRASE='somePassword' + snow connection add -n 'jwt' --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake.p8" + snow connection test -x --account 'xy12345' --username 'MY_SERVICE_USER' \ + --authenticator 'SNOWFLAKE_JWT' --private-key-file "$HOME/.ssh/snowflake.p8" ``` ## Access with programmatic access tokens 
@@ -448,6 +470,10 @@ Rotating a PAT generates a new secret (and a new expiration) for it, and invalid Deletion is **permanent**, and allows for **no** recovery/restoration. +> [!important] +> One **cannot** modify, rename, rotate, or revoke programmatic access tokens in a session where one used a programmatic +> access token for authentication. + Requirements: - Tokens must belong to Snowflake users with `TYPE=PERSON` or `TYPE=SERVICE`. @@ -686,11 +712,12 @@ Refer [RoleOut]. [Authentication policies]: https://docs.snowflake.com/en/user-guide/authentication-policies [Controlling network traffic with network policies]: https://docs.snowflake.com/en/user-guide/network-policies [Documentation]: https://docs.snowflake.com/en/ +[Key-pair authentication and key-pair rotation]: https://docs.snowflake.com/en/user-guide/key-pair-auth [Network rules]: https://docs.snowflake.com/en/user-guide/network-rules [Overview of Access Control]: https://docs.snowflake.com/en/user-guide/security-access-control-overview +[Planning for the deprecation of single-factor password sign-ins]: https://docs.snowflake.com/en/user-guide/security-mfa-rollout [Using programmatic access tokens for authentication]: https://docs.snowflake.com/en/user-guide/programmatic-access-tokens [Website]: https://www.snowflake.com/en/ -[Planning for the deprecation of single-factor password sign-ins]: https://docs.snowflake.com/en/user-guide/security-mfa-rollout [Programmatic Access Token (PAT) in Snowflake]: https://medium.com/%40mohitaverma0712/programmatic-access-token-pat-in-snowflake-how-to-use-754c28db8952 diff --git a/snippets/openssl.sh b/snippets/openssl.sh index 9340509..b44a308 100644 --- a/snippets/openssl.sh +++ b/snippets/openssl.sh 
@@ -12,16 +12,18 @@ openssl rand -base64 '18' > 'key.bin' ## -# Private keys +# Key pairs # -------------------------------------- ## -# Generate RSA keys +# Generate (unencrypted) RSA keys openssl genrsa -out 'rsa4096.key' '4096' openssl genrsa -out 'rsa8192.key' '8192' +openssl genrsa '2048' | openssl pkcs8 -topk8 -inform 'PEM' -out 'rsa2048.p8' -nocrypt -# Generate RSA keys encrypted with passphrases based on AES CBC 256 +# Generate encrypted RSA keys openssl genrsa -aes256 -out 'rsa4096.withPassphrase.key' '4096' +openssl genrsa '2048' | openssl pkcs8 -topk8 -v2 'des3' -inform 'PEM' -out 'rsa2048.withPassphrase.p8' # Generate ECDSA keys # Supported curves: prime256v1, secp384r1, secp521r1, others @@ -31,8 +33,9 @@ openssl ecparam -genkey -name 'secp521r1' | openssl ec -out 'ec521.key' openssl ecparam -list_curves # Print out key information -openssl rsa -in 'rsa.key' -pubout # public key -openssl rsa -in 'rsa.key' -noout -modulus # modulus +openssl rsa -in 'rsa.key' -pubout # public key +openssl rsa -in 'rsa_key.p8' -pubout -out 'rsa_key.pub' # public key +openssl rsa -in 'rsa.key' -noout -modulus # modulus # Print out key information # Textual representation of components @@ -41,6 +44,7 @@ openssl ec -in 'ec.key' -text -noout # Check keys and verify their consistency. openssl rsa -check -in 'private.key' +openssl ec -check -in 'private.key' # Remove passphrases from keys openssl rsa -in 'withPassphrase.key' -out 'plain.key' 
@@ -51,6 +55,17 @@ openssl rsa -des3 -in 'plain.key' -out 'withPassphrase.key' # Generate Diffie-Hellman params with given lengths (in bits) openssl dhparam -out 'dhparams.pem' '2048' +# Convert private keys to other formats +openssl pkcs8 -in 'key.pem' -topk8 -out 'encrypted.key.pem' # traditional to PKCS#8 with default parameters (AES-256 and hmacWithSHA256) +openssl pkcs8 -in 'key.pem' -topk8 -nocrypt -out 'unencrypted.key.pem' # traditional to PKCS#8 unencrypted +openssl pkcs8 -in 'key.pem' -topk8 -v2 'des3' -out 'encrypted.key.pem' # traditional to PKCS#5 v2.0 with triple DES encryption +openssl pkcs8 -in 'key.pem' -topk8 -v2 'aes-256-cbc' -v2prf 'hmacWithSHA512' -out 'encrypted.key.pem' # traditional to PKCS#5 v2.0 with AES-256 and hmacWithSHA256 +openssl pkcs8 -in 'key.pem' -topk8 -v1 'PBE-MD5-DES' -out 'encrypted.key.pem' # PKCS#5 v1.5 to PKCS#8 +openssl pkcs8 -in 'key.pem' -topk8 -out 'encrypted.key.pem' -v1 'PBE-SHA1-3DES' # PKCS#12 to PKCS#8 +openssl pkcs8 -inform 'DER' -nocrypt -in 'key.der' -out 'unencrypted.key.pem' # DER unencrypted to PKCS#8 unencrypted +openssl pkcs8 -in 'pk8.pem' -traditional -out 'encrypted.key.pem' # PKCS#8 encrypted to traditional +openssl pkcs8 -in 'key.pem' -topk8 -v2 'aes-256-cbc' -iter '1000000' -out 'pk8.pem' # traditional to PKCS#8 with AES-256 and 1M iterations of the password + ## # Certificate Signing Requests (CSR) diff --git a/snippets/pulumi/commands.fish b/snippets/pulumi/commands.fish index 0697db6..a55ae54 100644 --- a/snippets/pulumi/commands.fish +++ b/snippets/pulumi/commands.fish @@ -39,6 +39,7 @@ pulumi config set --secret 'boincGuiRpcPasswd' 'something-something-darkside' pulumi config set --path 'outer.inner' 'value' pulumi config set --path 'list[1]' 'value' gpg --export 'smth@example.org' | pulumi config set 'smthTeam:pgpKey-public-raw' --type 'string' +cat "$HOME/.ssh/snowflake.key" | pulumi config set 'snowflake:privateKey' --secret # Gitlab provider # 'baseUrl' requires the ending slash
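Review bot: the two new `PAT` rows in `knowledge base/jargon.md` (hunk `@@ -96,8 +96,11 @@`) share an acronym, and only the second one says where it is used ("Used in [Snowflake]"); give the first row ("Personal Access Token") a context entry as well, e.g. "Used in GitHub and GitLab", in the style of the existing `PR | Pull Request | Prevalently used in GitHub` row, so a reader can tell which expansion applies.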
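Review bot: the rotation paragraph in `knowledge base/snowflake/README.md` (hunk `@@ -377,17 +377,37 @@`) names `RSA_PUBLIC_KEY` and `RSA_PUBLIC_KEY_2` but not the order that makes rotation uninterrupted; suggest one sentence after it: set the new public key in the free slot, switch clients to the new private key, verify they authenticate, then `UNSET` the old slot. The `[!important]` note ("only accepts keys in the Privacy Enhanced Mail (PEM) format") and the `[!tip]` ("PEM PKCS#8 format") overlap; merge them into one note saying the service accepts PEM-encoded PKCS#8 and that some tools convert other formats for you. In the procedure, a short comment on step 2 would help: with OpenSSL 3.x `openssl genrsa` already writes PKCS#8 (`BEGIN PRIVATE KEY`), so the conversion is only needed for OpenSSL 1.1.x output (`BEGIN RSA PRIVATE KEY`) or to add a passphrase.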
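Review bot: in hunk `@@ -399,9 +419,11 @@` of `knowledge base/snowflake/README.md` the tools are pointed at different files: `SNOWFLAKE_PRIVATE_KEY` and both `snow connection` commands read `snowflake.p8`, while `SNOWFLAKE_PRIVATE_KEY_PATH` reads `snowflake.pem`, which step 1 generated without a passphrase, so the `SNOWFLAKE_PRIVATE_KEY_PASSPHRASE` exported next to it is never used; point all three at `snowflake.p8`. Exporting the passphrase as a literal (`SNOWFLAKE_PRIVATE_KEY_PASSPHRASE='somePassword'`) also lands it in shell history; suggest `read -rs SNOWFLAKE_PRIVATE_KEY_PASSPHRASE` or a secret manager instead. Minor: spell `-x` as `--temporary-connection` in the `snow connection test` line so the reader knows why no saved connection is needed there.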
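Review bot: the new encrypted pipeline in `snippets/openssl.sh` (hunk `@@ -12,16 +12,18 @@`) selects `-v2 'des3'`, which is the weakest cipher in the file and which the rewritten comment no longer explains; dropping `-v2` (OpenSSL defaults to AES-256-CBC for `-topk8`) or writing `-v2 'aes-256-cbc'` matches what the Snowflake README in this same change recommends. The old comment "encrypted with passphrases based on AES CBC 256" was accurate for `genrsa -aes256`; keep that detail rather than the generic "Generate encrypted RSA keys", since the two lines now use different ciphers.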
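Review bot: the added `openssl rsa -in 'rsa_key.p8' -pubout -out 'rsa_key.pub'` line in hunk `@@ -31,8 +33,9 @@` differs from the line above it only in file names and repeats the `# public key` comment, so it is not clear what it demonstrates; if the point is that `openssl rsa` also reads PKCS#8 input, say so in the comment, or use `openssl pkey -in 'rsa_key.p8' -pubout`, which works for any key type and makes the PKCS#8 case explicit.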
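Review bot: several comments in the new conversion block of `snippets/openssl.sh` (hunk `@@ -51,6 +55,17 @@`) do not match their commands. The `-v2prf 'hmacWithSHA512'` line is described as "hmacWithSHA256"; the `-traditional` line writes the key decrypted (that is what omitting `-topk8` does), so its output should not be named `encrypted.key.pem`; and the two `-v1` lines do not convert *from* PKCS#5 v1.5 or PKCS#12, they select those legacy encryption schemes (`PBE-MD5-DES`, `PBE-SHA1-3DES`) for the output, which are worth labelling as interoperability-only since single DES and MD5 give no meaningful protection today. The `-inform 'DER'` line reads an unencrypted PKCS#8 DER key (there is no `-topk8`), so "DER PKCS#8 unencrypted to PEM PKCS#8 unencrypted" is the accurate comment.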
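Review bot: the new line in `snippets/pulumi/commands.fish` (hunk `@@ -39,6 +39,7 @@`) reads `$HOME/.ssh/snowflake.key`, but the Snowflake README in this same change produces `snowflake.pem` and `snowflake.p8`; use `snowflake.p8` so the two files agree, and add a short comment that the value must be the PKCS#8 PEM private key and that an encrypted key also needs its passphrase stored as a separate secret.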