Format-preserving encryption for Snowflake — Java UDF powered by Cyphera.
Built on io.cyphera:cyphera from Maven Central.
This integration requires a Snowflake account. See below for deployment instructions.
```bash
mvn package -DskipTests
```

Produces target/cyphera-snowflake-0.1.0.jar (fat JAR with all dependencies).

```bash
docker build -t cyphera-snowflake .
```

```sql
CREATE STAGE IF NOT EXISTS cyphera_stage;
PUT file://target/cyphera-snowflake-0.1.0.jar @cyphera_stage AUTO_COMPRESS=FALSE;
```

```sql
CREATE OR REPLACE FUNCTION cyphera_protect(configuration_name VARCHAR, value VARCHAR)
RETURNS VARCHAR
LANGUAGE JAVA
HANDLER = 'io.cyphera.snowflake.CypheraUDF.cyphera_protect'
IMPORTS = ('@cyphera_stage/cyphera-snowflake-0.1.0.jar');

CREATE OR REPLACE FUNCTION cyphera_access(protected_value VARCHAR)
RETURNS VARCHAR
LANGUAGE JAVA
HANDLER = 'io.cyphera.snowflake.CypheraUDF.cyphera_access'
IMPORTS = ('@cyphera_stage/cyphera-snowflake-0.1.0.jar');
```

See demo.sql for the full registration script.

Snowflake Java UDFs don't have filesystem access. Set the configuration via the CYPHERA_CONFIGURATION_FILE environment variable or bundle cyphera.json inside the JAR at build time.

```sql
-- Protect with a named configuration
SELECT cyphera_protect('ssn', '123-45-6789');
-- → 'T01i6J-xF-07pX' (header-prefixed, dashes preserved)

-- Access — the embedded header tells Cyphera which configuration to use
SELECT cyphera_access(cyphera_protect('ssn', '123-45-6789'));
-- → '123-45-6789'

-- Bulk protect
SELECT name, cyphera_protect('ssn', ssn) AS protected_ssn
FROM customers;
```

- Configuration file bundled in JAR or accessible via CYPHERA_CONFIGURATION_FILE
- Configuration changes require re-uploading the JAR and re-registering functions
- Errors return [error: message] as the function output
- Check Snowflake query history for UDF errors

- Build a new JAR with the updated SDK version
- Re-upload to the stage:

  ```sql
  PUT file://target/cyphera-snowflake-0.1.0.jar @cyphera_stage AUTO_COMPRESS=FALSE OVERWRITE=TRUE;
  ```

- Re-register functions (or use CREATE OR REPLACE)

- Function not found — JAR not uploaded or function not registered. Run demo.sql.
- "Unknown configuration" — cyphera.json not accessible from the UDF runtime
- Upload fails — check that the stage exists and you have write permissions

```json
{
  "configurations": {
    "ssn": { "engine": "ff1", "key_ref": "demo-key", "header": "T01" },
    "credit_card": { "engine": "ff1", "key_ref": "demo-key", "header": "T02" }
  },
  "keys": {
    "demo-key": { "material": "2B7E151628AED2A6ABF7158809CF4F3C" }
  }
}
```

- Snowpark native function registration
- External function via API gateway (alternative to JAR upload)
- Snowflake Native App packaging
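
An added example, not part of the Cyphera project: a pre-build lint for cyphera.json, useful because a configuration change means rebuilding and re-uploading the JAR. It assumes the schema of the sample configuration above, hex-encoded key material, and unique headers (since cyphera_access picks the configuration from the embedded header); `lint_config` and its constants are hypothetical names.

```python
import json

# Key published in NIST example vectors (FIPS 197, SP 800-38A); also the README's demo key.
KNOWN_SAMPLE_KEYS = {"2B7E151628AED2A6ABF7158809CF4F3C"}
AES_KEY_BYTES = {16, 24, 32}  # FF1 is built on AES, so material must be an AES-sized key

def lint_config(text, allow_sample_keys=False):
    """Return a list of problems found in a cyphera.json document (assumed schema)."""
    cfg = json.loads(text)
    configs = cfg.get("configurations", {})
    keys = cfg.get("keys", {})
    problems = []
    seen_headers = {}  # header -> first configuration that claimed it
    for name, c in configs.items():
        header = c.get("header")
        if not header:
            problems.append(f"{name}: missing header")
        elif header in seen_headers:
            problems.append(f"{name}: header {header!r} also used by {seen_headers[header]}")
        else:
            seen_headers[header] = name
        if c.get("key_ref") not in keys:
            problems.append(f"{name}: key_ref {c.get('key_ref')!r} not defined under keys")
    for key_id, k in keys.items():
        material = str(k.get("material", ""))
        try:
            raw = bytes.fromhex(material)
        except ValueError:
            problems.append(f"{key_id}: material is not hex")
            continue
        if len(raw) not in AES_KEY_BYTES:
            problems.append(f"{key_id}: {len(raw)}-byte key is not a valid AES key length")
        if material.upper() in KNOWN_SAMPLE_KEYS and not allow_sample_keys:
            problems.append(f"{key_id}: material is a published sample key")
    return problems

# Constructed input: the README sample plus one deliberately broken "phone" entry.
SAMPLE = """{
  "configurations": {
    "ssn": {"engine": "ff1", "key_ref": "demo-key", "header": "T01"},
    "credit_card": {"engine": "ff1", "key_ref": "demo-key", "header": "T02"},
    "phone": {"engine": "ff1", "key_ref": "prod-key", "header": "T01"}
  },
  "keys": {"demo-key": {"material": "2B7E151628AED2A6ABF7158809CF4F3C"}}
}"""

if __name__ == "__main__":
    for problem in lint_config(SAMPLE):
        print("FAIL", problem)
```

Run it in the build before `mvn package` and fail the build on any reported problem; pass `allow_sample_keys=True` only for demo builds.
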
Apache 2.0 — Copyright 2026 Horizon Digital Engineering LLC