Commit 295316e

docs(DRC-1988): restructure security documentation as standalone section

Move security documentation from Snowflake Key Pair section to a dedicated Security section under Recce Cloud. This makes it clearer that the encryption mechanism applies to all warehouse connections (passwords, tokens, and private keys), not just Snowflake key pairs.

Changes:
- Add standalone Security section after Recce Cloud introduction
- Generalize content to cover all credential types
- Remove redundant security note from Snowflake Key Pair section

Signed-off-by: Kent <[email protected]>

1 parent 7a929f3 commit 295316e

1 file changed: +4 -2 lines changed

docs/5-data-diffing/connect-to-warehouse.md

Lines changed: 4 additions & 2 deletions
@@ -13,6 +13,10 @@ If you use Recce Cloud, here are the warehouse connection settings. We currently
1313

1414
Others are coming in future releases
1515

16+
### Security
17+
18+
Recce Cloud protects all sensitive credentials (such as passwords, tokens, and private keys) using envelope encryption with AWS KMS. Credentials are encrypted at rest using AES-256, with encryption keys managed by AWS KMS. Decrypted credentials exist only in memory during connection establishment and are never written to disk. AWS KMS keys rotate automatically every 365 days to maintain security best practices.
19+
1620
### Snowflake
1721
We support two authentication methods for Snowflake:
1822

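Review bot: In the added Security paragraph (new line 18), "with encryption keys managed by AWS KMS" does not say which key does what, and the rotation sentence leaves open what happens to credentials that are already stored. With envelope encryption a data key encrypts the credential and the KMS key wraps that data key, and automatic rotation of a KMS key does not by itself re-encrypt existing ciphertext. If it matches the implementation, suggest wording along the lines of "each credential is encrypted with an AES-256 data key, and that data key is encrypted by a key held in AWS KMS", and either stating whether stored credentials are re-encrypted after rotation or dropping "to maintain security best practices", which gives the reader nothing to verify.
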
@@ -43,8 +47,6 @@ We support two authentication methods for Snowflake:
4347
| `private_key` | Your RSA private key in PEM format or Base64-encoded DER format | Yes |
4448
| `private_key_passphrase` | Passphrase for the private key (only required if your private key is encrypted) | No |
4549

46-
**Security**: Recce Cloud protects your uploaded private keys using envelope encryption with AWS KMS. Private keys are encrypted at rest using AES-256, with encryption keys managed by AWS KMS. Decrypted keys exist only in memory during authentication and are never written to disk. AWS KMS keys rotate automatically every 365 days, and encrypted passphrases (if provided) receive the same protection.
47-
4850
For more information on setting up key pair authentication, refer to [Snowflake's key pair authentication documentation](https://docs.snowflake.com/en/user-guide/key-pair-auth).
4951

5052

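Review bot: Removing the note at old line 46 drops the only explicit statement that `private_key_passphrase` is protected. The removed text ended with "encrypted passphrases (if provided) receive the same protection", while the new Security paragraph lists only "passwords, tokens, and private keys". Suggest adding passphrases to that list, and leaving a one-line pointer to the Security section here, since a reader who lands on the key pair table now sees no security note next to the `private_key` field.
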