Commit 7a929f3

docs(DRC-1988): add Snowflake key pair security documentation
Add security explanation for Snowflake key pair authentication in Recce Cloud:
- Describe envelope encryption with AWS KMS
- Explain AES-256 encryption for private keys at rest
- Note that decrypted keys exist only in memory
- Mention automatic KMS key rotation every 365 days
- Clarify passphrase protection mechanism

Signed-off-by: Kent <[email protected]>
1 parent 84f5856 commit 7a929f3

1 file changed

+2
-0
lines changed

docs/5-data-diffing/connect-to-warehouse.md

Lines changed: 2 additions & 0 deletions
@@ -43,6 +43,8 @@ We support two authentication methods for Snowflake:
4343
| `private_key` | Your RSA private key in PEM format or Base64-encoded DER format | Yes |
4444
| `private_key_passphrase` | Passphrase for the private key (only required if your private key is encrypted) | No |
4545

46+
**Security**: Recce Cloud protects your uploaded private keys using envelope encryption with AWS KMS. Private keys are encrypted at rest using AES-256, with encryption keys managed by AWS KMS. Decrypted keys exist only in memory during authentication and are never written to disk. AWS KMS keys rotate automatically every 365 days, and encrypted passphrases (if provided) receive the same protection.
47+
4648
For more information on setting up key pair authentication, refer to [Snowflake's key pair authentication documentation](https://docs.snowflake.com/en/user-guide/key-pair-auth).
4749

4850
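
Review bot: In the added Security paragraph (new line 46), "encrypted passphrases (if provided) receive the same protection" reads as if the passphrase arrives already encrypted, while the table row above describes `private_key_passphrase` as the passphrase for an encrypted private key. Suggest wording such as "the passphrase, if provided, is encrypted and stored the same way as the private key". In the same paragraph, "AWS KMS keys rotate automatically every 365 days" could be taken to mean the uploaded Snowflake key pair is rotated; stating that this applies to the KMS-managed encryption keys only, and that rotating the RSA key pair stays with the user, would prevent that misreading.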
