top of page

External Tokenization Using Fortanix

Updated: Mar 9

Author: Kiran Pacchipulusu & Rohan Prabhakar

Objective: This document explains how to use an API Gateway proxy service to execute the Fortanix Data Security Manager (DSM) Plugin through Snowflake for tokenization and de-tokenization.

Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. The token is a randomized data string that has no essential or exploitable value or meaning.

The Fortanix DSM keys that will be used for the tokenization or detokenization of different columns must be specified by Snowflake External Functions at the time of construction. So long as certain headers are mapped, the API Gateway can continue to be stateless and simply route requests from Snowflake to the Fortanix DSM plugin.

To send information about key names, we'll use the "headers" property of CREATE EXTERNAL FUNCTION. The following header name and value should be used:

This will have the heading "key-names." Value for the header will be a list of key names separated by commas. The first entry matches the data's first column, and so on.

There must be an existing key with the key names listed in the header. The DSM plugin for Fortanix won't generate the key. It will check and make sure the key is real. Additionally, the Fortanix DSM plugin will confirm that the number of key names given in the header corresponds to the number of columns in the Snowflake data. The operation will fail if there are fewer keys than there are columns.

Setting up the Fortanix Data Security Manager

Put in the information as it appears in the screenshot below:

Add example: The instance generated will be known by this name.

In the section titled "Create tokenization keys,"

Choose the data type that applies to you. Users can create security objects that fall under any of the four tokenizer data type categories, depending on the sort of data they want to protect.

You can construct as many token objects as you need.

Give the instance a name and create tokenization keys.

From the instance details, take note of the API Key. When configuring your API gateway, you will require the API Key. Click COPY API KEY to copy the API Key.

By selecting View All from the integration wizard, you may see every instance.

Setting up AWS API Gateway Proxy Service

Create an AWS REST API Gateway

Add two resources for Tokenize and Detokenize. For each resource method, configure Integration Request with the following configuration:

Integration type: HTTP

Endpoint URL: Point it to your Plugin URL

Content handling: Passthrough

HTTP Headers – Add the “Authorization” header and leave the value empty, as it’ll be sent by Snowflake through an External Function custom header.

Configure the gateway settings and add the HTTP header.

Add Mapping template

Test the AWS API Gateway

Create an AWS IAM role for Snowflake.

Deploy the proxy service on a Demo stage.

Configure the AWS API Gateway Deployment stage and the IAM role in Snowflake.

Create an external function for the Email Address column.

Viewing Table from any role.

We can see that the “Email Address” column is tokenized.

Viewing Table from the Designated role.

We can see that the “Email Address” column is de-tokenized while using the designated role.


External tokenization using Fortanix has been successfully done through AWS API Gateway. Using the external function and API integration in Snowflake, the process of using external tokenization can be expedited through Fortanix DSM.



212 views0 comments
bottom of page