snowflake-auth-private-key-passphrase
--snowflake-auth-private-key-passphrase is a string parameter that specifies the passphrase used to decrypt an encrypted private key file for Snowflake key pair authentication. This parameter is available in Liquibase Pro/Secure and requires a valid license.
Uses
When your Snowflake private key file is encrypted (a security best practice), you must provide the passphrase to decrypt it. This parameter securely passes the passphrase to Liquibase so it can read and use the encrypted private key for authentication.
Encrypting your private key with a passphrase provides multiple security benefits:
Defense in depth — Even if someone gains access to the key file, they cannot use it without the passphrase.
Compliance requirements — Many security standards require private keys to be encrypted at rest.
Secure storage — Keys can be stored in version control or shared locations, reducing the risk.
Audit trail — Passphrase access can be logged and monitored separately from key file access.
You must set --snowflake-auth-private-key-passphrase when:
Encrypted keys — Your private key file is protected with a passphrase (recommended practice).
Security compliance — Your organization's security policies require encrypted private keys.
Production environments — You're deploying to production ,where encrypted credentials are mandatory.
Note: This parameter is optional if your private key is not encrypted. However, using an encrypted private key with a passphrase is strongly recommended for production environments. This parameter must be used with both --snowflake-auth-type and --snowflake-auth-private-key-path.
Syntax
You can set this parameter in the following ways:
Option | Syntax |
Liquibase properties file (defaults file) |
|
Global flow file argument (example) |
|
Global CLI parameter |
|
JVM system property (JAVA_OPTS Environment Variable) | Unix:
Windows:
|
LIQUIBASE_SNOWFLAKE_AUTH_PRIVATE_KEY_PATH=<path> |
|