I require client-side encryption of Azure blob.
Step 1: I have written .NET code to encrypt on-premise files and upload them to blob using the Azure Storage Client library for .NET (Version v2 GCM). In the code, a Content Encryption Key automatically generated by the client library will be wrapped by the KEK (Key Encryption Key) stored in the key vault.
Step 2: I have created an external Azure Blob stage for Snowflake and passed the KEK in the MASTERKEY parameter during the stage creation.
Step 3: I am using the "COPY INTO" command to load data into Snowflake.
Questions:
- How to upload the metadata to the stage from the client application?
- What all should be included in the metadata?
- How will Snowflake understand the metadata and decrypt the content?