Customer-managed keys for managed services


This feature requires the Premium plan.

For additional control of your data, you can add your own key to protect and control access to some types of data. Azure Databricks has three customer-managed key features for different types of data and locations. To compare them, see Customer-managed keys for encryption.

Managed services data in the Azure Databricks control plane is encrypted at rest. You can add a customer-managed key for managed services to help protect and control access to the following types of encrypted data:

After you add a customer-managed key for managed services encryption for a workspace, Azure Databricks uses your key to control access to the key that encrypts future write operations to your workspace’s managed services data. Existing data is not re-encrypted. The data encryption key is cached in memory for several read and write operations and evicted from memory at a regular interval. New requests for that data require another request to your cloud service’s key management system. If you delete or revoke your key, reading or writing to the protected data fails at the end of the cache time interval. You can rotate (update) the customer-managed key at a later time.


If you rotate the key, you must keep the old key available for 24 hours.

This feature does not encrypt data stored outside the control plane. To encrypt data in your workspace storage account, refer to Customer-managed keys for DBFS root.

You can enable customer-managed keys using Azure Key Vault vaults or Azure Key Vault HSMs: