Configure customer-managed keys for DBFS root

Note

This feature is available only in the Premium Plan.

For additional control of your data, you can add your own key to protect and control access to some types of data. Azure Databricks has two customer-managed key features that involve different types of data and locations. For a comparison, see Customer-managed keys for encryption.

By default, the storage account is encrypted with Microsoft-managed keys. After you add a customer-managed key for DBFS root, Azure Databricks uses your key to encrypt all the data in the workspace’s root Blob storage.

  • The root Blob storage contains your workspace’s DBFS root, which is the default storage location in DBFS. Databricks File System (DBFS) is a distributed file system mounted into an Azure Databricks workspace and available on Azure Databricks clusters. DBFS is implemented as a Blob storage instance in your Azure Databricks workspace’s managed resource group. The DBFS root storage includes MLflow Models and Delta Live Tables data in your DBFS root (but not data in DBFS mounts).
  • The root Blob storage also includes your workspace’s system data (not directly accessible to you using DBFS paths), which includes job results, Databricks SQL results, notebook revisions, and some other workspace data.

Important

This feature encrypts your DBFS root only; it does not encrypt data in any additional DBFS mounts, such as mounts of other Blob or ADLS storage.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in the key vault, or you can use the Azure Key Vault APIs to generate keys.
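Because the DBFS root is a storage account in the workspace’s managed resource group, you can confirm which key source protects it after enabling the feature. The script below is an added example, not part of the Azure Databricks documentation or product; it assumes the Azure CLI with the `databricks` extension, a signed-in account that can read the managed resource group, and a workspace name and resource group supplied by the caller.

```bash
#!/usr/bin/env sh
# Added example (not Azure Databricks documentation code): report the encryption
# key source of the storage account(s) backing a workspace's DBFS root.
set -eu

# Resolve the managed resource group from the workspace, then list each storage
# account in it with its encryption key source and, when a customer-managed key
# is configured, the Key Vault URI and key name in use.
dbfs_root_key_source() {
  workspace="$1"
  rg="$2"
  managed_rg=$(az databricks workspace show -n "$workspace" -g "$rg" \
                 --query managedResourceGroupId -o tsv)
  managed_rg=${managed_rg##*/}   # keep only the group name from the ARM id
  az storage account list -g "$managed_rg" \
     --query "[].{name:name, keySource:encryption.keySource, vault:encryption.keyVaultProperties.keyVaultUri, key:encryption.keyVaultProperties.keyName}" \
     -o tsv
}

# Translate a keySource value: Microsoft.Keyvault means a customer-managed key
# is in effect; Microsoft.Storage is the Microsoft-managed default.
classify_key_source() {
  case "$1" in
    Microsoft.Keyvault) echo "customer-managed" ;;
    Microsoft.Storage)  echo "microsoft-managed" ;;
    *)                  echo "unknown"; return 1 ;;
  esac
}

# Usage (requires a signed-in Azure CLI session):
#   dbfs_root_key_source <workspace-name> <resource-group>
```

Pair the second column of the output with `classify_key_source` to flag any root storage account still reporting `Microsoft.Storage` after the key was added.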

There are three ways of enabling customer-managed keys for your DBFS storage: