Customer-managed keys for managed services
Note
This feature requires the Premium plan.
For additional control of your data, you can add your own key to protect and control access to some types of data. Azure Databricks has three customer-managed key features for different types of data and locations. To compare them, see Customer-managed keys for encryption.
Managed services data in the Azure Databricks control plane is encrypted at rest. You can add a customer-managed key for managed services to help protect and control access to the following types of encrypted data:
- Notebook source in the Azure Databricks control plane
- Notebook results for notebooks run interactively (not as jobs) that are stored in the control plane. By default, larger results are also stored in your workspace root bucket. You can configure Azure Databricks to store all interactive notebook results in your cloud account.
- Secrets stored by the secret manager APIs.
- Databricks SQL queries and query history.
- Personal access tokens (PAT) or other credentials used to set up Git integration with Databricks Git folders.
After you add a customer-managed key for managed services encryption for a workspace, Azure Databricks uses your key to control access to the key that encrypts future write operations to your workspace's managed services data. Existing data is not re-encrypted. The data encryption key is cached in memory for several read and write operations and evicted from memory at a regular interval. New requests for that data require another request to your cloud service's key management system. If you delete or revoke your key, reading or writing to the protected data fails at the end of the cache time interval. You can rotate (update) the customer-managed key at a later time.
Important
If you rotate the key, you must keep the old key available for 24 hours.
This feature does not encrypt data stored outside the control plane. To encrypt data in your workspace storage account, refer to Customer-managed keys for DBFS root.
You can enable customer-managed keys using Azure Key Vault vaults or Azure Key Vault HSMs: