Customer-managed keys for DBFS root

Note

This feature is available only in the Premium plan.

For additional control of your data, you can add your own key to protect and control access to some types of data. Azure Databricks has two customer-managed key features that involve different types of data and locations. For a comparison, see Customer-managed keys for encryption.

By default, the storage account is encrypted with Azure-managed keys. After you add a customer-managed key for DBFS root, Azure Databricks uses your key to encrypt all the data in the workspace's root Blob storage.

  • The root Blob storage contains your workspace's DBFS root, which is the default storage location in DBFS. Databricks File System (DBFS) is a distributed file system mounted into an Azure Databricks workspace and available on Azure Databricks clusters. DBFS is implemented as a Blob storage instance in your Azure Databricks workspace's managed resource group. The DBFS root storage includes MLflow Models and Delta Live Tables data in your DBFS root (but not data on DBFS mounts).
  • The root Blob storage also includes your workspace's system data (not directly accessible to you using DBFS paths), which includes job results, Databricks SQL results, notebook revisions, and some other workspace data.

Important

This feature affects your DBFS root but is not used for encrypting data on any additional DBFS mounts such as DBFS mounts of additional Blob or ADLS storage.

You must store your customer-managed keys in an Azure Key Vault vault.

The Key Vault must be in the same Azure tenant as your Azure Databricks workspace.
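As an added example (not part of this page or of Azure Databricks itself), the following Python check reads the workspace and Key Vault resource descriptions and confirms the requirements stated above: the workspace is on the Premium SKU, DBFS root encryption actually points at Key Vault rather than Azure-managed keys, the vault URI the workspace references is the vault being inspected, and that vault sits in the same tenant as the workspace. The two JSON documents are constructed samples shaped like the output of `az databricks workspace show` and `az keyvault show`; the field names inside the encryption block (`keySource`, `keyName`, `keyversion`, `keyvaulturi`) are an assumption taken from the Microsoft.Databricks/workspaces ARM parameters and should be verified against your own deployment's JSON.

```python
"""Offline check of an Azure Databricks workspace's DBFS root CMK settings.

Example code, not Azure Databricks' own. Inputs are plain dicts shaped like
`az databricks workspace show` and `az keyvault show` JSON; all sample data
below is constructed.
"""
from urllib.parse import urlparse

# Constructed sample: workspace resource JSON (trimmed). The encryption block
# uses the Microsoft.Databricks/workspaces ARM parameter names as an
# assumption: keySource, keyName, keyversion, keyvaulturi.
WORKSPACE = {
    "name": "example-workspace",
    "sku": {"name": "premium"},
    "properties": {
        "parameters": {
            "prepareEncryption": {"value": True},
            "encryption": {
                "value": {
                    "keySource": "Microsoft.Keyvault",
                    "keyName": "dbfs-root-key",
                    "keyversion": "0123456789abcdef0123456789abcdef",
                    "keyvaulturi": "https://example-kv.vault.azure.net/",
                }
            },
        }
    },
}

# Constructed sample: Key Vault resource JSON (trimmed).
KEYVAULT = {
    "name": "example-kv",
    "properties": {
        "tenantId": "00000000-0000-0000-0000-00000000aaaa",
        "vaultUri": "https://example-kv.vault.azure.net/",
    },
}

# Tenant the workspace lives in (constructed; in practice take it from
# `az account show`).
WORKSPACE_TENANT = "00000000-0000-0000-0000-00000000aaaa"


def _lookup(d, key):
    """Case-insensitive dict lookup, since ARM property names are not case-sensitive."""
    for k, v in d.items():
        if k.lower() == key.lower():
            return v
    return None


def check_dbfs_root_cmk(workspace, keyvault, tenant_id):
    """Return a list of findings; an empty list means the configuration meets
    the requirements on this page (Premium plan, key held in Key Vault, vault
    URI matches the vault inspected, vault in the same tenant as the workspace)."""
    findings = []

    sku = (workspace.get("sku") or {}).get("name", "")
    if sku.lower() != "premium":
        findings.append(f"sku is '{sku}': customer-managed keys for DBFS root need the Premium plan")

    params = workspace.get("properties", {}).get("parameters", {})
    enc = (_lookup(params, "encryption") or {}).get("value") or {}
    if (_lookup(enc, "keySource") or "").lower() != "microsoft.keyvault":
        # Without a Key Vault key source the root Blob storage stays on Azure-managed keys.
        findings.append("keySource is not Microsoft.Keyvault: DBFS root is still encrypted with Azure-managed keys")
        return findings

    for field in ("keyName", "keyversion", "keyvaulturi"):
        if not _lookup(enc, field):
            findings.append(f"encryption block is missing {field}")

    # The vault the workspace points at must be the vault whose tenant we check.
    ws_uri = _lookup(enc, "keyvaulturi") or ""
    kv_uri = keyvault.get("properties", {}).get("vaultUri", "")
    if urlparse(ws_uri).netloc.lower() != urlparse(kv_uri).netloc.lower():
        findings.append(f"workspace references {ws_uri} but the vault inspected is {kv_uri}")

    # Same-tenant requirement from this page.
    kv_tenant = keyvault.get("properties", {}).get("tenantId", "")
    if kv_tenant.lower() != tenant_id.lower():
        findings.append(f"Key Vault tenant {kv_tenant} differs from workspace tenant {tenant_id}")

    return findings


if __name__ == "__main__":
    for finding in check_dbfs_root_cmk(WORKSPACE, KEYVAULT, WORKSPACE_TENANT) or ["OK"]:
        print(finding)
```

Note that a clean result only covers the DBFS root: mounts of additional Blob or ADLS storage are encrypted by those accounts' own settings and are not examined here.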

You can enable customer-managed keys using Azure Key Vault vaults for your DBFS storage in three different ways: