Configure HSM customer-managed keys for DBFS using PowerShell

Note

This feature is available only in the Premium plan.

You can use PowerShell to configure your own encryption key to encrypt the workspace storage account. This article describes how to configure your own key from Azure Key Vault Managed HSM. For instructions on using a key from Azure Key Vault vaults, see Configure customer-managed keys for DBFS using PowerShell.

Important

The Key Vault must be in the same Azure tenant as your Azure Databricks workspace.

For more information about customer-managed keys for DBFS, see Customer-managed keys for DBFS root.

Install the Azure Databricks PowerShell module

  1. Install Azure PowerShell.
  2. Install the Azure Databricks PowerShell module.

Prepare a new or existing Azure Databricks workspace for encryption

Replace the placeholder values in brackets with your own values. The <workspace-name> is the resource name as displayed in the Azure portal.

Prepare encryption when you create a workspace:

$workspace = New-AzDatabricksWorkspace -Name <workspace-name> -Location <workspace-location> -ResourceGroupName <resource-group> -Sku premium -PrepareEncryption

Prepare an existing workspace for encryption:

$workspace = Update-AzDatabricksWorkspace -Name <workspace-name> -ResourceGroupName <resource-group> -PrepareEncryption

For more information about PowerShell cmdlets for Azure Databricks workspaces, see the Az.Databricks reference.

Create an Azure Key Vault Managed HSM and an HSM key

You can use an existing Azure Key Vault Managed HSM or create and activate a new one following Quickstart: Provision and activate a Managed HSM using PowerShell. The Azure Key Vault Managed HSM must have Purge Protection enabled.

To create an HSM key, follow Create an HSM key.

Configure the Managed HSM role assignment

Configure a role assignment for the Key Vault Managed HSM so that your Azure Databricks workspace has permission to access it. Replace the placeholder values in brackets with your own values.

New-AzKeyVaultRoleAssignment -HsmName <hsm-name> `
    -RoleDefinitionName "Managed HSM Crypto Service Encryption User" `
    -ObjectId $workspace.StorageAccountIdentityPrincipalId

Configure DBFS encryption with customer-managed keys

Configure your Azure Databricks workspace to use the key you created in your Azure Key Vault. Replace the placeholder values in brackets with your own values.

Update-AzDatabricksWorkspace -ResourceGroupName <resource-group> `
    -Name <workspace-name>
    -EncryptionKeySource Microsoft.Keyvault `
    -EncryptionKeyName <key-name> `
    -EncryptionKeyVersion <key-version> `
    -EncryptionKeyVaultUri <hsm-uri>

Disable customer-managed keys

When you disable customer-managed keys, your storage account is once again encrypted with Azure-managed keys.

Replace the placeholder values in brackets with your own values and use the variables defined in the previous steps.

Update-AzDatabricksWorkspace -Name <workspace-name> -ResourceGroupName <resource-group> -EncryptionKeySource Default