Customer-managed keys for encryption

Important

This feature is in Public Preview.

Note

This feature requires the Premium Plan.

For some types of data, Azure Databricks supports adding a customer-managed key to help protect and control access to encrypted data. Azure Databricks has two customer-managed key features, each covering a different type of data: customer-managed keys for managed services, which cover data stored in the control plane, and customer-managed keys for DBFS root, which cover data stored in your workspace's root Blob storage in your Azure subscription.

The following table lists which customer-managed key feature applies to which type of data.

| Type of data | Location | Customer-managed key feature |
|---|---|---|
| Notebook source and metadata | Control plane | Managed services |
| Secrets stored by the secret manager APIs | Control plane | Managed services |
| Databricks SQL queries and query history | Control plane | Managed services |
| Customer-accessible DBFS root data | Your workspace's DBFS root in your workspace root Blob storage in your Azure subscription. This also includes workspace libraries and the FileStore area. | DBFS root |
| Job results | Workspace root Blob storage instance in your Azure subscription | DBFS root |
| Databricks SQL results | Workspace root Blob storage instance in your Azure subscription | DBFS root |
| Interactive notebook results | By default, when you run a notebook interactively (rather than as a job), results are stored in the control plane for performance, with some large results stored in your workspace root Blob storage in your Azure subscription. You can choose to configure Azure Databricks to store all interactive notebook results in your Azure subscription. | For partial results in the control plane, use a customer-managed key for managed services. For results in the root Blob storage, which you can configure for all result storage, use a customer-managed key for DBFS root. |
| Other workspace system data in the root Blob storage that is inaccessible through DBFS, such as notebook revisions | Workspace root Blob storage in your Azure subscription | DBFS root |

For additional security for your workspace’s root Blob storage instance in your Azure subscription, you can enable double encryption for the DBFS root.