Configure customer-managed keys for DBFS root

Note

This feature is available only in the Azure Databricks Premium Plan.

Databricks File System (DBFS) is a distributed file system mounted into an Azure Databricks workspace and available on Azure Databricks clusters. DBFS is implemented as a storage account in your Azure Databricks workspace’s managed resource group. The default storage location in DBFS is known as the DBFS root. By default, the storage account is encrypted with Microsoft-managed keys.

With customer-managed keys (CMK) for the DBFS root, you can use your own encryption key to encrypt the DBFS storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in the key vault, or you can use the Azure Key Vault APIs to generate keys.
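To audit which of these two states a workspace is in, the following added example (not part of the original page or of the product documentation) classifies a workspace resource document, for instance the JSON returned by `az databricks workspace show`, as Microsoft-managed or customer-managed. The field names under `parameters.encryption.value` are assumed from the ARM workspace resource shape, and the sample document and its values are constructed.

```python
import json

# Constructed sample: trimmed workspace resource in the REST/ARM shape.
# Field names (keySource, KeyName, keyvaulturi, keyversion) are assumptions.
SAMPLE_CMK = json.loads("""
{
  "name": "example-workspace",
  "properties": {"parameters": {
    "prepareEncryption": {"type": "Bool", "value": true},
    "encryption": {"type": "Object", "value": {
      "keySource": "Microsoft.Keyvault",
      "KeyName": "example-key",
      "keyvaulturi": "https://example-vault.vault.azure.net",
      "keyversion": "constructed-version-placeholder"
    }}
  }}
}
""")

REQUIRED = ("keyname", "keyvaulturi")  # without these the CMK reference is unusable


def _lower_keys(d):
    """Lower-case dict keys so 'KeyName' and 'keyName' are treated alike."""
    return {k.lower(): v for k, v in (d or {}).items()}


def dbfs_root_encryption(workspace):
    """Return (status, details) describing how the DBFS root is encrypted."""
    # Accept the REST shape ("properties" wrapper) or a flattened CLI shape.
    props = workspace.get("properties", workspace)
    params = _lower_keys(props.get("parameters"))
    enc = _lower_keys(_lower_keys(params.get("encryption")).get("value"))
    source = str(enc.get("keysource", "Default")).lower()
    if source != "microsoft.keyvault":
        return "microsoft-managed", {}
    details = {f: enc.get(f) for f in REQUIRED + ("keyversion",)}
    missing = [f for f in REQUIRED if not details[f]]
    if missing:
        return "cmk-incomplete", {"missing": missing}
    return "customer-managed", details


if __name__ == "__main__":
    print(dbfs_root_encryption(SAMPLE_CMK))
```
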

There are three ways of enabling customer-managed keys for your DBFS storage: