Configure customer-managed keys for DBFS using the Azure portal


This feature is available only in the Azure Databricks Premium Plan.

You can use the Azure portal to configure your own encryption key to encrypt the DBFS root storage account. You must use Azure Key Vault to store the key.

For more information about customer-managed keys for DBFS, see Configure customer-managed keys for DBFS root.

Create a key in Azure Key Vault


If you already have an existing key vault in the same region and same Azure Active Directory (Azure AD) tenant as your Azure Databricks workspace, you can skip the first step in this procedure. However, be aware that when you use the Azure portal to assign a customer-managed key for DBFS root encryption, the system enables the Soft Delete and Do Not Purge properties by default for your key vault. For more information about these properties, see Azure Key Vault soft-delete overview.

  1. Create a key vault following the instructions in Quickstart: Set and retrieve a key from Azure Key Vault using the Azure portal.

    The Azure Databricks workspace and the key vault must be in the same region and the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

  2. Create a key in the key vault, continuing to follow the instructions in the Quickstart.

    DBFS root storage supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. For more information about keys, see About Key Vault keys.

  3. Once your key is created, copy and paste the Key Identifier into a text editor. You will need it when you configure your key for Azure Databricks.

Encrypt the DBFS root storage account using your key

  1. Go to your Azure Databricks service resource in the Azure portal.

  2. In the left menu, under Settings, select Encryption.

    Encryption option for Azure Databricks

  3. Select Use your own key, enter your key’s Key Identifier, and select the Subscription that contains the key.

    Enable customer-managed keys in Azure portal

  4. Click Save to save your key configuration.


    Only users with the key vault Contributor role or higher for the key vault can save.

When the encryption is enabled, the system enables Soft-Delete and Purge Protection on the key vault, creates a managed identity on the DBFS root, and adds an access policy for this identity in the key vault.

Regenerate (rotate) keys

When you regenerate a key, you must return to the Encryption page in your Azure Databricks service resource, update the Key Identifier field with your new key identifier, and click Save. This applies to new versions of the same key as well as new keys.


If you delete the key that is used for encryption, the data in the DBFS root cannot be accessed. You can use the Azure Key Vault APIs to recover deleted keys.