Customer-managed keys for encryption

Preview

This feature is in Public Preview.

Note

Customer-managed key features require your workspace to be on the E2 version of the Databricks platform. These features require the Enterprise pricing tier.

Some services and data support adding a customer-managed key to help protect and control access to encrypted data. Databricks has two customer-managed key features, which cover different types of data in different locations:

- Customer-managed keys for managed services: data that Databricks stores in the control plane (notebooks, secrets, Databricks SQL queries).
- Customer-managed keys for workspace storage: data in your AWS account, that is, the workspace root S3 bucket and the EBS volumes of Classic data plane compute.

The following table lists which customer-managed key feature applies to which type of data.

| Type of data | Location | Which customer-managed key feature to use |
|---|---|---|
| Notebook source and metadata | Control plane | Managed services |
| Secrets stored by the secret manager APIs | Control plane | Managed services |
| Databricks SQL queries and query history | Control plane | Managed services |
| Remote EBS volumes for Databricks Runtime cluster nodes and other compute resources | Data plane in your AWS account. Applies only to compute resources in the Classic data plane, not the Serverless data plane. | Workspace storage |
| Customer-accessible DBFS root data | Your workspace's DBFS root in your workspace root S3 bucket in your AWS account. This also includes workspace libraries and the FileStore area. | Workspace storage |
| Job results | Workspace root S3 bucket in your AWS account | Workspace storage |
| Databricks SQL query results | Workspace root S3 bucket in your AWS account | Workspace storage |
| Interactive notebook results | By default, when you run a notebook interactively (rather than as a job), results are stored in the control plane for performance, with some large results stored in your workspace root S3 bucket in your AWS account. You can configure Databricks to store all interactive notebook results in your AWS account instead. | For the partial results in the control plane, use a customer-managed key for managed services. For results in the root S3 bucket, which you can configure to hold all results, use a customer-managed key for workspace storage. |
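The table is easy to misread when auditing an account: a key registered for workspace storage alone protects nothing in the control plane, and interactive notebook results need both features unless the workspace stores all results in your account. The following checker makes that explicit. It is an added example and not Databricks code; the input shapes (a key configuration with `customer_managed_key_id`, `aws_key_info` and `use_cases`, and a workspace carrying `managed_services_customer_managed_key_id` and `storage_customer_managed_key_id`) are an assumption modelled on the Account API objects, and the sample input is constructed, so check the field names against your own API output before relying on it.

```python
"""Report which data in a Databricks (AWS) workspace is still not protected by a
customer-managed key (CMK), given the account's CMK configurations.

Added example; this is not Databricks code. The input shapes are an ASSUMPTION
modelled on the Account API objects (customer_managed_key_id, aws_key_info,
use_cases on a key configuration; *_customer_managed_key_id on a workspace).
"""
from __future__ import annotations

MANAGED_SERVICES = "MANAGED_SERVICES"  # control-plane data: notebooks, secrets, SQL queries
STORAGE = "STORAGE"                    # root S3 bucket and Classic data plane EBS volumes


def required_features(results_in_customer_account: bool) -> dict[str, set[str]]:
    """Map each class of data from the table to the CMK feature(s) it needs."""
    required = {
        "notebook source and metadata": {MANAGED_SERVICES},
        "secrets (secret manager APIs)": {MANAGED_SERVICES},
        "Databricks SQL queries and query history": {MANAGED_SERVICES},
        "cluster EBS volumes (Classic data plane)": {STORAGE},
        "DBFS root, workspace libraries, FileStore": {STORAGE},
        "job results": {STORAGE},
        "Databricks SQL query results": {STORAGE},
    }
    # Edge case: interactive notebook results are split between the control
    # plane and the root S3 bucket by default, so both features are needed.
    # Once the workspace stores all results in your account, STORAGE suffices.
    if results_in_customer_account:
        required["interactive notebook results"] = {STORAGE}
    else:
        required["interactive notebook results"] = {MANAGED_SERVICES, STORAGE}
    return required


def active_features(workspace: dict, key_configs: list[dict]) -> set[str]:
    """CMK use cases actually in force for a workspace.

    A use case counts only when the workspace slot references a known key
    configuration AND that configuration lists the use case; a key registered
    for STORAGE alone does not protect managed services.
    """
    by_id = {cfg["customer_managed_key_id"]: cfg for cfg in key_configs}
    slots = {
        MANAGED_SERVICES: workspace.get("managed_services_customer_managed_key_id"),
        STORAGE: workspace.get("storage_customer_managed_key_id"),
    }
    active: set[str] = set()
    for use_case, key_id in slots.items():
        cfg = by_id.get(key_id)
        if cfg is not None and use_case in cfg.get("use_cases", []):
            active.add(use_case)
    return active


def cmk_gaps(workspace: dict, key_configs: list[dict],
             results_in_customer_account: bool = False) -> dict[str, set[str]]:
    """Return {data class: missing CMK features} for everything not yet covered."""
    active = active_features(workspace, key_configs)
    gaps: dict[str, set[str]] = {}
    for data, needed in required_features(results_in_customer_account).items():
        missing = needed - active
        if missing:
            gaps[data] = missing
    return gaps


# Constructed sample input (not real account data): one key registered for
# storage only, one for both use cases, and a workspace using only the first.
SAMPLE_KEY_CONFIGS = [
    {
        "customer_managed_key_id": "cmk-storage-only",
        "aws_key_info": {
            "key_arn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001",
            "key_region": "us-east-1",
        },
        "use_cases": [STORAGE],
    },
    {
        "customer_managed_key_id": "cmk-both",
        "aws_key_info": {
            "key_arn": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002",
            "key_region": "us-east-1",
        },
        "use_cases": [MANAGED_SERVICES, STORAGE],
    },
]

SAMPLE_WORKSPACE = {
    "workspace_id": 1234567890,
    "storage_customer_managed_key_id": "cmk-storage-only",
    "managed_services_customer_managed_key_id": None,
}

if __name__ == "__main__":
    for data, missing in sorted(cmk_gaps(SAMPLE_WORKSPACE, SAMPLE_KEY_CONFIGS).items()):
        print(f"{data}: missing {', '.join(sorted(missing))}")
```

For the sample workspace the report lists the three control-plane data classes plus interactive notebook results as missing the managed services key; passing `results_in_customer_account=True` drops interactive notebook results from the report because the storage key then covers them entirely. The check in `active_features` deliberately refuses to count a key whose `use_cases` does not include the slot it is assigned to, so a copy-paste of the wrong key ID shows up as a gap rather than as coverage.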