Lakebase Customer-Managed Keys (CMK) lets enterprises control encryption across both the storage and compute layers of Databricks' Lakebase Postgres architecture. It uses a hierarchical envelope-encryption model: the customer's key in AWS KMS, Azure Key Vault, or Google Cloud KMS never leaves the customer's cloud environment, and Databricks only ever holds data keys wrapped under a specific version of that key. Coverage extends to persistent storage (WAL segments, data files) and to ephemeral compute data (OS caches, temp files). Key rotation re-wraps data keys under the new key version without re-encrypting stored data; revoking the key makes the data cryptographically inaccessible and terminates active compute instances. Configuration follows the Databricks account-to-workspace delegation model, and every cryptographic operation against the customer key is logged in the cloud provider's audit service (CloudTrail, Azure Monitor, or Cloud Audit Logs). CMK is available to Enterprise tier customers.
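The key hierarchy the summary describes, worked through as an added example (not Databricks code and not a description of Lakebase internals): a customer-side KMS key (KEK) that only exposes wrap/unwrap, a service-side store that holds only the wrapped data key (DEK) and ciphertext, rotation by re-wrapping the DEK, and revocation by disabling the KEK. The `CustomerKmsKey` and `ServiceSideStore` classes, the sample WAL record, and the cipher are all constructed for the illustration; the cipher is a toy HMAC-SHA256 stream-plus-MAC so the block runs with the standard library alone, where a real system would use the provider's KMS API and AES-GCM.

```python
"""Envelope encryption with a customer-managed KEK, standard-library only (illustrative)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Sealed = Tuple[bytes, bytes, bytes]          # (nonce, ciphertext, tag)
WrappedDek = Tuple[int, bytes, bytes, bytes]  # (kek_version, nonce, ciphertext, tag)


def _derive(key: bytes, label: bytes) -> bytes:
    """Domain-separate one 32-byte key into an encryption key and a MAC key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> Sealed:
    """Toy AEAD (encrypt-then-MAC). Stand-in for AES-GCM, not for production use."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKmsKey:
    """Stands in for the customer's CMK in AWS KMS / Azure Key Vault / Google Cloud KMS.
    Raw key material never leaves this object; the service only sees wrapped DEKs."""

    def __init__(self) -> None:
        self._versions: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.current_version = 1
        self.enabled = True
        self.audit_log: List[str] = []  # mirrors the provider's audit trail

    def rotate(self) -> int:
        self.current_version += 1
        self._versions[self.current_version] = secrets.token_bytes(32)
        self.audit_log.append(f"RotateKey version={self.current_version}")
        return self.current_version

    def disable(self) -> None:  # revocation: every later unwrap fails
        self.enabled = False
        self.audit_log.append("DisableKey")

    def wrap(self, dek: bytes) -> WrappedDek:
        if not self.enabled:
            raise PermissionError("KEK disabled")
        v = self.current_version
        self.audit_log.append(f"Encrypt version={v}")
        return (v, *seal(self._versions[v], dek))

    def unwrap(self, wrapped: WrappedDek) -> bytes:
        if not self.enabled:
            raise PermissionError("KEK disabled")
        v, nonce, ct, tag = wrapped
        self.audit_log.append(f"Decrypt version={v}")
        return unseal(self._versions[v], nonce, ct, tag)


class ServiceSideStore:
    """Service side: holds only the wrapped DEK and ciphertext (think WAL segments, data pages)."""

    def __init__(self, kms: CustomerKmsKey) -> None:
        self.kms = kms
        self.wrapped_dek = kms.wrap(secrets.token_bytes(32))
        self.segments: Dict[str, Sealed] = {}

    def _dek(self) -> bytes:
        return self.kms.unwrap(self.wrapped_dek)  # raises once the customer revokes the KEK

    def write(self, name: str, data: bytes) -> None:
        self.segments[name] = seal(self._dek(), data)

    def read(self, name: str) -> bytes:
        return unseal(self._dek(), *self.segments[name])

    def rewrap_dek(self) -> int:
        """Rotation: re-wrap the DEK under the current KEK version; stored data is untouched."""
        self.wrapped_dek = self.kms.wrap(self.kms.unwrap(self.wrapped_dek))
        return self.wrapped_dek[0]


def demo() -> dict:
    kms = CustomerKmsKey()
    store = ServiceSideStore(kms)
    record = b"INSERT INTO accounts VALUES (1, 'alice');"  # constructed sample WAL record
    store.write("wal/000001", record)
    before, old_version = store.read("wal/000001"), store.wrapped_dek[0]
    segment_before = store.segments["wal/000001"]
    kms.rotate()
    new_version = store.rewrap_dek()
    after_rotation = store.read("wal/000001")
    kms.disable()
    try:
        store.read("wal/000001")
        revoked = False
    except PermissionError:
        revoked = True
    return {"before": before, "after_rotation": after_rotation, "old_version": old_version,
            "new_version": new_version, "segment_unchanged": segment_before == store.segments["wal/000001"],
            "revoked": revoked, "audit_log": kms.audit_log}
```

Two points the code makes concrete: rotation only rewrites the small wrapped-DEK record (the stored segments are byte-for-byte unchanged), and revocation works because the service never holds an unwrapped DEK durably; in the real architecture a DEK cached in compute memory is the reason revocation must also terminate running instances rather than rely on the next unwrap failing.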
Table of contents
The Architecture of Lakebase Encryption
The Key Hierarchy
CMK in Practice: Storage and Compute
Implementing CMK in the Lakebase Workflow
Security Auditability
Get Started with Enhanced Data Sovereignty