Customer-managed keys in Fabric SQL Database (Preview)
Customer-managed keys in Fabric SQL Database – a major step forward in empowering organizations to take control of their data security and compliance.
Why customer-managed keys matter
Microsoft Fabric already encrypts all data-at-rest using Microsoft-managed keys. But for organizations with strict data governance policies or regulatory requirements, CMK offers an additional layer of control and flexibility.
With CMK, you can use your own Azure Key Vault keys to encrypt SQL database data in Fabric workspaces, giving you:
- Key ownership and rotation control.
- Granular access management.
- Auditability of key usage.
- Compliance with industry-specific encryption standards.
Seamless integration with Transparent Data Encryption
Once CMK is configured for a Fabric workspace, Transparent Data Encryption is automatically enabled for all SQL databases (including tempdb) in that workspace. This means:
- Real-time encryption and decryption of data, backups, and transaction logs.
- Encryption at the page level using a symmetric Database Encryption Key (DEK).
- DEK protection via the customer-managed asymmetric key from Azure Key Vault.
No manual steps are required encryption begins automatically and applies to both existing and newly created databases.
What our customers are saying about Customer-managed keys
Using Fabric is a key part of our operations, and features such as customer managed keys play an important role in supporting our clients who have high security and regulatory standards. This capability gives them more flexibility and assurance when it comes to managing data encryption. The setup process is straightforward and does not require extensive technical effort.
Ivan van Rooyen – Data and AI Practice Lead
Customer-managed keys in Fabric SQL Database have empowered us to securely develop AI project notebooks, data flows, and Airflow orchestration. Beyond security, it provided us with early insights into Fabric’s evolving capabilities, helping us align our architecture with upcoming features and plan confidently for future innovation.
Vikram Hodachalli – Architect
Get started
Follow the steps on Customer-managed keys for Fabric workspaces – Microsoft Fabric | Microsoft Learn to enable encryption using customer-managed keys.
Query to verify successful CMK encryption
Once you enable CMK in the workspace the existing database will be encrypted or when you create a new database in a workspace that has CMK enabled. To verify if your database is successfully encrypted, run the following query.
SELECT DB_NAME(database_id) as DatabaseName, * FROM sys.dm_database_encryption_keys WHERE database_id <> 2
A database is encrypted if the encryption_state_desc field displays “ENCRYPTED” (or “ENCRYPTION_IN_PROGRESS” during encryption) with ASYMMETRIC_KEY as encryptor_type; otherwise, it will not show up in this DMV if the database is not encrypted.
Learn more
Data encryption in SQL database
Customer-managed keys for Fabric workspaces
We hope you enjoy this new offer; we look forward to your feedback as we continue to enhance data security in Microsoft Fabric.
