Customer Managed Keys in OneLake: Strengthening Data Protection and Control
One of the highly requested features in Microsoft Fabric is now available: the ability to encrypt data in OneLake using your own keys. As organizations face growing data volumes and tighter regulatory expectations, Customer-Managed Keys (CMK) offer a powerful way to enforce enterprise-grade security and ensure strict ownership of encryption keys and access.
With Microsoft’s OneLake, we’ve built a unified data lake that’s open, secure, and ready for enterprise scale. Now, with support for CMK, we’re giving customers the power to take encryption into their own hands.
Why Customer Managed Keys Matter
By default, Microsoft encrypts all data at rest in OneLake using Microsoft-managed keys (MMK). While this provides a strong baseline of security, many organizations – especially those in regulated industries like finance, healthcare, and government – require more control over encryption. CMK addresses this need by allowing customers to use their own keys, stored in Azure Key Vault, to encrypt data in OneLake.
Imagine a financial services firm that needs to demonstrate full control over data encryption to auditors. With CMK, they can show that only their security team has access to the encryption key—and that revoking the key blocks access to sensitive data.
Or consider a healthcare provider that needs to rotate encryption keys every 90 days. With CMK, they can automate key rotation policies in Azure Key Vault and maintain compliance without disrupting analytics workflows. This capability not only enhances data sovereignty and compliance but also empowers customers to implement their own key rotation policies, revoke access when needed, and monitor key usage independently.
Getting Started
Enabling Customer Managed Keys (CMK) in OneLake is a straightforward process that puts encryption control directly in your hands. Here’s how to get started:
- Set Up Your Azure Key Vault and Key: Begin by creating or identifying an existing Azure Key Vault in your subscription. This is where your Key Encryption Key (KEK) will reside. Ensure the vault is configured with the appropriate access policies to allow the Fabric workspace to use the key. Make note of the key’s URI—this will be required when enabling CMK.
- Enable CMK: Navigate to your workspace settings in Microsoft Fabric. Under the encryption section, turn on ‘Apply Customer-managed key’ and provide the Key Vault URI. Once saved, all data written to OneLake in that workspace will be protected using your key.
- Monitor and Manage: Use Azure Key Vault monitoring tools to track key usage, configure alerts, and manage key rotation policies. If needed, you can revoke access to the key at any time—OneLake will automatically block read/write operations within an hour, ensuring your data remains secure.
To learn more, refer to the Customer-managed keys for Fabric workspaces documentation.
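As an added example (not part of the original post or of the Fabric documentation), the Key Vault side of the setup and monitoring steps above, scripted with Az PowerShell. The vault name, resource group, location, Log Analytics workspace ID and the object ID are placeholders; the object ID must be the principal that the Fabric workspace uses to reach the key, as described in the Customer-managed keys documentation.

```powershell
# Added example: prepare an Azure Key Vault and KEK for OneLake CMK.
# Placeholder values; replace with your own. Requires Az.KeyVault and Az.Monitor.
$ResourceGroup  = 'rg-fabric-cmk'
$VaultName      = 'kv-fabric-cmk-example'                      # placeholder, must be globally unique
$KeyName        = 'onelake-kek'
$Location       = 'eastus'
$FabricObjectId = '<object-id-of-the-principal-Fabric-uses>'   # placeholder
$LogAnalyticsId = '<resource-id-of-a-log-analytics-workspace>' # placeholder

Connect-AzAccount | Out-Null

# Vault with purge protection: a revoked or deleted KEK stays recoverable,
# so an accidental deletion cannot permanently lock the workspace's data.
$vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
    -Location $Location -EnablePurgeProtection

# The Key Encryption Key (KEK) itself, software-protected RSA with a 2-year expiry.
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
    -Destination Software -KeyType RSA -Size 3072 -Expires (Get-Date).AddYears(2)

# Least privilege: the Fabric principal only needs to read key metadata and
# wrap/unwrap data keys, never to create, delete or export the KEK.
# (Applies to vaults using the access-policy permission model, as in the post.)
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $FabricObjectId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# Automatic 90-day rotation (the healthcare scenario above) plus a 30-day
# pre-expiry notification, in Key Vault's rotation policy JSON format.
$policy = @'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P90D" },  "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "P2Y" }
}
'@
$policyPath = Join-Path $env:TEMP 'rotation-policy.json'
Set-Content -Path $policyPath -Value $policy
Set-AzKeyVaultKeyRotationPolicy -VaultName $VaultName -Name $KeyName -PolicyPath $policyPath

# Monitoring: send Key Vault audit events (each wrap/unwrap, policy or key
# change) to Log Analytics so key usage can be tracked and alerted on independently.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AuditEvent
New-AzDiagnosticSetting -Name 'kv-audit' -ResourceId $vault.ResourceId `
    -WorkspaceId $LogAnalyticsId -Log $auditLog | Out-Null

# The key URI to enter under 'Apply Customer-managed key' in the workspace settings.
Write-Output "Key URI: $($key.Id)"
```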
Key Features and Benefits
- Workspace-Level Support: Customers can enable Customer Managed Keys (CMK) at the workspace level for more granular control. This allows organizations to selectively encrypt only the workspaces that require enhanced data protection, offering flexibility without enforcing a one-size-fits-all approach.
- Key Revocation and Rotation: Customers can revoke or rotate their key at any time. If access to the key is revoked, OneLake will fail read/write operations within an hour, effectively locking down the data.
- Fallback to MMK: If CMK is disabled, OneLake automatically reverts to using Microsoft-managed keys, ensuring continuous encryption and data protection.
Try It Today
Customer Managed Key support in OneLake (preview) is now available in limited regions. Try it out today and ensure your data at rest meets your organization’s compliance and governance standards!