Microsoft Fabric Updates Blog

Encrypt data at rest in your Fabric workspaces using customer-managed keys (Preview)

As organizations advance in their cloud platform journey, ensuring robust data security remains fundamental. Encryption plays a crucial role in defense-in-depth strategies used to safeguard sensitive information by adding a layer of protection against unauthorized access. In addition to strengthening your security posture, encryption supports your organization’s internal security, data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI, and FedRAMP lay out specific safeguards regarding data protection and encryption requirements. In such cases, encryption is not just critical – it’s mandatory!

By default, Fabric encrypts all data at rest using Microsoft-managed keys and data in transit with at least TLS 1.2. Today, we’re announcing the preview of customer-managed keys, giving you more control over how your data at rest is encrypted. Customer-managed keys (CMK) are encryption keys that you create, own, and manage in your Azure Key Vault (AKV). Customer-managed keys are a powerful way to enhance control over your data, as you create and directly control the lifecycle, access and usage of these keys. This added layer of control is especially valuable for organizations with strict compliance requirements or heightened security needs.

Encrypt data-at-rest in your Fabric workspaces using customer-managed keys 

The customer-managed keys feature uses envelope encryption, also referred to as wrapping, to add a second layer of encryption. When you specify a CMK, that key is used to protect and control access to the data encryption key (DEK), the key that encrypts your data. The key encryption key (KEK), which is the CMK in this case, never leaves your Key Vault, ensuring that you retain full control at all times.

In Fabric, you can set up encryption using CMK at the workspace level. Once enabled, all customer content stored in that workspace is encrypted using the specified CMK. CMK integrates with AKV’s access policies and role-based access control (RBAC), allowing you flexibility to define granular permissions based on your organization’s security model. If you choose to disable CMK encryption later, the workspace will revert to using Microsoft-managed keys. You can also revoke the key at any time—Fabric will block access to the encrypted data within 30 minutes of revocation. With workspace level granularity and control, you elevate the security of your data in Fabric. 
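The envelope pattern and the effect of revoking the key, as described above, sketched locally as an added example (this is not Fabric or Azure Key Vault code). The in-memory `createVault` stand-in, the RSA-OAEP wrap and the AES-256-GCM data cipher are assumptions chosen for illustration; the post does not state which algorithms Fabric uses.

```javascript
const crypto = require('node:crypto');

// Hypothetical stand-in for a key vault: the key encryption key (KEK) is
// created and used only inside this closure. Callers get wrap/unwrap
// operations, never the key material itself.
function createVault() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const oaep = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
  let revoked = false;
  return {
    wrapKey: (dek) => crypto.publicEncrypt({ key: publicKey, ...oaep }, dek),
    unwrapKey: (wrapped) => {
      if (revoked) throw new Error('KEK revoked: unwrap denied');
      return crypto.privateDecrypt({ key: privateKey, ...oaep }, wrapped);
    },
    revoke: () => { revoked = true; },
  };
}

// Encrypt data under a fresh DEK; only the wrapped DEK is stored with it.
function encryptEnvelope(vault, plaintext) {
  const dek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const record = { wrappedDek: vault.wrapKey(dek), iv, ciphertext, tag: cipher.getAuthTag() };
  dek.fill(0); // drop the plaintext DEK once the data is sealed
  return record;
}

// Every read has to ask the vault to unwrap the DEK first.
function decryptEnvelope(vault, record) {
  const dek = vault.unwrapKey(record.wrappedDek);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}

// Constructed sample data: read once, revoke the KEK, then try to read again.
function demo() {
  const vault = createVault();
  const record = encryptEnvelope(vault, Buffer.from('constructed sample row'));
  const before = decryptEnvelope(vault, record).toString();
  vault.revoke();
  let after = 'readable';
  try { decryptEnvelope(vault, record); } catch (e) { after = e.message; }
  return { before, after, storedKeyBytes: record.wrappedDek.length };
}
```

The stored record is unchanged by revocation; it becomes unreadable only because the DEK can no longer be unwrapped.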

Set up encryption for your Fabric workspace using customer-managed keys 

Workspace admins can set up encryption using customer-managed keys in workspace settings in the Fabric portal. Refer to the encryption documentation for a step-by-step guide.

A few points to consider

The CMK feature for Fabric workspaces is rolling out this week and will be available in select regions, supporting a limited set of Fabric items only. For details, check out the considerations section in the encryption documentation.

If you have data in other cloud storage services (ADLS Gen2, AWS S3, GCS) with CMK, you can access data from Microsoft Fabric using OneLake shortcuts as you could previously. 

Get started today 

At Fabric, we are committed to keeping your data secure and supporting you in reaching your security goals. Encryption using customer-managed keys is a step towards offering you complete control of the keys used to encrypt your data at the workspace level and meet the required compliance standards. 

We encourage you to test and share your feedback as we iterate to improve the experience. To learn more, please refer to the customer-managed keys for Fabric workspaces documentation. 

 
