Bringing Customer-Managed Keys to Fabric Warehouse and SQL Analytics Endpoint
With this release, customers gain greater control and assurance over the encryption of their most critical analytical workloads.
The Value of Customer-Managed Keys
Fabric already ensures that your data is encrypted at rest using Microsoft-managed keys. But for many organizations—especially in regulated industries—encryption alone isn’t enough. They need the ability to control and manage the keys that protect their data, aligning with internal compliance requirements, regulatory standards, and governance best practices.
- Customer Managed Keys: Store encryption keys in Azure Key Vault and use them to protect Fabric Warehouse and SQL Analytics Endpoint.
- Enhance security posture: Ensure encryption policies are enforced with customer-controlled lifecycle operations such as rotation and revocation.
- Meet compliance needs: Satisfy strict regulatory or contractual requirements for key management.
What Gets Encrypted
This Preview is an important first step in extending CMK protection beyond Fabric Workspaces into the core of Fabric Warehouse and SQL Analytics Endpoint.
- Current: CMK encrypts metadata—SQL objects like tables, views, stored procedures, and functions. This ensures that the logical structure and intellectual property of your database is protected under your control.
- Upcoming Enhancements: We’ll extend CMK coverage to include saved queries and other operational artifacts, further strengthening encryption coverage.
- Ongoing: All Fabric data at rest, including OneLake storage, continues to be encrypted. With CMK, you now decide which keys protect this data.
The Benefits for Your Organization
- Security Beyond OneLake: Not only is your raw data encrypted, but also the Warehouse metadata that defines how your data estate is structured.
- Granular Control: Rotate, disable, or revoke keys at any time, knowing that Fabric Warehouse and SQL Analytics Endpoint will honor those changes.
- Enterprise-Ready Governance: Ensure your Fabric workloads align with the same governance controls you apply across other Azure services like Storage, Synapse, and Key Vault.
Getting Started
To enable CMK for Fabric Warehouse and SQL Analytics Endpoint:
- Create or use an existing key in Azure Key Vault.
- Create a SPN to impersonate the communication between Fabric and Azure Key Vault.
- Enable CMK from your Fabric Workspace security settings.
4.After you complete the initial configuration, you can validate the progress on the same screen:
5. When the encryption progress completes, you will see the CMK status changing to Active:
Encryption, Now in Your Hands
We’re extending the power of Customer-Managed Keys into Fabric Warehouse and SQL Analytics Endpoint. This means encryption is no longer something managed only by the platform—it’s controlled by you. By integrating with Azure Key Vault, you decide which keys protect your metadata, when they should rotate, and if they should ever be revoked.
This is about more than compliance. It’s about trust, transparency, and control. Your organization holds the keys, and Fabric ensures that every piece of Warehouse metadata encrypted at rest honors those choices. As we continue to expand coverage to saved queries and beyond, the principle remains the same: we provide the encryption, you own the key.
For more details, refer to our documentation.
