Data security and encryption

This article introduces data security configurations to help protect your data.

For information about securing access to your data, see Data governance guide.

Overview of data security and encryption

Databricks provides encryption features to help protect your data. Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.

Feature                                 Pricing tier
Customer-managed keys for encryption    Premium
Workspace settings for data security    Standard

Enable customer-managed keys for encryption

  • Customer-managed keys for managed services: Managed services data in the Databricks control plane is encrypted at rest. You can add a customer-managed key for managed services to help protect and control access to the following types of encrypted data:

    • Notebook source files that are stored in the control plane.

    • Notebook results for notebooks that are stored in the control plane.

    • Secrets stored by the secret manager APIs.

    • Databricks SQL queries and query history.

    • Personal access tokens or other credentials used to set up Git integration with Databricks Repos.

  • Customer-managed keys for workspace storage: Databricks supports adding a customer-managed key for workspace storage to help protect and control access to data. You can configure your own key to encrypt the data on the GCS bucket associated with the Google Cloud project that you specified when you created your workspace. The same key is also used to encrypt your cluster’s GCE persistent disks.

For details of which customer-managed key features in Databricks protect which kinds of data, see Customer-managed keys for encryption.
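A check a defender typically wants after enabling a customer-managed key for workspace storage is confirmation that the workspace GCS bucket and the clusters' GCE persistent disks really do reference the same Cloud KMS key in the expected project. The following is an added example, not code from the Databricks documentation or product: it parses Cloud KMS resource names out of bucket and disk descriptions using the real field names of the GCS JSON API bucket resource (encryption.defaultKmsKeyName) and the Compute Engine disk resource (diskEncryptionKey.kmsKeyName). The bucket, disk and key names embedded below are constructed sample data, and the project name "example-project" is an assumption.

```python
import json
import re

# Constructed sample API responses (not real resources). Shapes follow the
# GCS JSON API bucket resource and the Compute Engine disk resource.
WORKSPACE_BUCKET_JSON = json.dumps({
    "name": "databricks-example-workspace-bucket",
    "encryption": {
        "defaultKmsKeyName": "projects/example-project/locations/us-central1"
                             "/keyRings/dbx-ring/cryptoKeys/dbx-workspace-key"
    },
})

CLUSTER_DISK_JSON = json.dumps({
    "name": "cluster-worker-0-pd",
    "diskEncryptionKey": {
        # Disks report the specific key version that encrypted them.
        "kmsKeyName": "projects/example-project/locations/us-central1"
                      "/keyRings/dbx-ring/cryptoKeys/dbx-workspace-key"
                      "/cryptoKeyVersions/3"
    },
})

# A disk with no diskEncryptionKey block is encrypted with Google-managed keys only.
UNENCRYPTED_DISK_JSON = json.dumps({"name": "cluster-worker-1-pd"})

# Cloud KMS resource name, with an optional cryptoKeyVersions suffix.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>\d+))?$"
)


def parse_kms_key(name):
    """Return (project, location, ring, key) for a Cloud KMS resource name,
    ignoring any key-version suffix. Returns None if the name is absent or malformed."""
    m = KMS_KEY_RE.match(name or "")
    if not m:
        return None
    return (m["project"], m["location"], m["ring"], m["key"])


def bucket_cmek(bucket_json):
    """Customer-managed default key of a GCS bucket, or None if only Google-managed encryption is used."""
    bucket = json.loads(bucket_json)
    return parse_kms_key(bucket.get("encryption", {}).get("defaultKmsKeyName"))


def disk_cmek(disk_json):
    """Customer-managed key of a GCE persistent disk, or None if only Google-managed encryption is used."""
    disk = json.loads(disk_json)
    return parse_kms_key(disk.get("diskEncryptionKey", {}).get("kmsKeyName"))


def check_workspace_cmek(bucket_json, disk_jsons, expected_project):
    """Return a list of findings. An empty list means the bucket has a
    customer-managed default key in expected_project and every disk uses that same key."""
    findings = []
    bucket_key = bucket_cmek(bucket_json)
    if bucket_key is None:
        findings.append("workspace bucket has no default Cloud KMS key (Google-managed encryption only)")
        return findings
    if bucket_key[0] != expected_project:
        findings.append(f"bucket key lives in project {bucket_key[0]}, expected {expected_project}")
    for dj in disk_jsons:
        name = json.loads(dj).get("name")
        dkey = disk_cmek(dj)
        if dkey is None:
            findings.append(f"disk {name} is not encrypted with a customer-managed key")
        elif dkey != bucket_key:
            findings.append(f"disk {name} uses a different key than the workspace bucket")
    return findings


if __name__ == "__main__":
    for finding in check_workspace_cmek(
        WORKSPACE_BUCKET_JSON, [CLUSTER_DISK_JSON, UNENCRYPTED_DISK_JSON], "example-project"
    ):
        print("FINDING:", finding)
```

In practice the JSON would come from the live project, for example `gcloud storage buckets describe gs://BUCKET --format=json` and `gcloud compute disks describe DISK --zone ZONE --format=json`, rather than from the constructed strings above. The version suffix is stripped deliberately: a disk legitimately pins the key version that encrypted it, while the bucket reports only the key, so comparing the full names would produce false mismatches after a key rotation.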

Encrypt traffic between cluster worker nodes

By default, the data exchanged between worker nodes in a cluster is encrypted. Google encrypts data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted. For more information, see the Google whitepaper Encryption in transit.

Manage workspace settings

Databricks workspace administrators can manage their workspace’s security settings, such as whether users can download notebooks and whether the user isolation cluster access mode is enforced. For more information, see Manage your workspace.