Customer-managed keys for workspace storage


This feature is in Public Preview.

While Databricks might encrypt other data, you can add a customer-managed key for workspace storage to protect and control access to the following types of encrypted data:

  • Your workspace’s two GCS buckets: If you add a workspace storage encryption key, Databricks encrypts the data on the two GCS buckets associated with the Google Cloud project that you specified when you created your workspace. These are sometimes called the workspace’s root GCS buckets. One bucket contains your workspace’s DBFS root, which includes workspace libraries and the FileStore area, MLflow Models, and Delta Live Table data in your DBFS root (not DBFS mounts). Another bucket includes your workspace’s system data, which includes job results, Databricks SQL results, notebook revisions, and some other workspace data.

  • Your cluster’s GCE persistent disks: The workspace storage encryption key is also used to encrypt the GCE persistent disks of Databricks Runtime cluster nodes and other compute resources in the data plane.

This feature requires the Premium plan.

This feature does not affect data in the control plane.


  • You cannot add a customer-managed key to an existing workspace.

  • You cannot at a later time update the workspace to use a different customer-managed key Cloud KMS ID.

How to add a key

You can add your own key to protect and control access to some types of data. Databricks has two customer-managed key features that involve different types of data and locations.

You can add a key that can be used for workspace storage, for managed services in the control plane, or both use cases with a single key at the same time.

There are multiple ways that you can add a customer-managed key: