Security & Trust Center


Multi-Key Protection: Encrypting your data at rest within Databricks

Databricks Multi-Key Protection is a key encryption hierarchy that implements fine-grained encryption of customer data when it is at rest in the Databricks account.

Databricks currently applies Multi-Key Protection to customer data at rest in Default Storage, a Databricks-managed cloud storage option for customers who want a simpler data lakehouse infrastructure. It is available now to customers who start with express setup.

Databricks Multi-Key Protection

What is Databricks Multi-Key Protection?

Databricks Multi-Key Protection is a key encryption hierarchy that secures data at rest in the Databricks account with multiple levels of isolation and the ability to provide a customer-managed key (CMK).


Encryption process

1. Databricks maintains a Databricks-managed key (DMK) that serves as the root of our encryption hierarchy.

2. Optional: A customer can provide a customer-managed key (CMK) that encrypts the root of their key hierarchy. If the CMK is revoked, the data becomes undecryptable to any Databricks process.

3. The DMK is used with the CMK (if provided) to encrypt individual catalog keys in Unity Catalog.

4. Object-level keys (table keys, volume keys and model keys) are created for the objects within that catalog. Each object key is encrypted with the catalog key.

5. The ephemeral keys that encrypt the actual data files are derived from the object key. These file-level keys are always derived in memory on trusted compute and are never persisted to disk.
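The five steps above, as an added example that is not Databricks code and not a description of its implementation: a toy key hierarchy in Python. Everything beyond the page's five steps is an assumption of this example: the names, the HMAC-SHA256 construction used in place of AES-GCM so the block runs on the standard library alone, the fixed HKDF salt, and the choice to model "the DMK is used with the CMK" as a wrapping key derived from both the DMK and a CMK-protected account root. The demo writes two data files of one table, then exercises what the benefits below rest on: a blob copied between files is rejected, a stored blob is opaque to anyone outside the governed key path, and revoking the CMK leaves every file undecryptable.

```python
"""Added example: a toy model of the Multi-Key Protection key hierarchy, not Databricks code."""
import hashlib
import hmac
import os

def derive(ikm: bytes, info: str) -> bytes:
    """One-block HKDF-SHA256 (extract, then one expand block) for keys that live only in memory."""
    prk = hmac.new(b"example-salt", ikm, hashlib.sha256).digest()  # fixed salt: an assumption here
    return hmac.new(prk, info.encode() + b"\x01", hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes, label: str) -> bytes:
    """Stand-in for AES-GCM built only from HMAC-SHA256 (the stdlib has no AES): HMAC counter-mode
    keystream plus an HMAC tag over label||nonce||ciphertext. Binding the label stops a wrapped key
    or file blob from being moved into another slot. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = derive(key, "enc"), derive(key, "mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, label.encode() + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, label: str) -> bytes:
    enc_key, mac_key = derive(key, "enc"), derive(key, "mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, label.encode() + nonce + ct, hashlib.sha256).digest()):
        raise PermissionError(f"cannot decrypt {label}: wrong key or tampered blob")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Hierarchy:
    """The dicts are what the data store holds: wrapped keys and ciphertexts only. The DMK and CMK
    live outside the store, and file keys are derived on demand and never stored at all."""

    def __init__(self, cmk=None):
        self.dmk = os.urandom(32)  # step 1: Databricks-managed root key, held by Databricks
        self.cmk = cmk  # step 2: optional customer-managed key, held by the customer
        self.wrapped_root = seal(cmk, os.urandom(32), "account-root") if cmk else None
        self.catalogs = {}  # catalog -> catalog key wrapped under the catalog KEK
        self.objects = {}  # "catalog/object" -> object key wrapped under the catalog key
        self.files = {}  # "catalog/object/file" -> data sealed under the derived file key

    def revoke_cmk(self):
        self.cmk = None  # the wrapped root stays in storage, but nothing can open it any more

    def _catalog_kek(self) -> bytes:
        """Step 3, 'the DMK is used with the CMK': modelled (an assumption) as a KEK derived from the
        DMK plus the CMK-protected account root, so both are needed to unwrap any catalog key."""
        if self.wrapped_root is None:
            return derive(self.dmk, "catalog-kek")
        if self.cmk is None:
            raise PermissionError("CMK revoked: account root cannot be unwrapped")
        return derive(self.dmk + unseal(self.cmk, self.wrapped_root, "account-root"), "catalog-kek")

    def _object_key(self, catalog: str, obj: str) -> bytes:
        kek, oid = self._catalog_kek(), f"{catalog}/{obj}"
        if catalog not in self.catalogs:
            self.catalogs[catalog] = seal(kek, os.urandom(32), f"catalog/{catalog}")
        ck = unseal(kek, self.catalogs[catalog], f"catalog/{catalog}")
        if oid not in self.objects:  # step 4: one key per table, volume or model
            self.objects[oid] = seal(ck, os.urandom(32), f"object/{oid}")
        return unseal(ck, self.objects[oid], f"object/{oid}")

    def write_file(self, catalog: str, obj: str, name: str, data: bytes):
        fid = f"{catalog}/{obj}/{name}"
        file_key = derive(self._object_key(catalog, obj), f"file/{fid}")  # step 5: in memory only
        self.files[fid] = seal(file_key, data, fid)

    def read_file(self, catalog: str, obj: str, name: str) -> bytes:
        fid = f"{catalog}/{obj}/{name}"
        return unseal(derive(self._object_key(catalog, obj), f"file/{fid}"), self.files[fid], fid)

def _attempt(fn) -> str:
    try:
        fn()
        return "decrypted"
    except PermissionError:
        return "rejected"

def demo() -> dict:
    """Constructed walk-through: two parts of one table written under a CMK, then the CMK revoked."""
    h = Hierarchy(cmk=os.urandom(32))
    h.write_file("sales", "orders", "part-0.parquet", b"order rows for part 0")
    h.write_file("sales", "orders", "part-1.parquet", b"order rows for part 1")
    read_ok = h.read_file("sales", "orders", "part-0.parquet") == b"order rows for part 0"
    # Isolation at rest: each part has its own derived key, so a blob copied into the
    # other part's slot fails authentication instead of decrypting.
    h.files["sales/orders/part-1.parquet"] = h.files["sales/orders/part-0.parquet"]
    cross = _attempt(lambda: h.read_file("sales", "orders", "part-1.parquet"))
    # Direct storage access: a stored blob is opaque to anyone without the governed key path.
    blob = h.files["sales/orders/part-0.parquet"]
    direct = _attempt(lambda: unseal(os.urandom(32), blob, "sales/orders/part-0.parquet"))
    h.revoke_cmk()
    after = _attempt(lambda: h.read_file("sales", "orders", "part-0.parquet"))
    return {"read_ok": read_ok, "cross_file": cross, "direct_storage": direct, "after_revoke": after}

if __name__ == "__main__":
    print(demo())
```

Running the module prints the demo dictionary. The design point worth noticing is that nothing in the `Hierarchy` dicts is ever a plaintext key: the only plaintext keys are the DMK and CMK, which sit outside the store, and the file key, which exists only for the duration of a single `write_file` or `read_file` call.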

Benefits of Databricks Multi-Key Protection

Full control of customer data

When a CMK has been provided, customers can revoke Databricks' access to it at any time. This makes all data under that key hierarchy undecryptable to any Databricks process.

Isolation at rest

File-level key granularity provides cryptographic isolation, even across files within a single Delta table, volume or model.

Mitigate unauthorized direct access to storage

Your data in Databricks is accessible only through Databricks endpoints, to users and systems that Unity Catalog has authenticated and authorized. Even someone who gains direct access to the cloud storage cannot decrypt the data without going through the governed Databricks path, because that path is where the keys are unwrapped and derived.