Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

A new Data Days event is coming soon! This time we’re going bigger than ever. Fabric, Power BI, SQL, AI and more. Don't miss out.

pivanho
‎11-19-2025 07:00 AM

Customer-managed keys in Fabric SQL Database (Preview)

Customer-managed keys in Fabric SQL Database - a major step forward in empowering organizations to take control of their data security and compliance.

Why customer-managed keys matter

Microsoft Fabric already encrypts all data-at-rest using Microsoft-managed keys. But for organizations with strict data governance policies or regulatory requirements, CMK offers an additional layer of control and flexibility.

With CMK, you can use your own Azure Key Vault keys to encrypt SQL database data in Fabric workspaces, giving you:

  • Key ownership and rotation control.
  • Granular access management.
  • Auditability of key usage.
  • Compliance with industry-specific encryption standards.

Seamless integration with Transparent Data Encryption

Once CMK is configured for a Fabric workspace, Transparent Data Encryption is automatically enabled for all SQL databases (including tempdb) in that workspace. This means:

  • Real-time encryption and decryption of data, backups, and transaction logs.
  • Encryption at the page level using a symmetric Database Encryption Key (DEK).
  • DEK protection via the customer-managed asymmetric key from Azure Key Vault.

Customer-managed_keys_in_Fabric_SQL_Database_PreviewCustomer-managed_keys_in_Fabric_SQL_Database_Preview

No manual steps are required encryption begins automatically and applies to both existing and newly created databases.

What our customers are saying about Customer-managed keys

Using Fabric is a key part of our operations, and features such as customer managed keys play an important role in supporting our clients who have high security and regulatory standards. This capability gives them more flexibility and assurance when it comes to managing data encryption. The setup process is straightforward and does not require extensive technical effort.

Customer-managed_keys_in_Fabric_SQL_Database_PreviewCustomer-managed_keys_in_Fabric_SQL_Database_Preview

Ivan van Rooyen - Data and AI Practice Lead

Customer-managed keys in Fabric SQL Database have empowered us to securely develop AI project notebooks, data flows, and Airflow orchestration. Beyond security, it provided us with early insights into Fabric’s evolving capabilities, helping us align our architecture with upcoming features and plan confidently for future innovation.

Customer-managed_keys_in_Fabric_SQL_Database_PreviewCustomer-managed_keys_in_Fabric_SQL_Database_Preview

Vikram Hodachalli - Architect

Get started

Follow the steps on Customer-managed keys for Fabric workspaces - Microsoft Fabric | Microsoft Learn to enable encryption using customer-managed keys.

Query to verify successful CMK encryption

Once you enable CMK in the workspace the existing database will be encrypted or when you create a new database in a workspace that has CMK enabled. To verify if your database is successfully encrypted, run the following query.

SELECT DB_NAME(database_id) as DatabaseName, * 
FROM sys.dm_database_encryption_keys 
WHERE database_id <> 2

A database is encrypted if the encryption_state_desc field displays "ENCRYPTED" (or "ENCRYPTION_IN_PROGRESS" during encryption) with ASYMMETRIC_KEY as encryptor_type; otherwise, it will not show up in this DMV if the database is not encrypted.

Customer-managed_keys_in_Fabric_SQL_Database_PreviewCustomer-managed_keys_in_Fabric_SQL_Database_Preview

Learn more

Data encryption in SQL database

Customer-managed keys for Fabric workspaces

We hope you enjoy this new offer; we look forward to your feedback as we continue to enhance data security in Microsoft Fabric.

0