pivanho

Customer-managed keys (CMK) in Fabric SQL Database (Generally Available)

If you haven’t already, check out Arun Ulag’s hero blog “FabCon and SQLCon 2026: Unifying databases and Fabric on a single, complete platform” for a complete look at all of our FabCon and SQLCon announcements across both Fabric and our database offerings. 


Customer-managed keys (CMK) in Fabric SQL Database is a major step forward in empowering organizations to take control of their data security and compliance.

Why customer-managed keys matter

Microsoft Fabric already encrypts all data-at-rest using Microsoft-managed keys. But for organizations with strict data governance policies or regulatory requirements, CMK offers an additional layer of control and flexibility.

With CMK, you can use your own Azure Key Vault keys to encrypt SQL database data in Fabric workspaces, giving you:

  • Key ownership and rotation control.
  • Granular access management.
  • Auditability of key usage.
  • Compliance with industry-specific encryption standards.

Seamless integration with Transparent Data Encryption

Once CMK is configured for a Fabric workspace, Transparent Data Encryption is automatically enabled for all SQL databases (including tempdb) in that workspace. This means:
  • Real-time encryption and decryption of data, backups, and transaction logs.
  • Encryption at the page level using a symmetric Database Encryption Key (DEK).
  • DEK protection via the customer-managed asymmetric key from Azure Key Vault.

Figure: Encryption process for Azure SQL data protected by TDE.

No manual steps are required. Encryption begins automatically and applies to both existing and newly created databases.

Get started

Follow the steps on Customer-managed keys for Fabric workspaces to enable encryption using customer-managed keys.

Query to verify successful CMK encryption

After you enable CMK for the workspace, Fabric automatically encrypts (1) any existing SQL databases in that workspace and (2) any new SQL databases you create in that workspace going forward. To confirm that a specific database is encrypted, run the following query:

-- database_id 2 is tempdb, which is excluded from the result
SELECT DB_NAME(database_id) AS DatabaseName, *
FROM sys.dm_database_encryption_keys
WHERE database_id <> 2;

A database is encrypted if the encryption_state_desc field displays “ENCRYPTED” (or “ENCRYPTION_IN_PROGRESS” during encryption) with ASYMMETRIC_KEY as encryptor_type. A database that is not encrypted does not appear in this DMV at all.


Figure: Result set of the query to verify if your database is successfully encrypted.
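
Because an unencrypted database returns no row from the DMV, a scheduled compliance check is easier to write against a query that always returns exactly one row with an explicit verdict. The following is an added example, not part of the original post: it reports the state of the database you are connected to. The CmkStatus column and its labels are names chosen for this example, and the query assumes the DMV's database_id matches DB_ID() for the current database.

```sql
-- Added example: always returns one row for the current database,
-- even when sys.dm_database_encryption_keys has no row for it.
SELECT
    DB_NAME()                  AS DatabaseName,
    dek.encryption_state_desc  AS EncryptionState,
    dek.encryptor_type         AS EncryptorType,
    dek.percent_complete       AS PercentComplete,
    CASE
        -- No DMV row: the database is not encrypted.
        WHEN dek.database_id IS NULL
            THEN 'NOT_ENCRYPTED'
        -- Encrypted, and the DEK is protected by an asymmetric key.
        WHEN dek.encryption_state_desc = 'ENCRYPTED'
             AND dek.encryptor_type = 'ASYMMETRIC_KEY'
            THEN 'CMK_ENCRYPTED'
        -- Initial encryption scan still running after CMK was enabled.
        WHEN dek.encryption_state_desc = 'ENCRYPTION_IN_PROGRESS'
             AND dek.encryptor_type = 'ASYMMETRIC_KEY'
            THEN 'CMK_ENCRYPTION_IN_PROGRESS'
        -- Any other state or encryptor type needs a manual look.
        ELSE 'REVIEW'
    END                        AS CmkStatus
FROM (SELECT DB_ID() AS database_id) AS cur
LEFT JOIN sys.dm_database_encryption_keys AS dek
    ON dek.database_id = cur.database_id;
```

A monitoring job can alert on any CmkStatus other than CMK_ENCRYPTED, treating CMK_ENCRYPTION_IN_PROGRESS as acceptable only for a limited time after CMK is enabled on the workspace.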

Learn more

We hope you enjoy this new offer; we look forward to your feedback as we continue to enhance data security in Microsoft Fabric. Please leave your thoughts in the comment section!