Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✅ Warehouse in Microsoft Fabric
Fabric Data Warehouse encrypts all data at rest by default, ensuring that your information is protected through Microsoft-managed keys.
In addition, you can enhance your security posture by using customer-managed keys (CMK), giving you direct control over the encryption keys that protect your data and metadata.
When you enable CMK for a workspace that contains a Fabric Data Warehouse, both OneLake data and warehouse metadata are protected using your Azure Key Vault-hosted encryption keys. With customer-managed keys, you can connect your Fabric workspace directly to your own Azure Key Vault. You maintain complete control over key creation, access, and rotation, ensuring compliance with your organization's security and governance policies.
To get started configuring CMK for your Fabric workspace, see Customer-managed keys for Fabric workspaces.
How data encryption works in Fabric Data Warehouse
Fabric Data Warehouse follows a multi-layered encryption model to ensure your data remains protected at rest and transient in use.
SQL Frontend: Encrypts metadata (tables, views, functions, stored procedures).
Backend Compute Pool: Uses ephemeral caches; no data is left at rest.
OneLake: All persisted data is encrypted.
SQL front-end layer encryption
When CMK is enabled for the workspace, Fabric Data Warehouse also uses your customer-managed key to encrypt metadata such as table definitions, stored procedures, functions, and schema information.
This ensures that both your data in OneLake and personal data-bearing metadata in the warehouse are encrypted with your own key.
Backend compute pool layer encryption
Fabric's compute backend processes queries in an ephemeral, cache-based environment. No data is ever left at rest in these caches. Because Fabric Warehouse evicts all backend cache content after use, transient data never persists beyond the session lifetime.
Because of their short-lived nature, backend caches are only encrypted with Microsoft-managed keys and are not subject to encryption by CMK, for performance reasons. Backend caches are automatically cleared and regenerated as part of normal compute operations.
OneLake layer encryption
All data stored in OneLake is encrypted at rest using Microsoft-managed keys by default.
When CMK is enabled, your customer-managed key (stored in Azure Key Vault) is used to encrypt the data encryption keys (DEKs), providing an additional envelope of protection. You maintain control over key rotation, access policies, and auditing.
Important
In CMK-enabled workspaces, all OneLake data is encrypted using your customer-managed keys.
Limitations
Before enabling CMK for your Fabric Data Warehouse, review the following considerations:
Key propagation delay: When a key is rotated, updated, or replaced in Azure Key Vault, there can be a propagation delay before Fabric's SQL layer. In certain conditions, this delay can take up to 20 minutes before SQL connections are re-established with the new key.
Backend caching: Data processed by Fabric's backend compute pool is not encrypted with CMK at rest due to its short-lived, in-memory nature. Fabric automatically evicts cached data after each use.
Service availability during key revocation: If the CMK becomes inaccessible or revoked, read and write operations in the workspace fail until access to the key is restored.
DMV support: Since the CMK configuration is established and configured at workspace level, you cannot use
sys.dm_database_encryption_keysto view the encryption status of the database; that happens exclusively at Workspace Level.Firewall restrictions: CMK is not supported when the Azure Key Vault firewall is enabled.
Queries in the Fabric portal query editor Object Explorer are not encrypted with CMK.