topic Take Control: Customer-Managed Keys for Lakebase Postgres in Announcements https://community.databricks.com/t5/announcements/take-control-customer-managed-keys-for-lakebase-postgres/m-p/155338#M752 <P><SPAN>Lakebase Postgres now supports </SPAN><STRONG>customer‑managed keys (CMK)</STRONG><SPAN>, so security teams can keep encryption keys in their own cloud KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS) while Databricks runs Lakebase as a managed service.</SPAN></P> <P><FONT size="4"><STRONG>Key highlights</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Your keys, your KMS</STRONG><SPAN> – Use your own CMK in your cloud KMS instead of Databricks‑managed keys, keeping control of the root of trust for Lakebase Postgres.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>End‑to‑end protection</STRONG><SPAN> – Encrypt both long‑term Lakebase storage and ephemeral compute caches, not just database files, under the same CMK.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Cryptographic “kill switch”</STRONG><SPAN> – Using your CMK in KMS as a kill switch makes Lakebase data cryptographically inaccessible and terminates active compute, giving high‑compliance teams a technical failsafe.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Envelope encryption at scale</STRONG><SPAN> – Lakebase uses a CMK → KEK → DEK hierarchy, so your CMK never leaves KMS, while data keys can be rotated and managed without re‑encrypting all data.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Clear admin workflow</STRONG><SPAN> – Account admins register the CMK once, bind it to a workspace, and all Lakebase projects in that workspace inherit it; rotation and audit remain in your cloud provider.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN>In the full post, you’ll see how Lakebase CMK combines Lakebase’s decoupled storage/compute architecture with customer‑owned keys to meet stricter data sovereignty and compliance requirements for Postgres workloads.</SPAN></P> <P class="p8i6j01 paragraph"><A style="background-color: #ff3621; color: white; padding: 10px 20px; text-decoration: none; border-radius: 5px; font-weight: bold; display: inline-block;" href="https://www.databricks.com/blog/take-control-customer-managed-keys-lakebase-postgres?utm_source=bambu&amp;utm_medium=social&amp;utm_campaign=advocacy" target="_blank" rel="noopener"><span class="lia-unicode-emoji" title=":link:">🔗</span>&nbsp;Read the full post here&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_left:">👈</span></A></P> Thu, 23 Apr 2026 13:38:30 GMT Tushar_Parekar 2026-04-23T13:38:30Z Take Control: Customer-Managed Keys for Lakebase Postgres https://community.databricks.com/t5/announcements/take-control-customer-managed-keys-for-lakebase-postgres/m-p/155338#M752 <P><SPAN>Lakebase Postgres now supports </SPAN><STRONG>customer‑managed keys (CMK)</STRONG><SPAN>, so security teams can keep encryption keys in their own cloud KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS) while Databricks runs Lakebase as a managed service.</SPAN></P> <P><FONT size="4"><STRONG>Key highlights</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Your keys, your KMS</STRONG><SPAN> – Use your own CMK in your cloud KMS instead of Databricks‑managed keys, keeping control of the root of trust for Lakebase Postgres.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>End‑to‑end protection</STRONG><SPAN> – Encrypt both long‑term Lakebase storage and ephemeral compute caches, not just database files, under the same CMK.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Cryptographic “kill switch”</STRONG><SPAN> – Using your CMK in KMS as a kill switch makes Lakebase data cryptographically inaccessible and terminates active compute, giving high‑compliance teams a technical failsafe.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Envelope encryption at scale</STRONG><SPAN> – Lakebase uses a CMK → KEK → DEK hierarchy, so your CMK never leaves KMS, while data keys can be rotated and managed without re‑encrypting all data.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Clear admin workflow</STRONG><SPAN> – Account admins register the CMK once, bind it to a workspace, and all Lakebase projects in that workspace inherit it; rotation and audit remain in your cloud provider.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN>In the full post, you’ll see how Lakebase CMK combines Lakebase’s decoupled storage/compute architecture with customer‑owned keys to meet stricter data sovereignty and compliance requirements for Postgres workloads.</SPAN></P> <P class="p8i6j01 paragraph"><A style="background-color: #ff3621; color: white; padding: 10px 20px; text-decoration: none; border-radius: 5px; font-weight: bold; display: inline-block;" href="https://www.databricks.com/blog/take-control-customer-managed-keys-lakebase-postgres?utm_source=bambu&amp;utm_medium=social&amp;utm_campaign=advocacy" target="_blank" rel="noopener"><span class="lia-unicode-emoji" title=":link:">🔗</span>&nbsp;Read the full post here&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_left:">👈</span></A></P> Thu, 23 Apr 2026 13:38:30 GMT https://community.databricks.com/t5/announcements/take-control-customer-managed-keys-for-lakebase-postgres/m-p/155338#M752 Tushar_Parekar 2026-04-23T13:38:30Z