Important:-
This feature is in Public Preview.
Note:-
This feature requires the Azure Databricks Premium Plan.
For additional control of your data, you can add your key to protect and control access to some data types.
Azure Databricks has two customer-managed key features for different data and locations.
To compare them, see Customer-managed keys for encryption.
Managed services data in the Azure Databricks control plane is encrypted at rest.
You can add a customer-managed key for managed services to help protect and control access to the following types of encrypted data:
After adding customer-managed key encryption for a workspace, Azure Databricks uses your key to control access to the key that encrypts future write operations to your workspace’s managed services data. Existing data is not re-encrypted. The data encryption key is cached in memory for several read and write operations and evicted from memory at a regular interval. New requests for that data require another request to your cloud service’s key management system. If you delete or revoke your key, reading or writing to the protected data fails at the end of the cache time interval.
You can rotate (update) the customer-managed key at a later time. See Rotate the key.
Note:-
This feature does not encrypt data stored outside of the control plane.
To encrypt data in your workspace’s root Blob storage, see Configure customer-managed keys for DBFS root.
A thread with a similar topic - https://community.databricks.com/s/question/0D53f00001Tdk4rCAB/are-notebooks-encrypted-even-if-no-cm...
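
The caching and revocation behaviour described above can be modelled as follows. This is an added example, not Azure Databricks code: the class names, the 300-second cache interval, the revocation time and the probe times are all constructed assumptions, and the key vault is a stand-in that performs no real cryptography.

```python
import secrets

class FakeKeyVault:
    """Constructed stand-in for a cloud key management system (no real crypto)."""
    def __init__(self):
        self.key_enabled = True  # state of the customer-managed key
        self._deks = {}          # opaque "wrapped DEK" handle -> DEK bytes
        self.unwrap_calls = 0

    def new_wrapped_dek(self):
        handle = secrets.token_hex(8)
        self._deks[handle] = secrets.token_bytes(32)
        return handle

    def unwrap(self, handle):
        self.unwrap_calls += 1
        if not self.key_enabled:
            raise PermissionError("customer-managed key is revoked or deleted")
        return self._deks[handle]

class ManagedServicesStore:
    """Models a service that keeps the DEK in memory for cache_ttl seconds."""
    def __init__(self, vault, cache_ttl):
        self.vault, self.cache_ttl = vault, cache_ttl
        self.wrapped_dek = vault.new_wrapped_dek()
        self._cache = None       # (dek, expiry time) or None

    def can_access(self, now):
        """True if a read or write at logical time `now` can obtain the DEK."""
        if self._cache and now < self._cache[1]:
            return True          # served from memory, key vault not contacted
        self._cache = None       # evicted at the end of the cache interval
        try:
            dek = self.vault.unwrap(self.wrapped_dek)
        except PermissionError:
            return False
        self._cache = (dek, now + self.cache_ttl)
        return True

def revocation_timeline(cache_ttl=300, revoke_at=100, probes=(0, 50, 150, 299, 300, 400)):
    """Return ([(time, access_ok), ...], number of key vault unwrap calls)."""
    vault = FakeKeyVault()
    store = ManagedServicesStore(vault, cache_ttl)
    timeline = []
    for t in probes:
        if t >= revoke_at:
            vault.key_enabled = False   # operator revokes the key
        timeline.append((t, store.can_access(t)))
    return timeline, vault.unwrap_calls
```

In this model, accesses at t=150 and t=299 still succeed after the key is revoked at t=100, and the first failure appears only when the cached key expires at t=300. That gap is the window to account for when revocation is used as a containment step.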