Lakebase Postgres now supports customer-managed keys (CMK), so security teams can keep encryption keys in their own cloud KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS) while Databricks runs Lakebase as a managed service.
Key highlights
- Your keys, your KMS: Use your own CMK in your cloud KMS instead of Databricks-managed keys, keeping control of the root of trust for Lakebase Postgres.
- End-to-end protection: Encrypt both long-term Lakebase storage and ephemeral compute caches, not just database files, under the same CMK.
- Cryptographic "kill switch": Revoking the CMK in your KMS acts as a kill switch; Lakebase data becomes cryptographically inaccessible and active compute is terminated, giving high-compliance teams a technical failsafe.
- Envelope encryption at scale: Lakebase uses a CMK → KEK → DEK hierarchy, so your CMK never leaves KMS, while data keys can be rotated and managed without re-encrypting all data.
- Clear admin workflow: Account admins register the CMK once, bind it to a workspace, and all Lakebase projects in that workspace inherit it; rotation and audit remain in your cloud provider.
In the full post, you'll see how Lakebase CMK combines Lakebase's decoupled storage/compute architecture with customer-owned keys to meet stricter data sovereignty and compliance requirements for Postgres workloads.
Read the full post here.