
Take Control: Customer-Managed Keys for Lakebase Postgres

Tushar_Parekar
Databricks Employee

Lakebase Postgres now supports customer‑managed keys (CMK), so security teams can keep encryption keys in their own cloud KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS) while Databricks runs Lakebase as a managed service.

Key highlights

  • Your keys, your KMS – Use your own CMK in your cloud KMS instead of Databricks‑managed keys, keeping control of the root of trust for Lakebase Postgres.
  • End‑to‑end protection – Encrypt both long‑term Lakebase storage and ephemeral compute caches, not just database files, under the same CMK.
  • Cryptographic “kill switch” – Using your CMK in KMS as a kill switch makes Lakebase data cryptographically inaccessible and terminates active compute, giving high‑compliance teams a technical failsafe.
  • Envelope encryption at scale – Lakebase uses a CMK → KEK → DEK hierarchy, so your CMK never leaves KMS, while data keys can be rotated and managed without re‑encrypting all data.
  • Clear admin workflow – Account admins register the CMK once, bind it to a workspace, and all Lakebase projects in that workspace inherit it; rotation and audit remain in your cloud provider.
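
The CMK → KEK → DEK hierarchy and the kill switch from the list above, as an added Python model that is not Databricks or Lakebase code. `ToyKMS`, `seal`, `new_store`, `read_page` and `rotate_kek` are hypothetical names, the kill switch is assumed to be a disabled key, and an HMAC-SHA256 keystream stands in for AES-GCM or AES key wrap so the block runs on the standard library alone.

```python
import hashlib, hmac, secrets

def _sub(key, label):                      # separate subkeys for cipher and MAC
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, data):             # stand-in cipher: HMAC-SHA256 keystream XOR
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):                  # encrypt-then-MAC under `key`
    nonce = secrets.token_bytes(16)
    ct = _stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered ciphertext")
    return _stream(_sub(key, b"enc"), nonce, ct)

class ToyKMS:
    """Simulated customer KMS: the CMK is used only inside wrap/unwrap."""
    def __init__(self):
        self._cmk, self.enabled = secrets.token_bytes(32), True
    def _use(self, fn, blob):
        if not self.enabled:               # assumption: kill switch modelled as a disabled key
            raise PermissionError("CMK disabled")
        return fn(self._cmk, blob)
    def wrap(self, key):
        return self._use(seal, key)
    def unwrap(self, blob):
        return self._use(unseal, blob)

def new_store(kms, plaintext):
    kek, dek = secrets.token_bytes(32), secrets.token_bytes(32)
    return kms.wrap(kek), seal(kek, dek), seal(dek, plaintext)  # all three are safe to persist

def read_page(kms, wrapped_kek, wrapped_dek, page):
    kek = kms.unwrap(wrapped_kek)          # the only step that needs the CMK
    return unseal(unseal(kek, wrapped_dek), page)

def rotate_kek(kms, wrapped_kek, wrapped_dek):
    dek = unseal(kms.unwrap(wrapped_kek), wrapped_dek)
    new_kek = secrets.token_bytes(32)
    return kms.wrap(new_kek), seal(new_kek, dek)                # data pages are not touched
```

In this model the kill switch holds only while no plaintext KEK or DEK stays cached after the key is disabled, which is why the page pairs it with terminating active compute.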

In the full post, you’ll see how Lakebase CMK combines Lakebase’s decoupled storage/compute architecture with customer‑owned keys to meet stricter data sovereignty and compliance requirements for Postgres workloads.

🔗 Read the full post here 👈
