
Encryption and Key Management in Azure and Microsoft Fabric

Encryption is a critical component of any secure data architecture, and both Azure and Microsoft Fabric provide robust options for managing encryption keys. In this section, we cover Azure-native practices and the current and future capabilities related to Bring Your Own Key (BYOK) in Microsoft Fabric and OneLake.

Azure Key Management

Microsoft Azure provides comprehensive support for encryption at rest and in transit using both Microsoft-managed and customer-managed keys (CMK). Azure Key Vault is the primary service for managing keys, secrets, and certificates.

Key considerations:

  • Use customer-managed keys (CMK) with Azure Storage, Azure SQL Database, Azure Synapse Analytics, and other services that support CMK.
  • Customer-managed keys are stored in Azure Key Vault or Azure Dedicated HSM.
  • CMK can be used for encrypting blob data in Azure Storage using server-side encryption with CMK (SSE with CMK).
  • Azure supports automatic key rotation and audit logging via Azure Monitor.

When deploying at scale:

  • Use a federated model with multiple Key Vaults to avoid throttling limits.
  • Enable soft delete and purge protection for secure recovery.
  • Use Azure RBAC over legacy access policies for fine-grained permissions.
  • Monitor Key Vault usage using Azure Monitor and Log Analytics.
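The checklist above (soft delete, purge protection, RBAC instead of access policies, HSM-backed SKU where needed) can be verified offline against the JSON that `az keyvault show` returns for each vault. The script below is an added example, not Microsoft's code or tooling from this page: the two vault documents are constructed to mirror the ARM resource shape (`properties.enableSoftDelete`, `softDeleteRetentionInDays`, `enablePurgeProtection`, `enableRbacAuthorization`, `sku.name`), and the 90-day retention threshold and the vault names are choices made for the example rather than values stated on the page.

```python
"""Offline audit of Azure Key Vault configuration against the scale checklist.

Added example, not Microsoft's code. Vault documents are constructed to mirror
the resource shape returned by ``az keyvault show``; the 90-day retention
threshold and the vault names are choices made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vault: str
    check: str
    detail: str


# Constructed sample: one hardened vault and one still on legacy settings.
SAMPLE_VAULTS = [
    {
        "name": "kv-prod-data-01",
        "properties": {
            "sku": {"family": "A", "name": "premium"},
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 90,
            "enablePurgeProtection": True,
            "enableRbacAuthorization": True,
            "accessPolicies": [],
        },
    },
    {
        "name": "kv-shared-legacy",
        "properties": {
            "sku": {"family": "A", "name": "standard"},
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 7,
            # ARM omits enablePurgeProtection entirely until it is turned on,
            # so a missing key must be treated the same as False.
            "enableRbacAuthorization": False,
            "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001"}],
        },
    },
]


def audit_vault(vault: dict, *, min_retention_days: int = 90,
                require_hsm: bool = False) -> list[Finding]:
    """Return one Finding per failed check; an empty list means the vault passes."""
    name = vault["name"]
    props = vault.get("properties", {})
    findings: list[Finding] = []

    # Soft delete must be on, and the retention window long enough to recover from.
    if not props.get("enableSoftDelete", False):
        findings.append(Finding(name, "soft-delete", "soft delete is disabled"))
    elif props.get("softDeleteRetentionInDays", 0) < min_retention_days:
        findings.append(Finding(
            name, "soft-delete-retention",
            f"retention is {props.get('softDeleteRetentionInDays')} days, "
            f"below the required {min_retention_days}"))

    # Without purge protection a soft-deleted vault or key can be purged early.
    if props.get("enablePurgeProtection") is not True:
        findings.append(Finding(name, "purge-protection",
                                "purge protection is not enabled"))

    # Azure RBAC is preferred over the legacy access-policy model.
    if props.get("enableRbacAuthorization") is not True:
        policies = props.get("accessPolicies", [])
        findings.append(Finding(
            name, "rbac",
            f"legacy access-policy model in use ({len(policies)} policy entries)"))

    # HSM-backed keys need the premium SKU.
    if require_hsm and props.get("sku", {}).get("name", "").lower() != "premium":
        findings.append(Finding(name, "sku", "HSM-backed keys require the premium SKU"))

    return findings


def audit_all(vaults: list[dict], **options) -> dict[str, list[Finding]]:
    """Audit every vault and return only those with at least one finding."""
    results: dict[str, list[Finding]] = {}
    for vault in vaults:
        findings = audit_vault(vault, **options)
        if findings:
            results[vault["name"]] = findings
    return results


if __name__ == "__main__":
    for vault_name, found in audit_all(SAMPLE_VAULTS, require_hsm=True).items():
        for f in found:
            print(f"{vault_name}: [{f.check}] {f.detail}")
```

Run it against `az keyvault list --query "[]" -o json` piped into `SAMPLE_VAULTS` to cover a whole subscription; the `require_hsm` switch maps to the Key Vault Premium recommendation later on this page.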

Bring Your Own Key (BYOK) in Microsoft Fabric

Microsoft Fabric's OneLake follows a similar hierarchical and secure approach to data storage as Azure Data Lake Storage Gen2. OneLake data is encrypted at rest using Microsoft-managed keys (MMK) by default.

Microsoft has announced planned support for Bring Your Own Key (BYOK) for OneLake. This will allow organizations to manage their own encryption keys for data stored in OneLake Lakehouses, Warehouses, and other data items. With BYOK in OneLake:

  • Organizations will be able to integrate OneLake security with Azure Key Vault or Dedicated HSM.
  • BYOK will support scenarios where regulatory, compliance, or sovereignty requirements demand customer control of the encryption keys.
  • Future updates will allow granular key assignment at the domain, workspace, or item level.

Note: As of July 2025, BYOK for OneLake is in the preview announcement phase and not yet generally available. For preview participation, check https://aka.ms/onelakesecuritypreview.

Recommendations

  • Use Azure Key Vault Premium when HSM-backed keys are required (FIPS 140-2 Level 2).
  • Segment key usage across environments and workloads to prevent lateral movement or excessive access.
  • Prepare to migrate OneLake storage to customer-managed keys as soon as BYOK becomes available in Fabric.
  • Automate key rotation and policy enforcement using Azure Policy and Microsoft Entra roles.
  • Avoid sharing Key Vaults across applications or tenants to maintain security boundaries.

For more details on key usage monitoring and alerting, refer to Monitoring and alerting for Azure Key Vault.
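The monitoring guidance above comes down to two detections over Key Vault diagnostic logs: flag any destructive or configuration-changing operation, and flag a burst of denied requests from one caller. The script below is an added example, not from this page or from Microsoft. The rows are constructed, not real telemetry, and are shaped like the `AzureDiagnostics` records Key Vault sends to Log Analytics; the `OperationName`, `ResultType` and `CallerIPAddress` columns are standard, while `identity_claim_upn_s` as the caller-UPN column, the set of operation names treated as sensitive, and the burst threshold and window are assumptions made for the example.

```python
"""Detections over Key Vault AuditEvent records exported to Log Analytics.

Added example, not Microsoft's code. Rows are constructed; column names mirror
the AzureDiagnostics schema (the UPN column name is an assumption), and the
sensitive-operation list, threshold and window are choices for this example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Operations that delete or purge material, or change the vault itself.
SENSITIVE_OPERATIONS = {"KeyDelete", "KeyPurge", "SecretDelete", "VaultDelete", "VaultPatch"}

# Constructed sample rows (TEST-NET addresses, fictitious tenant).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-07-01T10:00:00Z", "OperationName": "KeyGet", "ResultType": "Success",
     "CallerIPAddress": "198.51.100.7", "identity_claim_upn_s": "svc-etl@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:00:05Z", "OperationName": "SecretGet", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:00:20Z", "OperationName": "SecretGet", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:00:45Z", "OperationName": "KeyGet", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:01:10Z", "OperationName": "SecretGet", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:01:40Z", "OperationName": "SecretList", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
    {"TimeGenerated": "2025-07-01T10:30:00Z", "OperationName": "KeyDelete", "ResultType": "Success",
     "CallerIPAddress": "198.51.100.8", "identity_claim_upn_s": "alice@contoso.example"},
    # A lone denial an hour later: outside the window, so it must not alert on its own.
    {"TimeGenerated": "2025-07-01T11:00:00Z", "OperationName": "SecretGet", "ResultType": "Forbidden",
     "CallerIPAddress": "203.0.113.10", "identity_claim_upn_s": "bob@contoso.example"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_sensitive_operations(events: list[dict]) -> list[dict]:
    """One alert per successful or attempted sensitive operation, with who and when."""
    return [
        {"rule": "sensitive-operation", "operation": e["OperationName"],
         "caller": e.get("identity_claim_upn_s"), "time": e["TimeGenerated"]}
        for e in events if e.get("OperationName") in SENSITIVE_OPERATIONS
    ]


def detect_forbidden_bursts(events: list[dict], threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert when one caller IP accumulates `threshold` Forbidden results inside `window`.

    Uses a sliding window over the sorted timestamps per IP, so a steady trickle of
    denials spread over hours does not trigger, but a concentrated run does.
    """
    denials: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.get("ResultType") == "Forbidden":
            denials[e["CallerIPAddress"]].append(_ts(e["TimeGenerated"]))

    alerts = []
    for ip, times in denials.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "forbidden-burst", "caller_ip": ip,
                               "count": end - start + 1,
                               "window_end": times[end].isoformat()})
                break  # one alert per IP per run is enough here
    return alerts


def run_detections(events: list[dict]) -> list[dict]:
    return detect_sensitive_operations(events) + detect_forbidden_bursts(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

In production the same two rules are better expressed as KQL scheduled alerts on the `AzureDiagnostics` table; the Python form is useful for testing threshold and window choices against an exported sample before committing to an alert rule.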
