Remediation
Note: These remediations assume that an Azure Key Vault already exists in the subscription.
From Azure CLI

1. Create a dedicated key:

```bash
az keyvault key create \
  --vault-name {{key-vault-name}} \
  --name {{key-name}} \
  --protection {{key-protection-type}}
```

2. Assign permissions to Databricks (the service principal only needs to read and wrap/unwrap the key, not manage it):

```bash
az keyvault set-policy \
  --name {{key-vault-name}} \
  --resource-group {{resource-group-name}} \
  --spn {{databricks-spn}} \
  --key-permissions get wrapKey unwrapKey
```

3. Enable encryption with CMK (`az databricks workspace update` takes the vault URI through `--key-vault`):

```bash
az databricks workspace update \
  --name {{databricks-workspace-name}} \
  --resource-group {{resource-group-name}} \
  --key-source "Microsoft.KeyVault" \
  --key-name {{key-name}} \
  --key-vault {{key-vault-uri}}
```
From PowerShell

Grant the Databricks service principal `get`, `wrapKey` and `unwrapKey` on the vault first (`Set-AzKeyVaultAccessPolicy -PermissionsToKeys get,wrapKey,unwrapKey`), exactly as in the CLI steps. The workspace update needs the vault URI (not the key identifier) plus the key name and version, so these are taken from the created key and from `Get-AzKeyVault`:

```powershell
# Create a dedicated key in the existing vault
$key = Add-AzKeyVaultKey `
  -VaultName "{{key-vault-name}}" `
  -Name "{{key-name}}" `
  -Destination "{{key-protection-type}}"

# Point the workspace at the customer-managed key
Update-AzDatabricksWorkspace `
  -ResourceGroupName "{{resource-group-name}}" `
  -Name "{{databricks-workspace-name}}" `
  -EncryptionKeySource "Microsoft.KeyVault" `
  -EncryptionKeyName $key.Name `
  -EncryptionKeyVersion $key.Version `
  -EncryptionKeyVaultUri (Get-AzKeyVault -VaultName "{{key-vault-name}}").VaultUri
```
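After either procedure, the two things worth verifying are that the workspace's key source really is Key Vault (with a key name and vault URI set) and that the Databricks service principal holds the three key permissions the remediation grants. The following is an added example, not code from the original page or from Azure: it evaluates the JSON that `az databricks workspace show` and `az keyvault show` return, offline, so it can be run against saved output. The location of the encryption settings in the workspace JSON (`properties.parameters.encryption.value` with `keySource`, `keyName`, `keyVersion`, `keyVaultUri`) is an assumption about the CLI output shape; the access-policy layout (`properties.accessPolicies[].objectId`, `permissions.keys`) follows `az keyvault show`. The sample documents and the service-principal object id are constructed placeholders.

```python
import json
from dataclasses import dataclass, field
from typing import List

# Permissions the remediation grants with --key-permissions get wrapKey unwrapKey
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}
CMK_KEY_SOURCE = "microsoft.keyvault"  # compared case-insensitively


@dataclass
class Finding:
    compliant: bool
    reasons: List[str] = field(default_factory=list)


def workspace_uses_cmk(workspace: dict) -> Finding:
    """Check that the workspace encryption is backed by a Key Vault key.

    Assumption (not from the page): settings live under
    properties.parameters.encryption.value in the workspace JSON."""
    enc = (workspace.get("properties", {})
                    .get("parameters", {})
                    .get("encryption", {})
                    .get("value", {}))
    reasons = []
    if str(enc.get("keySource", "Default")).lower() != CMK_KEY_SOURCE:
        reasons.append("keySource is not Microsoft.KeyVault (platform-managed key in use)")
    for required in ("keyName", "keyVaultUri"):
        if not enc.get(required):
            reasons.append(f"{required} is missing from the encryption settings")
    return Finding(not reasons, reasons)


def spn_can_use_key(vault: dict, spn_object_id: str) -> Finding:
    """Check that the object id holds get/wrapKey/unwrapKey on the vault's keys."""
    policies = vault.get("properties", {}).get("accessPolicies", [])
    for policy in policies:
        if policy.get("objectId", "").lower() != spn_object_id.lower():
            continue
        granted = {p.lower() for p in (policy.get("permissions", {}).get("keys") or [])}
        missing = REQUIRED_KEY_PERMISSIONS - granted
        if missing:
            return Finding(False, [f"policy for {spn_object_id} lacks key permissions: {sorted(missing)}"])
        return Finding(True)
    return Finding(False, [f"no access policy found for object id {spn_object_id}"])


def audit(workspace_json: str, vault_json: str, spn_object_id: str) -> Finding:
    """Combine both checks over raw CLI output; compliant only when both pass."""
    ws = workspace_uses_cmk(json.loads(workspace_json))
    kv = spn_can_use_key(json.loads(vault_json), spn_object_id)
    return Finding(ws.compliant and kv.compliant, ws.reasons + kv.reasons)


# Constructed sample output (placeholder ids and names, not real resources)
DATABRICKS_SPN_OBJECT_ID = "00000000-0000-0000-0000-000000000000"

WORKSPACE_PLATFORM_KEY = json.dumps({
    "name": "ws-analytics",
    "properties": {"parameters": {"encryption": {"value": {"keySource": "Default"}}}},
})
WORKSPACE_CMK = json.dumps({
    "name": "ws-analytics",
    "properties": {"parameters": {"encryption": {"value": {
        "keySource": "Microsoft.Keyvault",
        "keyName": "databricks-cmk",
        "keyVersion": "constructed-version",
        "keyVaultUri": "https://example-vault.vault.azure.net/",
    }}}},
})
VAULT_WITH_POLICY = json.dumps({
    "name": "example-vault",
    "properties": {"accessPolicies": [
        {"objectId": DATABRICKS_SPN_OBJECT_ID,
         "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}},
    ]},
})
VAULT_WITHOUT_POLICY = json.dumps({"name": "example-vault", "properties": {"accessPolicies": []}})


if __name__ == "__main__":
    cases = [
        ("platform key, policy present", WORKSPACE_PLATFORM_KEY, VAULT_WITH_POLICY),
        ("CMK, policy missing", WORKSPACE_CMK, VAULT_WITHOUT_POLICY),
        ("CMK, policy present", WORKSPACE_CMK, VAULT_WITH_POLICY),
    ]
    for label, ws, kv in cases:
        result = audit(ws, kv, DATABRICKS_SPN_OBJECT_ID)
        status = "PASS" if result.compliant else "FAIL"
        print(f"{status}: {label}" + ("" if result.compliant else f" -> {'; '.join(result.reasons)}"))
```

To use it against live data, save `az databricks workspace show` and `az keyvault show` output to files and pass their contents to `audit()` together with the object id of the Databricks service principal; a workspace that passes `workspace_uses_cmk` but fails `spn_can_use_key` is the configuration that breaks at the next key operation, which is why both checks are reported rather than only the key source.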