Take Control: Customer-Managed Keys for Lakebase Postgres

2026-04-20 · Source: Databricks · Field: Technology & Digital — Cloud Computing & IT Infrastructure, Cybersecurity & Data Privacy · Depth: Intermediate, short

Summary

Lakebase Customer Managed Keys (CMK) provides enterprises in highly regulated environments with control over their data's root of trust by integrating with cloud Key Management Services (KMS) like AWS KMS, Azure Key Vault, or Google Cloud KMS. Unlike traditional databases that encrypt only storage, Lakebase CMK extends encryption across both persistent storage and ephemeral compute layers, addressing the unique challenges of Lakebase's decoupled architecture. It employs a hierarchical Envelope Encryption model, where data keys (DEKs) are encrypted by Key Encryption Keys (KEKs), which are in turn protected by the customer's CMK residing in their cloud KMS. This architecture enables seamless key rotation, timely revocation, and ensures Databricks never accesses plaintext customer keys.

Key takeaway

For CTOs and VP of Engineering overseeing data security in highly regulated environments, Lakebase CMK offers critical cryptographic control over Postgres workloads. You can enforce data sovereignty by managing your own encryption keys in your cloud KMS, ensuring that both persistent storage and ephemeral compute data are protected under your direct control, with full auditability via your cloud provider's logs.

Key insights

Lakebase CMK offers comprehensive, customer-controlled encryption for both storage and ephemeral compute via hierarchical Envelope Encryption.

Principles

• Root of trust resides in customer's KMS.
• Separate storage and compute layers require dual encryption.
• Envelope Encryption enables scalable key management.

Method

Lakebase CMK uses a three-level key hierarchy: Customer Managed Key (CMK) in cloud KMS, Key Encryption Key (KEK) by Databricks, and Data Encryption Keys (DEKs) for data segments.

In practice

• Encrypts WAL segments and data files in storage.
• Protects ephemeral compute data with per-boot keys.
• Supports seamless key rotation without downtime.

Topics

• Customer Managed Keys
• Envelope Encryption
• Lakebase Postgres
• Cloud Key Management Service
• Storage and Compute Encryption

Best for: CTO, VP of Engineering/Data, Security Engineer, IT Professional, MLOps Engineer

Related on AIssential

• If Rotating Secrets Requires a Ticket, It’s Not a Process — It’s a Problem — Uncontrolled access in MLOps platforms, often due to ad-hoc practices, creates systemic operability and security risks.
• Verifying and optimizing post-quantum cryptography at Amazon — Automated reasoning reconciles cryptographic security, performance, and maintainability through formal verification and optimization.
• A hotel check-in system left a million passports and driver’s licenses open for anyone to see — Basic cybersecurity misconfigurations, not sophisticated attacks, frequently cause significant data exposure incidents.
• Google API Keys Weren't Secrets. But then Gemini Changed the Rules. — Shared API key infrastructure between public and private services creates critical privilege escalation risks.
• Reclaiming Freedom: Who Holds Veto Over Your Data Stack — Control over tools dictates user freedom; open, adaptable systems with structural guardrails are crucial for data sovereignty.
• Article: Designing Continuous Authorization for Sensitive Cloud Systems — Continuous authorization evaluates real-time risk for every sensitive data operation, moving beyond static login-time permissions.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Databricks.