diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index ba790c563c..8f22e448da 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml @@ -133,6 +133,18 @@ inputs: description: "Application Gateway SKU" required: false default: "" + ENABLE_CMK_ENCRYPTION: + description: "A boolean indicating if we should enable CMK on supported resources" + required: false + default: "false" + ENCRYPTION_KV_NAME: + description: "" + required: false + default: "The name of the keyvault that will be created for CMK" + EXTERNAL_KEY_STORE_ID: + description: "The Azure Resource ID for an external key store to use for CMK" + required: false + default: "" runs: using: composite @@ -254,6 +266,9 @@ runs: && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \ -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \ -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \ + -e TF_VAR_enable_cmk_encryption="${{ inputs.ENABLE_CMK_ENCRYPTION }}" \ + -e TF_VAR_encryption_kv_name="${{ inputs.ENCRYPTION_KV_NAME }}" \ + -e TF_VAR_external_key_store_id="${{ inputs.EXTERNAL_KEY_STORE_ID }}" \ -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \ '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \ bash -c -x "./command.sh" diff --git a/.github/workflows/build_validation_develop.yml b/.github/workflows/build_validation_develop.yml index a9364293d8..a71466e492 100644 --- a/.github/workflows/build_validation_develop.yml +++ b/.github/workflows/build_validation_develop.yml @@ -57,11 +57,6 @@ jobs: with: terraform_version: "1.9.8" - - uses: hashicorp/setup-terraform@v3 - if: ${{ steps.filter.outputs.terraform == 'true' }} - with: - terraform_version: "1.9.8" - - name: Terraform format check if: ${{ steps.filter.outputs.terraform == 'true' }} run: terraform fmt -check -recursive 
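Review bot: In the new `ENCRYPTION_KV_NAME` input the `description` and `default` values are swapped: the description is empty and the default is the sentence "The name of the keyvault that will be created for CMK". Any caller that omits the input would therefore export that sentence as `TF_VAR_encryption_kv_name` (second hunk of this file), and with the new Terraform validation requiring exactly one of `encryption_kv_name` / `external_key_store_id` to be non-empty, a deployment that supplies only `EXTERNAL_KEY_STORE_ID` and relies on the default would be rejected. Swap them back: `description: "The name of the keyvault that will be created for CMK"` and `default: ""`. The `inputs:` mapping continues above and below this hunk.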
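Review bot: The three new `-e TF_VAR_…="${{ inputs.… }}"` arguments are substituted into the `run` script text by the expression engine before bash parses it, so a value containing a double quote, `$(` or a backtick terminates the quoted argument and executes as shell; this matches the surrounding lines, and the values come from environment secrets/variables or a ref-derived name, so exposure is limited, but it is worth a comment. A safer form the step could migrate to is exposing inputs via the step's `env:` (`ENCRYPTION_KV_NAME: ${{ inputs.ENCRYPTION_KV_NAME }}`) and writing `-e TF_VAR_encryption_kv_name="$ENCRYPTION_KV_NAME" \`, which bash then treats as data. Separately, `ENABLE_CMK_ENCRYPTION` reaches a Terraform `bool` variable unguarded, and an empty string from an unset repository variable is unlikely to convert cleanly, so a fallback like the one used for the process counts just above, `-e TF_VAR_enable_cmk_encryption="${{ inputs.ENABLE_CMK_ENCRYPTION || 'false' }}" \`, would be safer. The `docker run` command and its step start before this hunk.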
diff --git a/.github/workflows/deploy_tre.yml b/.github/workflows/deploy_tre.yml index bddea6979f..c9ea4e3e0a 100644 --- a/.github/workflows/deploy_tre.yml +++ b/.github/workflows/deploy_tre.yml @@ -57,3 +57,5 @@ jobs: TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" TRE_ID: ${{ secrets.TRE_ID }} CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }} + ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }} + EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }} diff --git a/.github/workflows/deploy_tre_branch.yml b/.github/workflows/deploy_tre_branch.yml index a6b65f9196..0f6567add6 100644 --- a/.github/workflows/deploy_tre_branch.yml +++ b/.github/workflows/deploy_tre_branch.yml @@ -88,3 +88,5 @@ jobs: TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" TRE_ID: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }} CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }} + ENCRYPTION_KV_NAME: ${{ format('tre{0}mgmt', needs.prepare-not-main.outputs.refid) }} + EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }} diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml index 3942f9c4cb..55234ed2cb 100644 --- a/.github/workflows/deploy_tre_reusable.yml +++ b/.github/workflows/deploy_tre_reusable.yml @@ -90,6 +90,12 @@ on: # yamllint disable-line rule:truthy AZURE_CREDENTIALS: description: "" required: true + ENCRYPTION_KV_NAME: + description: "" + required: false + EXTERNAL_KEY_STORE_ID: + description: "" + required: false # This will prevent multiple runs of this entire workflow. # We should NOT cancel in progress runs as that can destabilize the environment. 
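Review bot: This workflow always passes a generated `ENCRYPTION_KV_NAME` (`tre<refid>mgmt`) and also forwards `secrets.EXTERNAL_KEY_STORE_ID`, so in an environment where that secret is configured and `ENABLE_CMK_ENCRYPTION` is `true`, both values are non-empty and the new validation in `core/terraform/variables.tf` rejects the branch deployment. Either drop the `EXTERNAL_KEY_STORE_ID` line here, as `pr_comment_bot.yml` does, or add a comment stating that branch deployments always create their own vault and the environment must not set that secret. Passing a non-secret, ref-derived name through `secrets:` will also mask every occurrence of `tre<refid>mgmt` as `***` in the called workflow's logs, which may be intended but deserves a comment. The `secrets:` mapping starts before this hunk.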
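Review bot: The two new secret inputs carry `description: ""`, which leaves callers without the constraint that matters most: exactly one of the two may be non-empty when CMK is enabled, and that is only enforced later by Terraform. Suggested text: `description: "Name of the Key Vault to create for CMK keys; mutually exclusive with EXTERNAL_KEY_STORE_ID"` and `description: "Resource ID of an existing key store to hold CMK keys; mutually exclusive with ENCRYPTION_KV_NAME"`. The `secrets:` block of `workflow_call` continues above this hunk.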
@@ -246,6 +252,9 @@ jobs: TERRAFORM_STATE_CONTAINER_NAME: ${{ vars.TERRAFORM_STATE_CONTAINER_NAME }} MGMT_RESOURCE_GROUP_NAME: ${{ secrets.MGMT_RESOURCE_GROUP_NAME }} MGMT_STORAGE_ACCOUNT_NAME: ${{ secrets.MGMT_STORAGE_ACCOUNT_NAME }} + ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }} + ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }} + EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }} - name: ACR Login # failure in the first attempt indicates a new ACR, so we need to try again after it's been created @@ -359,6 +368,9 @@ jobs: RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }} FIREWALL_SKU: ${{ vars.FIREWALL_SKU}} APP_GATEWAY_SKU: ${{ vars.APP_GATEWAY_SKU }} + ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }} + ENCRYPTION_KV_NAME: ${{ secrets.ENCRYPTION_KV_NAME }} + EXTERNAL_KEY_STORE_ID: ${{ secrets.EXTERNAL_KEY_STORE_ID }} - name: API Healthcheck uses: ./.github/actions/devcontainer_run_command diff --git a/.github/workflows/pr_comment_bot.yml b/.github/workflows/pr_comment_bot.yml index cfc14dc739..3771dfbbfb 100644 --- a/.github/workflows/pr_comment_bot.yml +++ b/.github/workflows/pr_comment_bot.yml @@ -185,3 +185,4 @@ jobs: TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}" TRE_ID: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }} CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }} + ENCRYPTION_KV_NAME: ${{ format('tre{0}mgmt', needs.pr_comment.outputs.prRefId) }} diff --git a/config_schema.json b/config_schema.json index 8885822acb..d2235f74ab 100644 --- a/config_schema.json +++ b/config_schema.json @@ -51,6 +51,14 @@ "description": "The Azure subscription ID for all resources.", "type": "string", "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" + }, + "encryption_kv_name": { + "description": "Name of Key Vault for encryption keys.", + "type": "string" + }, + "external_key_store_id": { + "description": "ID of external Key Vault to store CMKs.", + "type": "string" } }, "required": [ 
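Review bot: `ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION }}` evaluates to an empty string when the repository/environment variable is not defined, and as far as I recall an action input that is passed explicitly, even as `""`, does not fall back to the action's `default: "false"`, so the devcontainer action would export `TF_VAR_enable_cmk_encryption=""` to a Terraform `bool` variable. Prefer `ENABLE_CMK_ENCRYPTION: ${{ vars.ENABLE_CMK_ENCRYPTION || 'false' }}` here and in the core-deploy step of the next hunk. The `with:` mapping of this step begins before the hunk.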
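Review bot: Both new properties are unconstrained strings although the neighbouring `subscription_id` carries a `pattern`, so a malformed resource ID or a vault name Azure will reject only surfaces at apply time. Consider `"pattern": "^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\\.KeyVault/(vaults|managedHSMs)/[^/]+$"` on `external_key_store_id` (narrow it to `vaults` if managed HSMs are not supported) and `"pattern": "^[a-zA-Z][a-zA-Z0-9-]{1,22}[a-zA-Z0-9]$"` on `encryption_kv_name`, which approximates the published Key Vault naming rules as I understand them. The schema cannot express the mutual exclusion, so a sentence in each description saying the other must be empty would also help. The enclosing `properties` object continues outside the hunk.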
@@ -96,6 +104,10 @@ "custom_domain": { "description": "Custom domain name.", "type": "string" + }, + "enable_cmk_encryption": { + "description": "Enables customer-managed key encryption for all supported resources.", + "type": "boolean" } } }, diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index 1f1004d8bb..8a6c034aaa 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf @@ -228,6 +228,14 @@ variable "enable_cmk_encryption" { type = bool description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources" default = false + + validation { + condition = var.enable_cmk_encryption == false || (var.enable_cmk_encryption == true && ( + (try(length(var.external_key_store_id), 0) > 0 && try(length(var.encryption_kv_name), 0) == 0) || + (try(length(var.external_key_store_id), 0) == 0 && try(length(var.encryption_kv_name), 0) > 0) + )) + error_message = "Exactly one of 'external_key_store_id' or 'encryption_kv_name' must be non-empty when enable_cmk_encryption is true." + } } variable "external_key_store_id" { diff --git a/core/version.txt b/core/version.txt index 8e1395bd35..6dd4954d0d 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.12.3" +__version__ = "0.12.4" diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf index 9c9ad2bfbe..4b2131dbc9 100644 --- a/devops/terraform/variables.tf +++ b/devops/terraform/variables.tf 
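Review bot: The new `validation` block references `var.external_key_store_id` and `var.encryption_kv_name` from inside the `enable_cmk_encryption` variable, which Terraform only permits from 1.9 onwards (earlier releases reject cross-variable references in `condition`); the workflows pin 1.9.8, but this module's `required_version` is not visible here and should be raised to match, with a comment such as `# cross-variable validation requires Terraform >= 1.9`. The condition itself can be stated as an exclusive-or that reads closer to the error message: `condition = !var.enable_cmk_encryption || ((try(length(var.external_key_store_id), 0) > 0) != (try(length(var.encryption_kv_name), 0) > 0))`. The `variable "external_key_store_id"` block that follows is cut off by the hunk.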
@@ -28,6 +28,14 @@ variable "enable_cmk_encryption" { type = bool description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources" default = false + + validation { + condition = var.enable_cmk_encryption == false || (var.enable_cmk_encryption == true && ( + (try(length(var.external_key_store_id), 0) > 0 && try(length(var.encryption_kv_name), 0) == 0) || + (try(length(var.external_key_store_id), 0) == 0 && try(length(var.encryption_kv_name), 0) > 0) + )) + error_message = "Exactly one of 'external_key_store_id' or 'encryption_kv_name' must be non-empty when enable_cmk_encryption is true." + } } variable "external_key_store_id" { diff --git a/devops/version.txt b/devops/version.txt index 86716a713a..a779a44262 100644 --- a/devops/version.txt +++ b/devops/version.txt @@ -1 +1 @@ -__version__ = "0.5.5" +__version__ = "0.5.6" diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 04395b9ec9..144fb92e0e 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md 
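Review bot: This validation is a verbatim copy of the one added to `core/terraform/variables.tf`, so the two modules' rules can silently drift; at minimum a comment `# keep in sync with core/terraform/variables.tf` on the `validation` line would flag it. As with the core copy, the cross-variable reference needs Terraform >= 1.9, so confirm this module's `required_version`, and the condition can be simplified to the same exclusive-or form: `condition = !var.enable_cmk_encryption || ((try(length(var.external_key_store_id), 0) > 0) != (try(length(var.encryption_kv_name), 0) > 0))`. The `variable "external_key_store_id"` block that follows is cut off by the hunk.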
@@ -44,7 +44,8 @@ | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). | -| `ENABLE_CMK_ENCRYPTION` | If set to `true`, customer-managed key encryption will be enabled for all supported resources. | +| `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | + ## For authentication in `/config.yaml` | Variable | Description | @@ -60,6 +61,7 @@ | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.| ## For CI/CD pipelines in github environment secrets + | Variable | Description | | -------- | ----------- | | `AZURE_CREDENTIALS`| Credentials used to authorize CI/CD workflows to provision resources for the TRE workspaces and workspace services. This is basically your ARM client credentials in json format. Read more about how to create it and its format [here](./setup-instructions/workflows.md##create-a-service principal-for-provisioning-resources)| diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index 0c360b5f93..e03c63272d 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md 
@@ -66,6 +66,8 @@ Configure the following secrets in your github environment: | `MGMT_RESOURCE_GROUP_NAME` | The name of the shared resource group for all Azure TRE core resources. | | `MGMT_STORAGE_ACCOUNT_NAME` | The name of the storage account to hold the Terraform state and other deployment artifacts. E.g. `mystorageaccount`. | | `ACR_NAME` | A globally unique name for the Azure Container Registry (ACR) that will be created to store deployment images. | +| `EXTERNAL_KEY_STORE_ID` | Optional. The ID of the external Key Vault to store CMKs in. Should not be set if `ENCRYPTION_KV_NAME` is set and only required if `ENABLE_CMK_ENCRYPTION` is true. | +| `ENCRYPTION_KV_NAME` | Optional. The name of the Key Vault for encryption keys. Should not be set if `EXTERNAL_KEY_STORE_ID` is set and only required if `ENABLE_CMK_ENCRYPTION` is true. | ### Configure Core Variables @@ -86,6 +88,7 @@ Configure the following **variables** in your github environment: | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). | +| `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | ### Configure Authentication Secrets diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index dfc21b8de5..eabc62332d 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md 
@@ -147,7 +147,7 @@ Configure variables used in the deployment workflow: | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. | | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). | | `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] | - +| `ENABLE_CMK_ENCRYPTION` | Optional. Default is `false`, if set to `true` customer-managed key encryption will be enabled for all supported resources. | ### Deploy the TRE using the workflow