diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 88f5a37aed..5416d858ad 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -24,6 +24,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 location = var.location
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 tags = var.tre_core_tags
diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
index 70cd58996e..74bcd3fb30 100644
--- a/core/terraform/airlock/storage_accounts.tf
+++ b/core/terraform/airlock/storage_accounts.tf
@@ -7,6 +7,8 @@ resource "azurerm_storage_account" "sa_import_external" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 cross_tenant_replication_enabled = false
 
 # Don't allow anonymous access (unrelated to the 'public' networking rules)
@@ -71,6 +73,8 @@ resource "azurerm_storage_account" "sa_export_approved" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 cross_tenant_replication_enabled = false
 
 # Don't allow anonymous access (unrelated to the 'public' networking rules)
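Review bot: Adding `table_encryption_key_type` and `queue_encryption_key_type` to an already-deployed `azurerm_storage_account` is, as far as I recall the azurerm provider, a ForceNew change, so flipping `var.enable_cmk_encryption` on an existing environment would plan a destroy-and-recreate of `sa_airlock_processor_func_app` and of every other account touched here (the `sa_import_external`, `sa_export_approved`, `sa_import_in_progress`, `sa_import_rejected`, `sa_import_blocked`, `staticweb`, `az_monitor`, `stg` and `state_storage` hunks), taking the airlock blobs and the Terraform state with them. Worth confirming against the provider docs and, if so, either documenting that the flag is creation-time only or adding `lifecycle { prevent_destroy = true }` to the accounts that hold data so the plan fails loudly instead of replacing them. The same ternary is pasted into every account; a module-level `locals { storage_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service" }` referenced as `local.storage_encryption_key_type` would keep the ten copies from drifting. The enclosing resource blocks start and end outside the hunks.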
@@ -135,6 +139,8 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 
@@ -229,6 +235,8 @@ resource "azurerm_storage_account" "sa_import_rejected" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 
@@ -297,6 +305,8 @@ resource "azurerm_storage_account" "sa_import_blocked" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 
diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
index 4a9dee49a5..c0ff13ea11 100644
--- a/core/terraform/appgateway/staticweb.tf
+++ b/core/terraform/appgateway/staticweb.tf
@@ -6,6 +6,8 @@ resource "azurerm_storage_account" "staticweb" {
 account_kind = "StorageV2"
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 enable_https_traffic_only = true
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
index 795a0a2af4..de19ac16b2 100644
--- a/core/terraform/azure-monitor/azure-monitor.tf
+++ b/core/terraform/azure-monitor/azure-monitor.tf
@@ -20,6 +20,8 @@ resource "azurerm_storage_account" "az_monitor" {
 account_kind = "StorageV2"
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 tags = var.tre_core_tags
diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
index fc9e552eec..4fa985104e 100644
--- a/core/terraform/storage.tf
+++ b/core/terraform/storage.tf
@@ -4,6 +4,8 @@ resource "azurerm_storage_account" "stg" {
 location = azurerm_resource_group.core.location
 account_tier = "Standard"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 allow_nested_items_to_be_public = false
 cross_tenant_replication_enabled = false
 
diff --git a/core/version.txt b/core/version.txt
index 5dae1332b4..20cc868f1e 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.8"
+__version__ = "0.11.9"
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index d0671c3a18..8f67d0b47e 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -12,11 +12,16 @@ az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "
 if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
 # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
+ # Set default encryption types based on enable_cmk
+ encryption_type=$([ "${TF_VAR_enable_cmk_encryption:-false}" = true ] && echo "Account" || echo "Service")
+ # shellcheck disable=SC2154
 az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
 --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
 --allow-blob-public-access false \
 --kind StorageV2 --sku Standard_LRS -o table \
+ --encryption-key-type-for-queue "$encryption_type" \
+ --encryption-key-type-for-table "$encryption_type" \
 --require-infrastructure-encryption true
 else
 echo "Storage account already exists..."
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
index ec0ff94722..bd178f37d0 100644
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
@@ -27,6 +27,8 @@ resource "azurerm_storage_account" "state_storage" {
 account_tier = "Standard"
 account_kind = "StorageV2"
 account_replication_type = "LRS"
+ table_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
+ queue_encryption_key_type = var.enable_cmk_encryption ? "Account" : "Service"
 cross_tenant_replication_enabled = false
 allow_nested_items_to_be_public = false
 shared_access_key_enabled = false
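Review bot: The `else` branch at the end of the hunk only prints "Storage account already exists..." and never checks whether the existing management account's table/queue key types match the `$encryption_type` the script would have requested; since `--encryption-key-type-for-queue`/`--encryption-key-type-for-table` are only applied on create (which is why the create is guarded), an environment bootstrapped before this change stays on service-managed keys while `devops/terraform/main.tf` in this same commit now declares `table_encryption_key_type`/`queue_encryption_key_type` for `state_storage`, so the next plan would, if I have the provider's ForceNew behaviour right, propose replacing the Terraform state account. I would hoist the `encryption_type=` assignment above the `if` and, in the `else` branch, compare it against the `keyType` fields under `encryption.services` returned by `az storage account show`, warning loudly on a mismatch so the operator learns about it before `terraform plan` does. Separately, `[ ... = true ]` accepts only the literal lowercase `true`, so a value such as `True` or `1` silently falls back to `Service`; the added comment should say so, e.g. `# Set default encryption types based on TF_VAR_enable_cmk_encryption (only the literal "true" selects account-scoped keys)`. The `if` this hunk modifies closes outside the hunk.
```shell
# Set default encryption types based on TF_VAR_enable_cmk_encryption (only the literal "true" selects account-scoped keys).
# Hoisted above the if so the else branch can compare the existing account against it.
encryption_type=$([ "${TF_VAR_enable_cmk_encryption:-false}" = true ] && echo "Account" || echo "Service")

if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
  # … unchanged: az storage account create … (the encryption_type assignment is no longer needed here)
else
  echo "Storage account already exists..."
  # Key types are fixed at creation; surface a mismatch here rather than letting Terraform discover it as a replacement.
  # An empty value (accounts created before keyType was reported) is treated as a mismatch to be reviewed by hand.
  existing_types=$(az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" \
    --name "$TF_VAR_mgmt_storage_account_name" \
    --query "[encryption.services.table.keyType, encryption.services.queue.keyType]" -o tsv | paste -sd' ')
  if [ "$existing_types" != "$encryption_type $encryption_type" ]; then
    echo "WARNING: existing table/queue encryption key types ('$existing_types') do not match requested '$encryption_type'; the state storage account may be replaced by the next terraform plan"
  fi
```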