Azure VM Disk Encryption with BitLocker - Recommended Solution

Encrypting Virtual Machine Disks with BitLocker

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.

Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution: Export a security key from the on-premises HSM. Create one Azure AD service principal. Configure the virtual machines to use Azure Storage Service Encryption.

Does this meet the goal?

Answers

A. Yes
B. No

Correct answer: B

Explanations

We use the Azure Premium Key Vault with Hardware Security Module (HSM)-backed keys.

The Key Vault has to be in the same region as the VM that will be encrypted.

https://www.ciraltos.com/azure-disk-encryption-v2/

No, this solution does not meet the goal of encrypting the virtual machine disks by using BitLocker Drive Encryption.

The proposed solution recommends exporting a security key from the on-premises HSM, creating one Azure AD service principal, and configuring the virtual machines to use Azure Storage Service Encryption. However, Azure Storage Service Encryption does not use BitLocker Drive Encryption.

Azure Storage Service Encryption provides encryption for data at rest in Azure storage accounts, but it does not encrypt virtual machine disks using BitLocker. To encrypt virtual machine disks using BitLocker, you can use Azure Disk Encryption.

Azure Disk Encryption enables you to encrypt Windows and Linux virtual machine disks using BitLocker and dm-crypt technology, respectively. You can use Azure Disk Encryption to encrypt both new and existing virtual machines by specifying encryption settings when you create or update a virtual machine. Azure Disk Encryption is integrated with Azure Key Vault to help you safeguard and manage encryption keys.

Therefore, the recommended solution does not meet the goal of encrypting the virtual machine disks by using BitLocker Drive Encryption, and the answer is B. No.
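As an added example (not from the original page or the exam vendor), this Azure PowerShell script shows the configuration the explanation and the comment above describe: Azure Disk Encryption (BitLocker on Windows Server) backed by a Premium Key Vault with an HSM-protected key in the same region as the VM, instead of Storage Service Encryption. The resource group, VM and vault names are assumptions; it needs the Az module and a prior Connect-AzAccount.

```powershell
# Added example (not from the original page): enable Azure Disk Encryption (BitLocker on
# Windows) on one West Europe VM with an HSM-protected key-encryption key (KEK) held in a
# Premium Key Vault in the SAME region. Resource names below are assumptions.
$rg        = 'rg-application1-weu'   # assumed resource group
$vmName    = 'app1-weu-vm01'         # assumed VM name
$vaultName = 'kv-app1-weu'           # assumed vault name (must be globally unique)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Premium SKU provides HSM-backed keys; EnabledForDiskEncryption lets the ADE
# extension write and read the wrapped BitLocker keys in the vault.
$kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $vm.Location `
        -Sku Premium -EnabledForDiskEncryption

# Guardrail from the comment above: ADE requires the Key Vault and the VM to be in the
# same region (and subscription). Stop here rather than fail later in the extension.
if ($kv.Location -ne $vm.Location) {
    throw "Key Vault region '$($kv.Location)' does not match VM region '$($vm.Location)'"
}

# KEK generated in the vault's HSM pool. To bring the on-premises HSM key instead,
# call Add-AzKeyVaultKey with -KeyFilePath pointing at the BYOK transfer package.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'ade-kek' -Destination HSM

# Enable ADE on OS and data volumes. The current extension needs no Azure AD service
# principal; the BitLocker keys are wrapped with the KEK and stored in the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should report 'Encrypted'.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

For the East US VMs the same steps are repeated with a second Premium vault created in that region, since one vault cannot serve VMs in both regions.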