Azure Storage Encryption Keys: Types for Data Engineering on Microsoft Azure

Question

Richard is a Cloud Security Engineer at Whizlabs Inc.

As part of the enterprise data lake project, he has been assigned to implement the encryption strategy and key/secret management for Azure data storage.

The project's data sources are ERP and CRM/SAP systems whose static files are stored in Azure file storage.

The key should be stored in Azure Key Vault or Key Vault HSM.

As part of the server-side encryption (SSE) feature of Azure Storage, he is required to specify the encryption key type when enabling encryption on the Azure storage account.

Which of the following kinds of Azure storage encryption keys can he use in this scenario?

Answers

A. Microsoft-managed encryption keys
B. Customer-provided encryption keys
C. Customer-managed encryption keys
D. Microsoft-managed and Customer-provided encryption keys

Explanations

Correct Answer: C.

Because Richard is implementing the encryption strategy and key/secret management for Azure data storage as part of the enterprise data lake project, he needs to consider which type of encryption key to use when enabling encryption on the Azure storage account.

Azure Storage provides server-side encryption (SSE) to help protect data at rest. SSE automatically encrypts data when it is written to Azure Storage and decrypts it when it is read. SSE can be enabled on Azure Blobs, Azure Files, and Azure Queues, and it uses 256-bit Advanced Encryption Standard (AES) encryption.

When enabling SSE, Richard can choose one of the following types of encryption keys:

A. Microsoft-managed encryption keys: With this option, Microsoft manages the encryption keys on the user's behalf and automatically handles key management tasks such as key rotation and key versioning. This option is the easiest to use, and there is no additional cost for it. However, the user has limited control over the keys.

B. Customer-provided encryption keys: With this option, the user can bring their own keys to encrypt and decrypt data. The user is responsible for managing and securing the keys, including key rotation, key versioning, and key backups. This option provides more control over the keys than Microsoft-managed encryption keys. However, the user needs to pay for Azure Key Vault or Key Vault HSM to store and manage the keys.

C. Customer-managed encryption keys: With this option, the user can generate and manage encryption keys using Azure Key Vault or Key Vault HSM. This option provides the most control over the keys. The user can rotate the keys, manage the key versions, and take backups of the keys. This option requires the user to pay for Azure Key Vault or Key Vault HSM to store and manage the keys.

D. Microsoft-managed and Customer-provided encryption keys: With this option, the user can use both Microsoft-managed and customer-provided encryption keys for different scenarios. For example, the user can use Microsoft-managed encryption keys for development and testing environments and customer-provided encryption keys for production environments. This option provides the flexibility to use different types of keys for different scenarios.

In Richard's scenario, because the encryption key must be stored in Azure Key Vault or Key Vault HSM, he can choose either customer-provided or customer-managed encryption keys; both options require paying for Azure Key Vault or Key Vault HSM. If Richard needs more control over the encryption keys, he should choose customer-managed encryption keys. If instead he prefers to have Microsoft manage the keys and does not require much control over them, he can choose Microsoft-managed encryption keys.
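The difference between Microsoft-managed and customer-managed keys is visible in a storage account's `encryption` block (as returned by `az storage account show`), so the choice can be audited rather than assumed. The following is an added example, not part of the original question: it classifies accounts by `keySource` and flags the ones that do not meet the "key must live in Key Vault" requirement. The field names follow the Microsoft.Storage ARM encryption properties as understood here, and the two sample accounts are constructed.

```python
"""Classify and audit how Azure Storage accounts' server-side encryption is keyed.

Added example. Field names (keySource, keyVaultProperties, services) follow the
Microsoft.Storage ARM encryption properties; the sample accounts are constructed.
"""
import json

# keySource values used by the Azure Storage resource provider.
MICROSOFT_MANAGED = "Microsoft.Storage"   # Microsoft-managed keys (option A)
CUSTOMER_MANAGED = "Microsoft.Keyvault"   # customer-managed keys in Key Vault (option C)

# Constructed sample: one account keyed from Key Vault, one with platform keys.
SAMPLE_ACCOUNTS = json.loads("""[
 {"name": "dlakeprod", "encryption": {"keySource": "Microsoft.Keyvault",
   "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net/",
                          "keyName": "dlake-cmk", "keyVersion": ""},
   "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}},
 {"name": "dlakedev", "encryption": {"keySource": "Microsoft.Storage",
   "services": {"blob": {"enabled": true}, "file": {"enabled": true}}}}
]""")


def classify_key_type(account: dict) -> str:
    """Map keySource onto the key types discussed above."""
    source = account.get("encryption", {}).get("keySource")
    if source == MICROSOFT_MANAGED:
        return "microsoft-managed"
    if source == CUSTOMER_MANAGED:
        return "customer-managed"
    return "unknown"


def audit_account(account: dict) -> list:
    """Findings against a policy that requires the key to be held in Key Vault."""
    enc = account.get("encryption", {})
    if classify_key_type(account) != "customer-managed":
        return [f"keySource is {enc.get('keySource')!r}; policy requires Microsoft.Keyvault"]
    findings = []
    kv = enc.get("keyVaultProperties") or {}
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        findings.append("customer-managed key configured without a Key Vault URI or key name")
    # An empty keyVersion means the account tracks the key's current version
    # (automatic rotation); a pinned version has to be rotated by hand.
    if kv.get("keyVersion"):
        findings.append(f"key version pinned to {kv['keyVersion']}; rotation is manual")
    for svc in ("blob", "file"):  # the services holding the data-lake files
        if not enc.get("services", {}).get(svc, {}).get("enabled", False):
            findings.append(f"{svc} service encryption disabled")
    return findings


def audit_all(accounts: list) -> dict:
    """Account name -> list of findings (empty list means compliant)."""
    return {a["name"]: audit_account(a) for a in accounts}
```

Running `audit_all(SAMPLE_ACCOUNTS)` reports the development account as non-compliant because it still uses Microsoft-managed keys, while the production account passes.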