Configure Azure Key Vault Settings for Azure Disk Encryption and Azure Backup

Enable Azure Disk Encryption on VM1 using Azure Key Vault

Question

You have an Azure subscription that contains a virtual machine named VM1.

You create an Azure key vault that has the following configurations:

- Name: Vault5
- Region: West US
- Resource group: RG1

You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup.

Which key vault settings should you configure?

Answers

Explanations


A

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

The correct answer for the given scenario is A. Access policies.

Explanation:

Azure Disk Encryption protects data on virtual machines (VMs) by encrypting the OS and data disks. It uses industry-standard encryption algorithms, with the keys protected by Azure Key Vault. Azure Backup is a cloud-based backup solution that lets you protect and restore data in the Microsoft cloud.

To enable Azure Disk Encryption on VM1 using Vault5, you need to configure access policies on the key vault. Access policies define the permissions for a security principal (user, group, or application) to access a key vault and its contents, including keys, secrets, and certificates.

To enable Azure Disk Encryption, you need to grant the appropriate permissions to the VM's service principal or managed identity so that it can access the key vault and retrieve the encryption keys for the VM's disks. The following permissions are required:

  1. Get, WrapKey, and UnwrapKey permissions on the key vault.
  2. List and Get permissions on the key vault's key, certificate, and secret objects.

To configure access policies on Vault5, follow these steps:

  1. In the Azure portal, navigate to the Vault5 key vault.
  2. Click on the Access policies blade.
  3. Click on the Add Access Policy button.
  4. Select the appropriate template for your scenario (for example, Disk Encryption for VMs), or create a custom policy.
  5. Select the service principal or managed identity that represents the VM, and grant the required permissions.
  6. Save the access policy.

Once you have configured the access policies, you can enable Azure Disk Encryption on VM1 by following the Azure Disk Encryption workflow in the Azure portal. During the encryption process, the VM's service principal or managed identity will retrieve the encryption keys from the Vault5 key vault.
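The same configuration done from the Az PowerShell module rather than the portal, as an added example that is not part of the original page. It assumes Connect-AzAccount has already been run and that RG1, Vault5 and VM1 exist as described in the question; the same-region check is a known Azure Disk Encryption requirement, not something the question states.

```powershell
# Added example (not from the original page). Assumes an authenticated Az session
# and the resources named in the question.
$rg    = 'RG1'
$vault = 'Vault5'
$vm    = 'VM1'

# 1. Vault-level access policy setting: allow the Azure Disk Encryption platform
#    to read the disk encryption secrets it stores in this vault.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption

# 2. Read the vault back and confirm the setting took effect before touching the VM.
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
if (-not $kv.EnabledForDiskEncryption) {
    throw "Vault $vault is not enabled for disk encryption"
}

# 3. ADE requires the key vault and the VM to be in the same region; fail early if not
#    (the question places Vault5 in West US, so VM1 must be there too).
$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vm
if ($kv.Location -ne $vmObj.Location) {
    throw "Vault is in $($kv.Location) but $vm is in $($vmObj.Location); ADE needs the same region"
}

# 4. Encrypt OS and data disks. The extension writes the BitLocker/dm-crypt secret to Vault5.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force

# 5. Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm
```

The VM restarts while the extension encrypts its disks, so run this in a maintenance window.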

To support backing up VM1 using Azure Backup, you need to configure the backup policy for the VM and specify the backup vault where the backups will be stored. This process is separate from the configuration of the key vault, and does not require any specific key vault settings to be configured.