Create Azure Storage Account with Custom Encryption Key | Exam AZ-304 Answer

How to Implement Encryption with Custom Key in Azure Storage Account

Question

You need to create an Azure Storage account that uses a custom encryption key.

What do you need to implement the encryption?

Answers

A. A certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault
B. A managed identity that is configured to access the storage account
C. An Azure Active Directory Premium subscription
D. An Azure Key Vault in the same Azure region as the storage account

Explanations

Correct answer: A

You can use your own encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data.

You must use either Azure Key Vault or Azure Key Vault Managed Hardware Security Model (HSM) (preview) to store your customer-managed keys.

To create an Azure Storage account that uses a custom encryption key, you will need to implement Azure Key Vault. Azure Key Vault is a cloud-based service that helps safeguard cryptographic keys and secrets used by cloud applications and services. It allows you to securely store and manage sensitive information such as keys, passwords, certificates, and other secrets.

Option A: A certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault. This option is correct. You can use a certificate issued by an integrated certification authority (CA) and stored in Azure Key Vault to implement encryption. In this case, the certificate acts as the encryption key. You can upload the certificate to Azure Key Vault and then use it to encrypt and decrypt data in the Azure Storage account.

Option B: A managed identity that is configured to access the storage account. This option is incorrect. A managed identity is an Azure service principal that can access Azure resources. It does not provide encryption capabilities.

Option C: An Azure Active Directory Premium subscription. This option is incorrect. Azure Active Directory Premium is an identity management service that provides advanced features such as self-service password reset, group-based access management, and conditional access policies. It does not provide encryption capabilities.

Option D: An Azure Key Vault in the same Azure region as the storage account. This option is partially correct. You will need an Azure Key Vault to implement encryption, but it does not necessarily need to be in the same Azure region as the storage account. However, having the Key Vault in the same region can reduce latency and improve performance.

In summary, to implement encryption for an Azure Storage account using a custom encryption key, you will need to use Azure Key Vault and upload a certificate issued by an integrated certification authority (CA) to act as the encryption key.
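The Azure CLI sequence below is an added example of the customer-managed key setup the explanation above describes (a key held in Azure Key Vault that protects the key encrypting the storage account's data); it is not part of the exam page and not Microsoft's own sample. It assumes the public Azure cloud, an RSA key created inside the vault as the customer-managed key, and placeholder resource names (rg-cmk-demo, kv-cmk-demo-001, storage-cmk, stcmkdemo001) that you replace with your own. It also shows a prerequisite the page does not spell out: the storage account's managed identity must be allowed to wrap and unwrap with the vault key, or the service cannot use it.

```shell
#!/usr/bin/env bash
# Added example: create an Azure Storage account encrypted with a customer-managed
# key (CMK) in Azure Key Vault using the Azure CLI. Resource names are placeholders.
set -eu

RG="${RG:-rg-cmk-demo}"             # placeholder resource group
LOCATION="${LOCATION:-westeurope}"  # placeholder region; keep vault and account together
VAULT="${VAULT:-kv-cmk-demo-001}"   # placeholder Key Vault name (globally unique)
KEY_NAME="${KEY_NAME:-storage-cmk}" # placeholder key name inside the vault
STORAGE="${STORAGE:-stcmkdemo001}"  # placeholder storage account name (globally unique)

# Key Vault DNS name in the public cloud; the storage service is pointed at this URI.
key_vault_uri() { printf 'https://%s.vault.azure.net/' "$1"; }

# Storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_name() { printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'; }

apply_cmk() {
  valid_storage_name "$STORAGE" || { echo "invalid storage account name: $STORAGE" >&2; return 1; }

  # 1. Vault that will hold the key. Purge protection is required for CMK so the key
  #    cannot be permanently deleted while encrypted data still depends on it.
  az keyvault create --resource-group "$RG" --name "$VAULT" --location "$LOCATION" \
    --enable-purge-protection true

  # 2. The customer-managed key itself: an RSA key generated inside the vault.
  az keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" --kty RSA --size 2048

  # 3. Storage account with a system-assigned managed identity; the identity is how
  #    the storage service authenticates to the vault (it does not encrypt anything itself).
  az storage account create --resource-group "$RG" --name "$STORAGE" --location "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 --assign-identity
  principal_id=$(az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query identity.principalId -o tsv)

  # 4. Least-privilege access policy: the identity may only read the key's public part
  #    and wrap/unwrap the data-encryption key with it (no create, delete or purge).
  az keyvault set-policy --name "$VAULT" --object-id "$principal_id" \
    --key-permissions get wrapKey unwrapKey

  # 5. Switch the account's encryption key source to the vault key. Leaving out
  #    --encryption-key-version lets the service adopt new key versions automatically.
  az storage account update --resource-group "$RG" --name "$STORAGE" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$(key_vault_uri "$VAULT")" \
    --encryption-key-name "$KEY_NAME"

  # 6. Verify: keySource should now read Microsoft.Keyvault and name the vault and key.
  az storage account show --resource-group "$RG" --name "$STORAGE" \
    --query "encryption.{source:keySource,vault:keyVaultProperties.keyVaultUri,key:keyVaultProperties.keyName}" \
    -o table
}

# Only touch Azure when explicitly asked: ./cmk.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_cmk
fi
```

Run it as `./cmk.sh apply` after `az login`; the final `az storage account show` is the check that the account is actually using the vault key rather than a Microsoft-managed one.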