You are managing storage accounts for your organization. You need to ensure that all data at rest is encrypted. Which encryption option is enabled by default in Azure Storage?
- Transparent Data Encryption (TDE)
- Application-level encryption
- Storage Service Encryption (SSE) ✓
- Bring Your Own Key (BYOK)
Correct answer: Storage Service Encryption (SSE)
Option C is correct because Azure Storage Service Encryption (SSE), also called Azure Storage encryption, is automatically enabled for all Azure Storage accounts and encrypts all data at rest using 256-bit AES encryption without any configuration required. Option A is wrong because Transparent Data Encryption (TDE) is a feature of Azure SQL Database and Azure Synapse, not a general Azure Storage encryption mechanism. Option B is wrong because application-level encryption is a custom, client-side approach that developers implement themselves and is not a built-in default feature of Azure Storage. Option D is wrong because Bring Your Own Key (BYOK) is an optional enhancement to SSE that allows customers to supply their own encryption keys via Azure Key Vault, but it must be explicitly configured and is not the default.
Topic: azure storage, encryption at rest, storage service encryption, az-104