You need to ensure that sensitive data stored in Azure Blob Storage is encrypted at rest and in transit, with encryption keys managed by your organization. What solution meets these requirements?

  1. Enable Azure Storage Service Encryption with customer-managed keys in Key Vault ✓
  2. Enable storage service encryption with Azure-managed keys
  3. Use transparent data encryption (TDE) on Azure SQL Database
  4. Implement client-side encryption and use Azure Key Vault for key management

Correct answer: Enable Azure Storage Service Encryption with customer-managed keys in Key Vault

Option A is correct because Azure Storage Service Encryption (SSE) with customer-managed keys (CMK) stored in Azure Key Vault satisfies both requirements: data is encrypted at rest by default, data in transit is protected via HTTPS/TLS, and the organization retains full ownership and control of the encryption keys. Option B is incorrect because using Azure-managed keys means Microsoft controls the key lifecycle, not the organization, so the key-management requirement is not met. Option C is incorrect because Transparent Data Encryption (TDE) applies to Azure SQL Database, not Blob Storage. Option D is partially valid but unnecessary for Blob Storage since SSE with CMK already covers both at-rest and in-transit encryption without requiring a separate client-side encryption layer, making it more complex and redundant.

Topic: · azure storage encryption, customer-managed keys, key vault, data protection

Practice Microsoft Azure Solutions Architect (AZ-305) Questions Free