
AZ-204 Exam - Question 212


You are developing a Java application to be deployed in Azure. The application stores sensitive data in Azure Cosmos DB.

You need to configure Always Encrypted to encrypt the sensitive data inside the application.

What should you do first?

Correct Answer: B

In order to configure Always Encrypted for a Java application in Azure that stores sensitive data in Azure Cosmos DB, the first step is to create a customer-managed key (CMK) and store it in Azure Key Vault. This key will be used to secure the data encryption keys (DEKs) which will subsequently be used to encrypt and decrypt the sensitive data within the application. Azure Key Vault provides the necessary management and security for the CMK, ensuring that the sensitive data remains protected.
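The key hierarchy described above, as an added example that is not from the original page or the Azure SDK: it shows that the CMK only wraps the DEK, while the DEK encrypts the property value. Assumptions: a local RSA key pair stands in for the Key Vault CMK, AES-GCM stands in for the SDK's data encryption algorithm, and the class name and sample value are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

public class EnvelopeDemo {
    static final String WRAP_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // The CMK never touches application data; it only wraps and unwraps the DEK.
    static byte[] wrapDek(KeyPair cmk, SecretKey dek) throws Exception {
        Cipher c = Cipher.getInstance(WRAP_ALG);
        c.init(Cipher.WRAP_MODE, cmk.getPublic());
        return c.wrap(dek);
    }
    static SecretKey unwrapDek(KeyPair cmk, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance(WRAP_ALG);
        c.init(Cipher.UNWRAP_MODE, cmk.getPrivate());
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // The DEK encrypts one property value client-side; output is IV || ciphertext+tag.
    static byte[] encrypt(SecretKey dek, String value) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dek); // provider generates a fresh random 12-byte IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static String decrypt(SecretKey dek, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        // The CMK must exist before any DEK can be wrapped (assumption: local stand-in).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair cmk = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] wrappedDek = wrapDek(cmk, kg.generateKey()); // only the wrapped form is persisted
        SecretKey dek = unwrapDek(cmk, wrappedDek);
        byte[] stored = encrypt(dek, "sample-ssn-000-00-0000 (constructed)");
        System.out.println(stored.length + " bytes stored; round trip: " + decrypt(dek, stored));
    }
}
```

Losing access to the CMK makes every DEK it wrapped, and therefore the encrypted properties, unrecoverable.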

Discussion

alexein74 Option: B
Jan 25, 2023

B. Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance. In order to configure Always Encrypted for the Java application, you need to first create a customer-managed key (CMK) using Azure Key Vault. This key will be used to encrypt and decrypt the sensitive data stored in Cosmos DB. After creating the key, you should store it in a new Azure Key Vault instance, which will be used to manage and secure the key. Once you have the key stored in Key Vault, you can use the Azure Cosmos DB SDK to encrypt the sensitive data and store it in Cosmos DB. It's important to note that Always Encrypted in Azure Cosmos DB is a client-side encryption feature that encrypts and decrypts sensitive data inside the application and not in the Azure Cosmos DB service.

warchoon
Mar 3, 2023

Don't post ChatGPT answers here. They are not always correct, even if they look logical.

warchoon
Mar 3, 2023

CMK does not encrypt the data. It wraps the DEK. But CMK is produced first. So the answer is correct, but the explanation is usual ChatGPT shit.

Samueleghagha Option: B
Jan 12, 2023

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet

warchoon
Mar 3, 2023

=> https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet#setup-azure-key-vault

JH81 Option: B
Jun 29, 2023

Got this on 6/28/2023 and passed with 850. Answer is correct.

dom271219 Option: A
Oct 1, 2023

A of course. Why do you talk about Azure Key Vault? The statement of the question does not address that.

1CY1
Jul 12, 2024

Answer B requires that a new Key Vault has been created.

Tom111 Option: A
Mar 6, 2023

As the question asks what to do first I would select answer A. "This policy must be provided when the container is created and it is immutable. In the current release, you can't update the encryption policy." => https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet#encryption-policy

CarlosTheBoldest
Nov 18, 2023

From your link: "Similar to an indexing policy, an encryption policy is a container-level specification describing how JSON properties should be encrypted. This policy must be provided when the container is created and it is immutable. In the current release, you can't update the encryption policy." No one cares about JSON properties but for the sensitive data stored on Cosmos DB, so A is nonsense.

Weam Option: B
Nov 19, 2023

Steps for Always Encrypted based on this link: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotn

1) Create customer managed key stored in Azure Key Vault
2) Create a data encryption key from the SDK and wrap it with the Key Vault customer managed key
3) Create a container with encryption policy
4) Read and write encryption data