
AI-100 Exam - Question 19


DRAG DROP -

You are designing an AI solution that will analyze media data. The data will be stored in Azure Blob storage.

You need to ensure that the storage account is encrypted by using a key generated by the hardware security module (HSM) of your company.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Exam AI-100 Question 19
Correct Answer:
Exam AI-100 Question 19

References:

https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys

Discussion

10 comments
exam_taker5
Aug 8, 2019

I believe the answer is: 1: generate an encryption key 2: upload a key to key vault 3: enable customer encryption keys

CodeAnant
Aug 31, 2019

Can you please describe why you think that...

Bharat
Sep 1, 2019

It is a user generated key. You don't want it to be lost, hence store it in the Key Vault. Also, the service using encryption will try to find it in the Key Vault by default since that is the recommended best practice.

kozakpawel
Feb 1, 2021

I don't agree because the key will be generated and stored in the HSM.

valar_morghulis
Dec 26, 2020

Answer is: 1: generate an encryption key 2: upload a key to key vault 3: enable customer encryption keys

Cornholioz
Feb 9, 2021

Why does it say upload "A" key to key vault and not "The" key (that was encrypted)? Typo? I think not! The links shared in the comments here provide descriptions of how things get done but is it precisely addressing the given scenario?

vendelino
Oct 14, 2020

https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault-hsm contains the same answer as mentioned in the question - HSM is the clue here

fred777
Jun 25, 2020

Agreed with exam_taker5. Proof is there: https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal

sayak17
Oct 8, 2020

Yes, this proves exam_taker5's answer

DaveHuynh
Feb 16, 2021

agree with you

[Removed]
Mar 16, 2021

If you go to the Azure Portal, select your storage account, and then select the Encryption option from Settings, this is how you will get the options in sequence:

1. Encryption Type: Microsoft-managed keys or Customer-managed keys. Once you select "Customer-managed keys" you will get an additional option called 'Key Selection'.
2. Key Selection has two options for "Encryption Key":
   1. Select from 'key vault' (where you need to identify your key vault & encryption key; it will allow you to create a new 'key vault' & 'Encryption Key' or upload an existing key).
   2. Enter key URI (if you already have the URI for the key vault & keys).

Summary: 1. Enable Customer Encryption Keys 2. Generate Encryption Key 3. Upload key to Azure vault.

Bharat
Aug 27, 2019

Agreed again

sayak17
Sep 10, 2020

Link provided in solution should be updated to do this: https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys as the previous link doesn't work anymore

SamSmith
Apr 16, 2020

Agree with Bharat, the key needs to be uploaded to the key vault as it's user generated

Derin_tade
Jul 14, 2021

From this link here https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal I think we create the vault, which is the storage endpoint, upload the keys (same as add keys), and then enable encryption, or "Configure encryption with customer-managed keys".

YipingRuan
Jul 28, 2021

First, query for the key vault URI by calling az keyvault show, and for the key version by calling az keyvault key list-versions. Then call az storage account update to update the storage account's encryption settings to use the new version of the key, as shown in the previous example. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault-hsm
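
Added example, not part of the thread or of the Microsoft documentation it links: a check that a storage account really ended up on a customer-managed, HSM-protected key after the steps discussed above. It assumes the JSON shapes printed by `az storage account show` and `az keyvault key show`; the account, vault, key names and versions are constructed sample values.

```python
import json

# Constructed samples, trimmed to the fields checked below. Shapes follow the JSON
# printed by `az storage account show` and `az keyvault key show`; names are made up.
ACCOUNT = json.loads("""{
  "name": "mediastore01",
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyName": "media-cmk",
      "keyVaultUri": "https://contoso-kv.vault.azure.net",
      "keyVersion": "1111aaaa"
    }
  }
}""")
KEY = json.loads("""{
  "attributes": {"enabled": true},
  "key": {"kid": "https://contoso-kv.vault.azure.net/keys/media-cmk/2222bbbb",
          "kty": "RSA"}
}""")


def audit_cmk(account, key):
    """Return a list of findings; an empty list means every check passed."""
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        return ["account uses Microsoft-managed keys, not a customer-managed key"]
    kvp = enc.get("keyVaultProperties") or {}
    vault = (kvp.get("keyVaultUri") or "").rstrip("/")
    prefix = f"{vault}/keys/{kvp.get('keyName')}/"
    kid = key.get("key", {}).get("kid", "")
    if not kid.startswith(prefix):
        return [f"key {kid!r} is not the key the account references ({prefix})"]
    findings = []
    kty = key["key"].get("kty", "")
    if not kty.endswith("-HSM"):  # RSA-HSM / EC-HSM mark HSM-protected keys
        findings.append(f"key type {kty} is software-protected, not HSM-protected")
    if not key.get("attributes", {}).get("enabled", False):
        findings.append("key is disabled in the vault")
    pinned, shown = kvp.get("keyVersion"), kid[len(prefix):]
    if pinned and pinned != shown:
        findings.append(f"account is pinned to version {pinned}, vault key is {shown}")
    return findings


if __name__ == "__main__":
    for finding in audit_cmk(ACCOUNT, KEY):
        print("FINDING:", finding)
```

A `-HSM` key type shows the key is HSM-protected in the vault; it does not show whether the key was generated in the company's own HSM and imported, which has to be confirmed from the import procedure itself.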