Discover the key requirements and implications of using full double encryption in Azure AI Search. Learn how it affects index size, query performance, and security best practices.
Question
The Xerigon Corporation has an application that uses Azure AI Search. They want to use server-side full double encryption.
Which of the following requirements and implications when using full encryption are true? (Choose all that apply.)
A. Xerigon must use Microsoft-managed keys and Azure Key Vault.
B. The Azure key vault must be in the same region that stores the data for the Azure AI Search.
C. Full double encryption decreases index size.
D. Query performance will increase.
E. Full double encryption increases index size.
F. Xerigon must use customer-managed keys and Azure Key Vault.
G. Query performance will decrease.
H. The Azure key vault can be in a different subscription than the Azure AI Search.
I. Full double encryption is only available on Standard and Storage Optimized tiers.
Answer
E. Full double encryption increases index size.
F. Xerigon must use customer-managed keys and Azure Key Vault.
G. Query performance will decrease.
Explanation
The following are requirements and implications when using full encryption:
- Xerigon must use customer-managed keys and Azure Key Vault.
- Full double encryption increases index size.
- Query performance will decrease.
Server-side full encryption requires the tenant to use customer-managed keys (CMKs), not Microsoft-managed keys, and to store those keys in Azure Key Vault. Server-side full encryption is referred to as full double encryption or CMK encryption because the content is encrypted first with your CMK and then with the Microsoft-managed key. This increases, rather than decreases, the size of the index, and it degrades query performance by increasing query runtimes by 30-60%. Microsoft does not recommend using CMK encryption on indexes that are frequently used.
Full double encryption is also available on the Basic tier and any billable storage tier, such as Basic, Standard, and Storage Optimized. It is not available on the Free tier.
The Azure key vault no longer has to be in the same region as the data for the Azure AI Search. Therefore, the CMK or full double encryption can happen in any region. However, the Azure AI Search service and Azure Key Vault must be in the same subscription.
Microsoft Azure AI Engineer Associate AI-102 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free, to help you pass the Microsoft Azure AI Engineer Associate AI-102 exam and earn the Microsoft Azure AI Engineer Associate AI-102 certification.