
AZ-500: Why Can’t You Use Transparent Data Encryption for Individual Column Encryption?

What Is the Difference Between TDE and Always Encrypted for Azure Database Security?

For your AZ-500 exam, understand that Transparent Data Encryption (TDE) encrypts the entire database at rest and cannot be used for individual column encryption. Learn the critical difference between TDE for encryption-at-rest and Always Encrypted for selective, column-level protection.

Question

You can configure Transparent Data Encryption for individual database columns containing your sensitive data.

A. FALSE
B. TRUE

Answer

A. FALSE

Explanation

The statement is A. FALSE. Transparent Data Encryption (TDE) is designed to encrypt entire database files at rest and offers no setting that limits encryption to individual tables or columns: it is switched on or off for a whole database.

TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key (DEK). The DEK is itself protected by the TDE protector, which on Azure SQL is a service-managed certificate by default or, with customer-managed keys (BYOK), an asymmetric key that you hold in Azure Key Vault.

Understanding Transparent Data Encryption (TDE)

TDE is a security feature that performs real-time I/O encryption and decryption of the database data files, transaction log files, and backups. It is a foundational encryption-at-rest solution, and on Azure SQL Database it is enabled by default for newly created databases.

  • Scope of Encryption: TDE operates at the physical file level. When data is written from memory to the disk, the entire page is encrypted. When data is read from disk into memory, it is decrypted.
  • Transparency: The “transparent” aspect means that the encryption is completely invisible to the application, developers, and users querying the database. No application code changes are required to enable or use TDE. The database engine handles all encryption and decryption automatically.

Why TDE Is Not for Column-Level Encryption

Because TDE operates at the file level, it has no concept of database objects like tables or columns. It encrypts all data indiscriminately as it is written to storage. Its purpose is to protect the data files and backups from being read or restored to another server by an unauthorized party who gains access to the physical media or backup files. Since the database engine works with decrypted data in memory, TDE does not protect data from anyone the engine allows to run queries: privileged database users like administrators (DBAs), and equally an attacker who reaches the data through the application, for example via SQL injection, receive plaintext results.
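The following T-SQL is an added example, not code from the original page, showing what the TDE switch looks like on an Azure SQL Database and how to verify it. The database name SalesDb and the table dbo.Customers are assumptions chosen for illustration.

```sql
-- Added example (not from the original page): enable and verify TDE on an
-- Azure SQL Database. Assumptions: a database SalesDb and a table
-- dbo.Customers exist; the login has VIEW DATABASE STATE.

-- TDE is on by default for new Azure SQL databases; this is the whole-database
-- switch. Note the syntax: only a database name, no table or column argument,
-- which is exactly why per-column TDE is not possible.
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;

-- Inspect the database encryption key (DEK) and its state.
-- encryption_state: 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted, 5 = decryption in progress.
-- encryptor_type shows what protects the DEK (the TDE protector).
SELECT
    DB_NAME(database_id) AS database_name,
    encryption_state,
    percent_complete,
    key_algorithm,
    key_length,
    encryptor_type
FROM sys.dm_database_encryption_keys;

-- Transparency in practice: any login with SELECT permission gets plaintext,
-- because pages are decrypted on read before the engine evaluates the query.
-- TDE protects the .mdf/.ldf/backup bytes on disk, not the result set.
SELECT TOP (5) CustomerId, SocialSecurityNumber
FROM dbo.Customers;
```

Run the SELECT on sys.dm_database_encryption_keys after enabling TDE and wait for encryption_state to reach 3 before treating the database as encrypted; a freshly enabled database reports 2 while pages are being rewritten.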

The Correct Tool for Column-Level Encryption

The feature designed specifically for encrypting individual columns containing sensitive data is Always Encrypted.

  • Client-Side Encryption: Unlike TDE, Always Encrypted is a client-side technology. The data is encrypted and decrypted by the client driver (for example, Microsoft.Data.SqlClient) before it is sent to the database, using a column encryption key that is itself protected by a column master key stored outside the database, such as in Azure Key Vault or a Windows certificate store.
  • Granularity: It is explicitly configured on a per-column basis, allowing you to target only the columns that contain sensitive information (e.g., SocialSecurityNumber, CreditCardNumber). Each encrypted column is either deterministic, which permits equality lookups and joins on the ciphertext, or randomized, which is stronger but supports no server-side predicates at all.
  • Protection In Use: Because the database server never sees the plaintext data, Always Encrypted protects data even from high-privilege users like DBAs and cloud administrators; they see only ciphertext unless they also hold the column master key. The exception is Always Encrypted with secure enclaves, where a server-side enclave processes plaintext to allow richer queries, so the trust boundary moves to the attested enclave rather than to the whole server.
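The T-SQL below is an added example, not code from the original page, showing the per-column syntax that Always Encrypted provides and TDE lacks. The key vault URL, the key names CMK_AKV and CEK_Customers, and the table are assumptions; the column encryption key is assumed to have been provisioned with SSMS or the SqlServer PowerShell module, because its encrypted value must be produced client-side with the column master key.

```sql
-- Added example (not from the original page): Always Encrypted per column.
-- Assumptions: CMK_AKV points at a hypothetical Key Vault key, and the
-- column encryption key CEK_Customers already exists (created by a client
-- tool that holds the CMK; its ENCRYPTED_VALUE cannot be typed by hand).

-- Metadata only: the server records where the CMK lives, never the key.
CREATE COLUMN MASTER KEY CMK_AKV
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    -- hypothetical key identifier; use the real versioned key URL
    KEY_PATH = 'https://contoso-kv.vault.azure.net/keys/AlwaysEncryptedCMK/<key-version>'
);

-- Column-level granularity: only the sensitive columns carry ENCRYPTED WITH.
-- DETERMINISTIC permits equality predicates and requires a BIN2 collation
-- for character columns; RANDOMIZED needs no special collation but supports
-- no server-side predicates.
CREATE TABLE dbo.Customers (
    CustomerId           INT IDENTITY(1,1) PRIMARY KEY,
    FullName             NVARCHAR(100) NOT NULL,            -- plaintext on server
    SocialSecurityNumber CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    CreditCardNumber     CHAR(19)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);

-- Audit which columns are protected, and how, straight from the catalog.
SELECT
    OBJECT_NAME(c.object_id)    AS table_name,
    c.name                      AS column_name,
    c.encryption_type_desc,
    c.encryption_algorithm_name,
    k.name                      AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.encryption_type IS NOT NULL;

-- A DBA, or any session without the CMK and without
-- Column Encryption Setting=Enabled, gets varbinary ciphertext here:
SELECT CustomerId, SocialSecurityNumber FROM dbo.Customers;

-- What the server can still evaluate (without secure enclaves):
--   WHERE SocialSecurityNumber = @ssn   -- works: deterministic, parameterized
--   WHERE SocialSecurityNumber = '123-45-6789'  -- fails: literal is not encrypted
--   WHERE CreditCardNumber LIKE '4%'    -- fails: randomized, and no LIKE/range
```

Contrast this with the TDE switch, which takes only a database name: the catalog query above is how you prove to an auditor which columns are under Always Encrypted, whereas TDE state is visible only at the database level in sys.dm_database_encryption_keys.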
