Microsoft AZ-500: Which Azure Storage Services Support Encryption with Azure Key Vault Keys?

Learn which Azure storage services, including Azure Blob storage, Azure Files, Azure Table storage, and Azure Queue storage, can be encrypted using keys stored in Azure Key Vault. Prepare for the Microsoft AZ-500 certification exam with this detailed explanation.

Question

You have an Azure subscription that contains an Azure key vault.

You create a storage account named storage1.

You plan to store data in the following storage1 services:

  • Azure Files
  • Azure Blob storage
  • Azure Table storage
  • Azure Queue storage

For which two services can you configure data encryption by using the keys stored in the key vault? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Blob storage
B. Table storage
C. Queue storage
D. Azure Files

Answer

The two Azure storage services that support data encryption using keys stored in Azure Key Vault are:

A. Azure Blob storage
D. Azure Files

Explanation

Azure Key Vault is a cloud service that provides secure storage and management of cryptographic keys, secrets, and certificates. It can be used to encrypt data stored in certain Azure storage services.

Azure Blob storage and Azure Files support server-side encryption using customer-managed keys stored in Azure Key Vault. This allows you to maintain control over the encryption keys and provides an additional layer of security for your data.

To enable this feature, you need to create a Key Vault, generate or import an encryption key, and then configure your storage account to use the key for encryption. When data is written to Blob storage or Azure Files, it is automatically encrypted using the specified key from the Key Vault.

Azure Table storage and Azure Queue storage do not currently support encryption using customer-managed keys from Azure Key Vault. However, data stored in these services is still protected by Azure Storage Service Encryption (SSE) using Microsoft-managed keys.
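To check which key actually protects each service once the storage account has been configured, the following added example (not part of the original explanation, and not Microsoft's code) reads the `encryption` object reported by `az storage account show` and classifies each service. The sample JSON is constructed, the key and vault names are placeholders, and the function name `key_per_service` is hypothetical.

```python
import json

# Constructed sample shaped like the "encryption" object in the output of
# `az storage account show` for storage1; key and vault names are placeholders.
SAMPLE_CMK = json.loads("""
{
  "keySource": "Microsoft.Keyvault",
  "keyVaultProperties": {
    "keyName": "example-key",
    "keyVaultUri": "https://example-vault.vault.azure.net",
    "keyVersion": null
  },
  "services": {
    "blob":  {"enabled": true, "keyType": "Account"},
    "file":  {"enabled": true, "keyType": "Account"},
    "queue": {"enabled": true, "keyType": "Service"},
    "table": null
  }
}
""")

SERVICES = ("blob", "file", "table", "queue")


def key_per_service(encryption):
    """Map each storage service to 'customer-managed' or 'microsoft-managed'."""
    uses_vault = (encryption.get("keySource") or "").lower() == "microsoft.keyvault"
    kv = encryption.get("keyVaultProperties") or {}
    if uses_vault and not (kv.get("keyName") and kv.get("keyVaultUri")):
        raise ValueError("keySource is Microsoft.Keyvault but no key is referenced")
    services = encryption.get("services") or {}
    result = {}
    for name in SERVICES:
        entry = services.get(name) or {}
        # keyType "Account": encrypted with the account encryption key, which is
        # the Key Vault key when keySource is Microsoft.Keyvault.
        # keyType "Service" or no entry: service-scoped Microsoft-managed key.
        account_scoped = (entry.get("keyType") or "Service").lower() == "account"
        managed_by_customer = uses_vault and account_scoped
        result[name] = "customer-managed" if managed_by_customer else "microsoft-managed"
    return result


if __name__ == "__main__":
    for service, key in key_per_service(SAMPLE_CMK).items():
        print(f"{service:6} {key}")
```

For a real account, pipe the output of `az storage account show --name storage1 --resource-group <resource-group> --query encryption` into `json.load` and pass the result to the function.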

In summary, the correct answers are A (Azure Blob storage) and D (Azure Files), as these are the two storage services that can be configured to use keys stored in Azure Key Vault for data encryption.
