
Exam AZ-104 topic 3 question 78 discussion

Actual exam question from Microsoft's AZ-104
Question #: 78
Topic #: 3

You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.

On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).

You need to prepare Vault1 for Azure Disk Encryption.

Which two actions should you perform on Vault1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A. Select Azure Virtual machines for deployment.
  • B. Create a new key.
  • C. Create a new secret.
  • D. Configure a key rotation policy.
  • E. Select Azure Disk Encryption for volume encryption.
Suggested Answer: BE 🗳️

Comments

iamchoy
Highly Voted 1 year, 5 months ago
Selected Answer: BE
To prepare Vault1 for Azure Disk Encryption with a key encryption key (KEK): 1. **You need to have a key in the Key Vault.** This will be the KEK. Azure Disk Encryption uses BitLocker for Windows VMs, which requires a key for encrypting the data disk. If you're using a KEK, the BEK (BitLocker Encryption Key) will be wrapped by this KEK. So, you should: B. Create a new key. 2. **The key vault itself should be configured for Azure Disk Encryption.** This ensures the vault is set up to work with Azure VMs and their disks. Therefore: E. Select Azure Disk Encryption for volume encryption. So, the correct actions are B and E.
upvoted 24 times
...
rikininetysix
Highly Voted 1 year, 5 months ago
Selected Answer: BD
To prepare Azure Key Vault (Vault1) for Azure Disk Encryption using a key encryption key (KEK) on VM1, you should perform the following actions: B. Create a new key: You need to create a key in the key vault to be used as the KEK for Azure Disk Encryption. D. Configure a key rotation policy: Azure Disk Encryption typically requires key rotation. Configuring a key rotation policy is a best practice for managing encryption keys securely. The correct options are B and D. Option E, "Select Azure Disk Encryption for volume encryption," is not the correct choice in this scenario because this action should be performed on the virtual machine (VM1) and not on the Azure Key Vault (Vault1).
upvoted 7 times
...
cris_exam
Most Recent 3 weeks, 2 days ago
Selected Answer: BE
Tested in a Lab. Both B and E are done from the Key Vault resource. Object -> Keys -> Add Key Settings -> Access Configuration -> Check the Azure Disk Encryption for volume encryption
upvoted 2 times
...
Bravo_Dravel
1 month ago
Selected Answer: BE
B. Create a new key. Azure Disk Encryption with KEK requires a cryptographic key in the Azure Key Vault. You must create or import a key into the key vault for this purpose. E. Select Azure Disk Encryption for volume encryption. You need to enable the Azure Disk Encryption option in the key vault to allow it to be used for disk encryption.
upvoted 2 times
...
mariodarken
1 month, 3 weeks ago
Selected Answer: BD
See rikininetysix answer
upvoted 1 times
...
RVivek
3 months, 2 weeks ago
Selected Answer: BE
B. Should create key. E. Should enable the key vault to work on disk encryption. Refer to the screenshot from my lab: https://imgur.com/a/btYHf2q
upvoted 1 times
...
[Removed]
5 months, 1 week ago
To prepare Vault1 for Azure Disk Encryption using a Key Encryption Key (KEK), the following actions are required: B. Create a new key: Azure Disk Encryption with KEK requires a key in the Key Vault to encrypt the disk encryption key (DEK). Therefore, you need to create a key in the key vault. E. Select Azure Disk Encryption for volume encryption: You need to select Azure Disk Encryption as it will integrate the key vault with the disk encryption process. The correct answers are B and E.
upvoted 1 times
...
[Removed]
6 months ago
Selected Answer: BE
B & E are correct
upvoted 1 times
...
ajay01avhad
7 months, 1 week ago
Correct Answers: B. Create a new key. E. Select Azure Disk Encryption for volume encryption.
upvoted 1 times
...
Amir1909
1 year ago
B and E are correct
upvoted 1 times
...
bacana
1 year, 1 month ago
Azure Disk Encryption and auto-rotation Although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated. Rotating an encryption key won't break Azure Disk Encryption, but disabling the "old" encryption key (in other words, the key Azure Disk Encryption is still using) will.
upvoted 1 times
...
clg003
1 year, 4 months ago
Selected Answer: AE
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal Vault is already created you now need to configure it for Azure Disk Encryption. The steps to do this are in the doc. Azure portal Select your key vault and go to Access Policies. (E) Under "Enable Access to", select the box labeled Azure Disk Encryption for volume encryption. (A) Select Azure Virtual Machines for deployment and/or Azure Resource Manager for template deployment, if needed. Click Save.
upvoted 4 times
...
aldebaran65
1 year, 5 months ago
Selected Answer: BE
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal Steps: 1. Creating a resource group, if needed. 2. Creating a key vault. (B) 3. Setting key vault advanced access policies. (E) Set key vault advanced access policies The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes. If you didn't enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies. 1. Select your key vault and go to Access Policies. 2. Under "Enable Access to", select the box labeled Azure Disk Encryption for volume encryption. ((E)) 3. Select Azure Virtual Machines for deployment and/or Azure Resource Manager for template deployment, if needed. 4. Click Save.
upvoted 4 times
...
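Added example (not part of any comment in this thread, and not Microsoft's own script): the two vault-side steps discussed above, done with Az PowerShell instead of the portal, followed by a check of the result. The resource group placeholder and the key name `ade-kek` are assumptions; only `Vault1` comes from the question.

```powershell
# Assumed values: the question names only Vault1.
$rgName  = '<resource-group>'   # placeholder
$kvName  = 'Vault1'
$kekName = 'ade-kek'            # hypothetical KEK name

$vault = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rgName
if (-not $vault) { throw "Key vault '$kvName' not found in '$rgName'." }

# Option E: allow the Azure platform to read keys/secrets for volume encryption.
# Without this flag the VM cannot retrieve its wrapped disk key at boot.
if (-not $vault.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rgName `
        -EnabledForDiskEncryption
}

# Option B: create the key that will wrap the disk encryption secret (the KEK).
# Reuse an existing key of that name rather than creating a new version.
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name $kekName
if (-not $kek) {
    $kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'Software'
}

# Verify both preconditions before enabling encryption on the VM.
$vault = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rgName
$state = [pscustomobject]@{
    Vault                    = $vault.VaultName
    EnabledForDiskEncryption = $vault.EnabledForDiskEncryption
    KekId                    = $kek.Id
    KekEnabled               = $kek.Enabled
}
$state | Format-List

if (-not ($state.EnabledForDiskEncryption -and $state.KekEnabled)) {
    throw 'Vault1 is not ready for Azure Disk Encryption with a KEK.'
}

# Per the documentation quoted in this thread, Azure Disk Encryption keeps using
# the original key version after auto-rotation, so that version must stay enabled.
```

`$vault.ResourceId`, `$vault.VaultUri` and `$kek.Id` are the values later passed to the VM-side encryption step, which is outside what the question asks about Vault1.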
Esteban08
1 year, 5 months ago
1. Create the key 2. Enable "Azure Disk Encryption for volume encryption" to give access to the boot process. Configure key rotation does not have effect. "Although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated. Rotating an encryption key won't break Azure Disk Encryption, but disabling the "old" encryption key (in other words, the key Azure Disk Encryption is still using) will."
upvoted 3 times
...
ducklaorange
1 year, 6 months ago
A little bit vague, but B and D seem correct, depending on how you look at it. Relevant links: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-windows
upvoted 6 times
SivaPannier
1 year, 5 months ago
To me B & E seem to be correct. The link says option A is optional. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal
upvoted 2 times
ducklaorange
1 year, 5 months ago
Of course, a lot of things are optional, but read the question. It's about preparing Vault 1, so if you already have created a key what else is there except to configure a rotation policy.
upvoted 2 times
...
...
...
Exilic
1 year, 6 months ago
ChatGPT "To prepare Azure Key Vault (Vault1) for Azure Disk Encryption using a key encryption key (KEK) on VM1, you need to perform the following actions: B. Create a new key: You should create a new key in Vault1. This key will serve as the KEK for encrypting the VM's disks. D. Configure a key rotation policy: It's a best practice to configure key rotation for your KEK to enhance security. This helps ensure that your encryption keys are periodically rotated, reducing the risk associated with long-lived keys. The other options (A, C, and E) are not directly related to preparing Vault1 for Azure Disk Encryption using a KEK, so they are not necessary for this specific scenario."
upvoted 4 times
zixys
1 year, 6 months ago
Although Azure Key Vault now has key auto-rotation, it isn't currently compatible with Azure Disk Encryption. Specifically, Azure Disk Encryption will continue to use the original encryption key, even after it has been auto-rotated. https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/disk-encryption-key-vault?tabs=azure-portal#azure-disk-encryption-and-auto-rotation
upvoted 3 times
...
...