Exam AZ-104 topic 3 question 79 discussion

"You can protect your managed disks by using Azure Disk Encryption for Linux VMs, which uses DM-Crypt, or Azure Disk Encryption for Windows VMs, which uses Windows BitLocker, to protect both operating system disks and data disks with full volume encryption. Encryption keys and secrets are safeguarded in your Azure Key Vault subscription. By using the Azure Backup service, you can back up and restore encrypted virtual machines (VMs) that use Key Encryption Key (KEK) configuration." https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview

Store and use the encryption key in KV1: ADE integrates with Azure Key Vault to store and manage encryption keys (customer-managed keys). Maintain encryption if VM1 is downloaded from Azure: ADE uses BitLocker for Windows and DM-Crypt for Linux, ensuring encryption persists even if the VM disks are exported or downloaded. Encrypt both the operating system disk and the data disks: ADE supports encrypting both OS and data disks.

Answer C

C is corerct

https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-portal-quickstart CMK in this article.

not found CMK in Azure VM.

C is correct

When Azure Disk Encryption uses Platform Managed Key, if a VM is downloaded in this case, will the VMs be readable? I mean when the key is platform managed. I understand when customer managed key is used, downloaded VM from Azure is not readable, because the key is in the Vault. But not sure of the platform managed key, is it in Azure or within the VM?

You should use C. Azure Disk Encryption. Azure Disk Encryption (ADE) encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, with the option to encrypt with a key encryption key (KEK). This means it can store and use the encryption key in KV1, as per your requirement. Moreover, Azure Disk Encryption maintains encryption if the VM is downloaded from Azure. This is because the encryption keys are stored in Azure Key Vault and not on the local machine. Therefore, even if the VM is downloaded, the data remains encrypted. Finally, Azure Disk Encryption can encrypt both the operating system disk and the data disks, which is another one of your requirements. So, Azure Disk Encryption meets all your specified requirements. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview. https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview.

Given the requirements, the best fit would be: C. Azure Disk Encryption This solution encrypts both the OS and data disks, allows for the keys to be stored in Azure Key Vault, and maintains encryption if the VM is downloaded from Azure.

C seems to be correct: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview

Has anyone done the test to confirm this new question?

ChatGPT: Let's evaluate each of the provided options in the context of the given requirements: A. Customer-managed keys: Customer-managed keys are used for Azure Disk Encryption, which is a suitable choice for this scenario. This option allows you to store and manage the encryption keys in Azure Key Vault, which aligns with the requirement to use the encryption key from KV1. B. Confidential disk encryption: Confidential disk encryption is not a standard Azure feature or encryption method. It doesn't directly apply to encrypting Azure virtual machines and their disks. Therefore, this option is not appropriate for the scenario. C. Azure Disk Encryption: Azure Disk Encryption is the correct encryption method in this scenario. It enables you to encrypt both the operating system disk and data disks of a virtual machine using either Microsoft-managed or customer-managed keys from Azure Key Vault. D. Encryption at host: Encryption at host refers to Azure Confidential Computing, a different feature focused on securing data in use, not data at rest as required in this scenario. This option is not suitable for encrypting virtual machines and their disks as specified.