Exam SC-100 topic 4 question 42 discussion

You can specify a customer-managed key to use for encrypting and decrypting data in Blob Storage and in Azure Files. A client making read write request against Blob Storage (or File) can include an encryption key on the request for granular control over blob encryption. https://docs.azure.cn/en-us/storage/common/storage-service-encryption#about-encryption-key-management

For Azure Data Lake Storage, encryption can be applied at multiple levels, but the container level is the most granular supported for customer-managed keys (CMK).

https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption It says you can scope it to container or individual blob. However a blob can contain files but it depends on if blob = file. If yes, then A, if no then B. Blobs generally contain files for various purposes but does this make it a file in this context. If A was blob, that is fair. This version is not fair and misleading.

A. file level. By applying service-side encryption with customer-managed keys (CMKs) at the file level, you can ensure that each file can have its own unique encryption key, providing the highest level of granularity and security for your data

B looks good, as per https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption

container is the correct option since encryption keys are managed at this level and can be applied to all files within the container.

Proporciona el nivel más granular de control sobre el cifrado de datos