Exam AZ-500 topic 1 question 43 discussion

1. column master key 2. column encryption key https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-key-management-for-always-encrypted Always Encrypted uses two types of cryptographic keys to protect your data - one key to encrypt your data, and another key to encrypt the key that encrypts your data. The column encryption key encrypts your data, the column master key encrypts the column encryption key.

Column Encryption Key Column Master Key.

Answer: 1. Column encryption key 2. Column master key Reason: 1. Column Master Key (CMK): This is the root key used to protect the column encryption keys. It's typically stored in a secure location like Azure Key Vault. Developers need access to this key to be able to decrypt the column encryption keys. 2. Column Encryption Key (CEK): This key is used to encrypt the actual data in the database columns. It's protected by the column master key. Reference: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-key-management-for-always-encrypted https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-key-management-for-always-encrypted?view=sql-server-ver16

1. column master key 2. column encryption key https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-key-management-for-always-encrypted Always Encrypted uses two types of cryptographic keys to protect your data - one key to encrypt your data, and another key to encrypt the key that encrypts your data. The column encryption key encrypts your data, the column master key encrypts the column encryption key.

In exam 1/28/24

I do not think that a policy is required as it only needs 'specific permissions'. Please see the following. To access an encrypted column, your application needs to be able to access Azure Key Vault and it also needs specific permissions on the column master key to decrypt the column encryption key protecting the column. To manage keys for Always Encrypted, you need permissions to list and create column master keys in Azure Key Vault, and to perform cryptographic operations using the keys. https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver16

The question is which information has to be made available to the application developer. As the column master key is stored in KeyVault, shouldn't the right answer then be 'A key vault access policy' instead of 'column master key', because other than the encryption key the master key will not be handed over directly to the app developer, but the latter has to fetch it from key vault, which will work only with an appropriate key vault access policy.

1. column master key 2. column encryption key

A. The column encryption key: This key is used to encrypt and decrypt the sensitive columns in the database. Application developers will need access to this key to perform encryption and decryption operations. F. The column master key: This key is used to protect the column encryption keys. It is stored in a trusted key store, such as Azure Key Vault. Application developers will need access to this key to access and manage the column encryption keys.

On 2-March-2023, I passed AZ-500 with flying colur. This question was in exam. Some question were on Defender EASM as well.

In Exam 10/18/2022. One case study, no lab.

Answer is correct.

Correct answer. In 12/18/21 exams

Correct- Column Encryption Key and Column Master Key.

correct answer

Answer is correct