Exam AZ-305 topic 2 question 19 discussion

A. RSA 3072 RSA 3072 provides a higher level of encryption strength compared to RSA 2048. While RSA 4096 offers even stronger encryption, it is not supported by Azure SQL Database and Azure SQL Managed Instance for TDE protectors. By choosing RSA 3072 for the TDE protector, you ensure strong encryption for your Azure SQL Managed Instance while complying with the platform's requirements. This will help protect sensitive data and maintain compliance with relevant security standards and regulations.

The Answer is A and here is why... Per https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal, if the TDE uses the system managed key, it uses a built in certificate for encryption, hence AES 256 if the TDE uses a customer managed key, then it uses an asymmetric RSA key at 2048 or 3072 And since the question says TDE is using the customer managed key... the answer is A Viola!

TDE protector can only be an asymmetric, RSA, or RSA HSM key. The supported key lengths are 2048 bits and 3072 bits. https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-tde-protector

RSA (2048, 3072, 4096) is an asymmetric encryption algorithm used primarily for key encryption and signing, not for bulk data encryption like TDE. The correct answer is still B. AES 256

A is correct

Actualmente RSA 4096 ya es compatible con Azure SQL Database

Was on my exam today - 4th Jan 2024

it was a exam Question

RSA 3072, because is custom managed

There are a lot of confusing elements in this question. At first it mentions on-premise SQL Server, which would allow AES or RSA ... However, the system is to be migrated over to Azure. And here the requirements for customer managed TDE are pretty clear and are listed here: https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-tde-protector AES can be enabled as an additional Infrastructure encryption to have two layers, but that was not the question here.

https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?source=recommendations&view=azuresql#requirements-for-configuring-tde-protector A. 3072

A is the answer. https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-tde-protector TDE protector can only be an asymmetric, RSA, or RSA HSM key. The supported key lengths are 2048 bytes and 3072 bytes.

https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#requirements-for-configuring-tde-protector

Answer A because Azure SQL Database and Azure Synapse Analytics support RSA 3072-bit key length for customer managed TDE with Bring Your Own Key (BYOK) configurations

A. RSA 3072 ( TDE protector can only be an asymmetric, RSA, or RSA HSM key. The supported key lengths are 2048 bytes and 3072 bytes.)

A. RSA 3072

A. RSA 3072