Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage an Azure SQL logical server that hosts the production database SalesDB. Transparent Data Encryption (TDE) is enabled and currently uses the Microsoft-managed service key. Your company now requires that all databases use a customer-managed key (CMK) stored in Azure Key Vault, but downtime and full data re-encryption must be avoided. Which action should you perform to meet the requirement?
Import the customer-managed key into the SalesDB master database and regenerate the database encryption key.
Set the TDE protector for the logical server to the customer-managed key in Azure Key Vault.
Turn off TDE for SalesDB, then enable it again using the key from Azure Key Vault.
Use Azure Database Migration Service to copy SalesDB to a new database that is encrypted with the customer-managed key.
To switch from the Microsoft-managed service key to a customer-managed key without triggering a full data re-encryption, change the server-level TDE protector to reference the key stored in Azure Key Vault. When the server TDE protector is updated, Azure SQL simply re-wraps the existing database encryption key (DEK) with the new protector; the data and log files remain encrypted with the same DEK, so no lengthy re-encryption occurs and the database stays online. Disabling TDE and re-enabling it would decrypt all pages and then re-encrypt them with a new key, violating the requirement to avoid a full re-encryption even though the operation is online. Migrating the database or importing the key into the master database is unnecessary and does not configure TDE to use the CMK.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Transparent Data Encryption (TDE) in Azure SQL?
Open an interactive chat with Bash
What is a customer-managed key (CMK) in Azure Key Vault?
Open an interactive chat with Bash
How does changing the TDE protector avoid full data re-encryption?
Open an interactive chat with Bash
Microsoft Azure Security Engineer Associate AZ-500
Secure compute, storage, and databases
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .