An online retailer must comply with PCI DSS by ensuring that all customer and payment data stored in its cloud-hosted relational database remain unreadable if someone obtains a copy of the storage files. The solution must encrypt the entire database without requiring application code changes and should introduce minimal overhead while queries execute. Which approach BEST fulfills these requirements?
Enable the platform's transparent data encryption (TDE) feature and manage the encryption key in the cloud KMS.
Require every client connection to use TLS 1.3 with perfect forward secrecy.
Encrypt nightly CSV exports with PGP before moving them to object-storage archives.
Hash the primary key columns before inserting records, leaving the remaining fields unencrypted.
The most suitable technique is transparent data encryption (TDE) with keys stored in the cloud provider's key-management service. TDE encrypts every database and log file on disk as well as backups, so the data are protected at rest. Because the encryption and decryption happen automatically at the storage layer, applications continue to run the same SQL statements, and industry tests show only a small (roughly 2-4 %) performance impact, meeting the "minimal overhead" constraint.
Hashing primary keys safeguards only one column and is not reversible, leaving most sensitive data-and the database files themselves-in plaintext. Encrypting nightly CSV exports protects archival copies but leaves the live database files unencrypted, so it does not meet the requirement for continual encryption at rest. Requiring TLS 1.3 secures data in transit between clients and the database server but offers no protection for data stored on disk. Therefore, TDE is the only option that satisfies all stated goals.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Transparent Data Encryption (TDE)?
Open an interactive chat with Bash
What does 'encryption at rest' mean?
Open an interactive chat with Bash
What is a Cloud Key Management Service (KMS)?
Open an interactive chat with Bash
CompTIA Data+ DA0-002 (V2)
Data Governance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .