AZ-204 - Data Encryption with Storage Accounts and SQL Database | JavaInUse

Secure App Configuration

Application settings, connection strings, and secrets should never be stored in code or config files. Azure provides several services for secure configuration management.

Azure App Configuration

A centralized service for managing application settings and feature flags. Supports key-value pairs with labels, snapshots, and Key Vault references for secrets.

Azure Key Vault

A cloud service for securely storing and accessing secrets, keys, and certificates. Applications retrieve secrets at runtime rather than embedding them in code.

Managed Identity

Use managed identities to authenticate to Azure Key Vault and other services without storing credentials. System-assigned identities are tied to a specific resource; user-assigned identities can be shared across resources.

Data Encryption and Storage Accounts

Azure Storage encrypts all data at rest by default using Storage Service Encryption (SSE) with 256-bit AES. You can choose between Microsoft-managed keys (MMK) or customer-managed keys (CMK).

Encryption Options

Option                       | Key Management                                        | Use Case
Microsoft-Managed Keys (MMK) | Azure manages key rotation and storage                | Default; zero management overhead
Customer-Managed Keys (CMK)  | Keys stored in Azure Key Vault; you control rotation  | Regulatory compliance, custom key lifecycle
Customer-Provided Keys       | Key provided with each request                        | Blob Storage only; maximum control per request

Encryption in Transit

Azure Storage enforces HTTPS by default. The "Secure Transfer Required" setting ensures all requests use HTTPS or SMB 3.0 with encryption.

Data Encryption and SQL Databases

Transparent Data Encryption (TDE)

Encrypts the entire SQL database at rest (data files, log files, tempdb) without requiring changes to application code. Enabled by default for Azure SQL Database.

Key Point: TDE encrypts at the page level -- data is encrypted on disk and decrypted when read into memory.

Always Encrypted

Encrypts sensitive columns in SQL Database so that data is encrypted both at rest AND in use. The database engine never sees plaintext values -- decryption happens only in the client application.

Use Case: Protecting sensitive data (SSN, credit card numbers) from database administrators.

TDE vs. Always Encrypted

Feature          | TDE                        | Always Encrypted
Encryption Scope | Entire database at rest    | Specific columns, at rest and in use
Code Changes     | None required              | Client driver changes needed
DBA Access       | DBA can see data in memory | DBA cannot see plaintext
Default          | Enabled by default         | Must be explicitly configured

Configuring Customer-Managed Key (CMK) with Azure Key Vault

To use CMK for Storage Account encryption, create a key in Azure Key Vault, then configure the storage account to use that key. The storage account accesses the key vault using a managed identity.

Steps

  1. Create an Azure Key Vault with soft delete and purge protection enabled
  2. Create or import a key in the vault
  3. Assign the storage account's managed identity access to the key vault
  4. Configure the storage account to use the CMK from the vault
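The four steps above written out as an Azure CLI script. This is an added example, not code from the original page: every resource name is a placeholder, DRY_RUN=1 prints the commands instead of calling Azure, and it assumes the vault uses access policies (a vault with RBAC authorization would need a role assignment in place of set-policy).

```shell
#!/bin/sh
# Constructed walkthrough of the four CMK steps with the Azure CLI; every resource
# name is a placeholder. DRY_RUN=1 prints each command instead of running it.
set -eu
RG="${RG:-rg-cmk-demo}"; LOC="${LOC:-eastus}"              # placeholder resource group / region
VAULT="${VAULT:-kv-cmk-demo}"; KEY="${KEY:-storage-cmk}"   # placeholder vault and key names
SA="${SA:-stcmkdemo}"                                      # placeholder storage account name

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Capture a CLI query result, or a labelled placeholder when DRY_RUN=1.
lookup() {
  label="$1"; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '<%s>' "$label"; else "$@"; fi
}

configure_cmk() {
  # Step 1: soft delete is on by default for new vaults and cannot be turned
  # off; purge protection must be requested explicitly.
  run az keyvault create --name "$VAULT" --resource-group "$RG" \
      --location "$LOC" --enable-purge-protection true
  # Step 2: the RSA key that will wrap the storage service's data keys.
  run az keyvault key create --vault-name "$VAULT" --name "$KEY" --kty RSA --size 2048
  # Step 3: system-assigned identity, granted only the key operations that
  # envelope encryption needs (no list, delete or purge rights).
  run az storage account update --name "$SA" --resource-group "$RG" --assign-identity
  principal=$(lookup storage-principal-id az storage account show --name "$SA" \
      --resource-group "$RG" --query identity.principalId -o tsv)
  run az keyvault set-policy --name "$VAULT" --object-id "$principal" \
      --key-permissions get wrapKey unwrapKey
  # Step 4: point the account at the vault key. Leaving out
  # --encryption-key-version lets the service follow new key versions.
  vault_uri=$(lookup vault-uri az keyvault show --name "$VAULT" \
      --resource-group "$RG" --query properties.vaultUri -o tsv)
  run az storage account update --name "$SA" --resource-group "$RG" \
      --encryption-key-source Microsoft.Keyvault \
      --encryption-key-vault "$vault_uri" --encryption-key-name "$KEY"
}

# After a real run this prints Microsoft.Keyvault rather than Microsoft.Storage.
check_cmk() {
  lookup key-source az storage account show --name "$SA" --resource-group "$RG" \
      --query encryption.keySource -o tsv
}

case "${1:-}" in apply) configure_cmk ;; check) check_cmk ;; esac
```

Run `DRY_RUN=1 sh cmk.sh apply` to review the commands first, then `sh cmk.sh apply` followed by `sh cmk.sh check` against a logged-in subscription.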

Key Terms

Term                              | Definition
Azure Key Vault                   | A cloud service for securely storing secrets, keys, and certificates with access controlled by RBAC and access policies.
TDE (Transparent Data Encryption) | Encrypts an entire SQL database at rest without application code changes. Enabled by default for Azure SQL.
Always Encrypted                  | Column-level encryption for SQL databases where data is encrypted at rest, in transit, and in use. Only the client application can decrypt.
Customer-Managed Key (CMK)        | An encryption key stored in Azure Key Vault, giving the customer full control over key rotation and lifecycle.
Managed Identity                  | An automatically managed identity in Entra ID used by Azure resources to authenticate to services like Key Vault without stored credentials.
SSE (Storage Service Encryption)  | Automatic 256-bit AES encryption of all data at rest in Azure Storage.

Exam Tips:
  • TDE = whole database encryption at rest, no code changes, enabled by default.
  • Always Encrypted = column-level encryption, DBA cannot see plaintext, requires client driver changes.
  • Azure Storage encryption at rest is always enabled -- you cannot disable it.
  • CMK requires Key Vault with soft delete and purge protection enabled.
  • Managed Identity is the best way to authenticate to Key Vault (no stored credentials).
  • User Delegation SAS + Managed Identity = most secure storage access pattern.

Practice Questions

Q1. Which SQL Database encryption feature prevents database administrators from seeing plaintext data?

  A. Transparent Data Encryption (TDE)
  B. Always Encrypted
  C. Dynamic Data Masking
  D. Row-Level Security

Answer: B

Always Encrypted ensures that data is encrypted at rest, in transit, and in use. The database engine never sees plaintext -- only the client application with the correct key can decrypt the data.

Q2. Which encryption is enabled by default for Azure SQL Database?

  A. Always Encrypted
  B. TDE (Transparent Data Encryption)
  C. Column-level encryption
  D. No encryption by default

Answer: B

TDE is enabled by default for all new Azure SQL databases. It encrypts the entire database at rest without requiring any application code changes.

Q3. What Key Vault features must be enabled before using CMK for Storage Account encryption?

  A. Soft delete and purge protection
  B. Network isolation and private endpoints
  C. RBAC and managed identity
  D. HSM and key rotation

Answer: A

Azure Key Vault must have soft delete and purge protection enabled to be used with customer-managed keys (CMK) for storage encryption. This prevents accidental or malicious key deletion.

Q4. How does a storage account authenticate to Azure Key Vault when using CMK?

  A. Using a connection string
  B. Using a SAS token
  C. Using a managed identity
  D. Using an API key

Answer: C

The storage account uses a managed identity to authenticate to Azure Key Vault. This eliminates the need to store any credentials and is the recommended authentication method.

Q5. Can Azure Storage encryption at rest be disabled?

  A. Yes, from the Azure Portal
  B. Yes, using Azure CLI
  C. No, it is always enabled
  D. Yes, but only for Blob Storage

Answer: C

Azure Storage encryption at rest (SSE) is always enabled and cannot be disabled. All data in Azure Storage is encrypted using 256-bit AES encryption.
