Azure Services for Data Storage: Encrypting Data at Rest | AZ-301 Exam Answer


Question

Your company plans to migrate its on-premises data to Azure.

You need to recommend which Azure services can be used to store the data. The solution must meet the following requirements:

-> Encrypt all data while at rest.

-> Encrypt data only by using a key generated by the company.

Which two possible services can you recommend? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


A. B. C. D. E.

CE

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys

To meet the given requirements, you need to recommend Azure services that can encrypt data at rest and allow the company to use its own encryption keys. The two services that meet these criteria are Azure Blob storage and Azure Files.

Azure Blob storage is a fully managed, highly scalable service for storing large amounts of unstructured text or binary data, such as files, images, and videos. You can encrypt data stored in Azure Blob storage by using either Azure Storage Service Encryption (SSE) or Azure Key Vault. SSE automatically encrypts data at rest and decrypts it when accessed, while Azure Key Vault provides more granular control over encryption keys. With Azure Key Vault, you can bring your own encryption keys (BYOK) and use them to encrypt data stored in Azure Blob storage.

Azure Files is a fully managed cloud file share service that lets you set up highly available network file shares that can be accessed from anywhere using the Server Message Block (SMB) protocol. It supports encryption of data at rest, and you can use Azure Key Vault to manage and bring your own encryption keys (BYOK) to encrypt your data. Azure Files also integrates with Azure Active Directory to provide role-based access control and support for domain-joined machines.

Azure Table storage, Azure Backup, and Azure Queue storage do not provide BYOK functionality. Azure Table storage is a NoSQL key-value store that stores large amounts of structured data. Azure Backup is a service that backs up on-premises or cloud data to Azure. Azure Queue storage is a messaging service for cloud-based applications.

In summary, to meet the given requirements of encrypting all data at rest and using the company's own encryption keys, you can recommend Azure Blob storage or Azure Files.
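
As an added example (not part of the original page), the following check tests both requirements against the JSON that `az storage account show` returns for an account. The account name, vault URI and key name are constructed placeholders, and the field layout (`encryption.keySource`, `keyVaultProperties`, `services.*.keyType`) is assumed to match the CLI's output.

```python
import json

# Constructed sample: trimmed `az storage account show` output for a
# hypothetical account; vault URI and key name are placeholders.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage",
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {
      "keyVaultUri": "https://example-vault.vault.azure.net",
      "keyName": "company-generated-key"
    },
    "services": {
      "blob":  {"enabled": true, "keyType": "Account"},
      "file":  {"enabled": true, "keyType": "Account"},
      "queue": {"enabled": true, "keyType": "Service"},
      "table": null
    }
  }
}
""")


def services_using_company_key(account):
    """Return the storage services whose data at rest is encrypted
    with the account's customer-managed key held in Key Vault."""
    enc = account.get("encryption") or {}
    kv = enc.get("keyVaultProperties") or {}
    # keySource "Microsoft.Storage" means Microsoft-managed keys, which
    # fails the "key generated by the company" requirement outright.
    if (enc.get("keySource") or "").lower() != "microsoft.keyvault":
        return []
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        return []
    covered = []
    for name, svc in sorted((enc.get("services") or {}).items()):
        # Only services scoped to the account key use the Key Vault key;
        # a missing entry or keyType "Service" does not.
        if svc and svc.get("enabled") and svc.get("keyType") == "Account":
            covered.append(name)
    return covered


if __name__ == "__main__":
    print(services_using_company_key(SAMPLE_ACCOUNT))
```
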