Microsoft AZ-301, Question 40

Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).

Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.

The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.

Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.

You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).

Solution:

Deploy one Azure key vault to each region

Export two security keys from the on-premises HSM

Import the security keys from the HSM into each Azure key vault

Create two Azure AD service principals

Configure the virtual machines to use Azure Disk Encryption

Specify a different service principal for the virtual machines in each region

Does this meet the goal?


Explanation

Use the Azure Key Vault Premium tier, which supports keys backed by Hardware Security Modules (HSM).

The key vault must be in the same region as the virtual machine that will be encrypted, so a deployment that spans West Europe and East US needs one key vault in each region.

Note: If you want a key encryption key (KEK) as an additional layer of protection for the disk encryption keys, add a KEK to your key vault. Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises key management HSM.
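The following PowerShell is an added example, not code from the exam page or from Microsoft. It walks through the steps the explanation describes: one Premium key vault per region, an HSM-backed KEK in each vault (imported from the on-premises HSM via a BYOK package), and Azure Disk Encryption enabled on each VM against the vault in its own region. Resource group, vault and VM names and the .byok file paths are constructed placeholders; a real deployment may need further parameters depending on the Az module version in use.

```powershell
# Added example (not from the original page): one Premium Key Vault per region,
# an HSM-backed key encryption key (KEK) in each, and Azure Disk Encryption
# enabled on each VM using the vault and KEK in the VM's own region.
# Resource names, VM names and file paths below are constructed placeholders.

$regions = @{
    'westeurope' = @{ ResourceGroup = 'rg-app1-weu'; Vault = 'kv-app1-weu'; Vms = @('vm-app1-weu-01') }
    'eastus'     = @{ ResourceGroup = 'rg-app1-eus'; Vault = 'kv-app1-eus'; Vms = @('vm-app1-eus-01') }
}
$kekName = 'app1-kek'

foreach ($location in $regions.Keys) {
    $r = $regions[$location]

    # Premium SKU is required for HSM-backed keys. EnabledForDiskEncryption lets the
    # Azure Disk Encryption service read the disk encryption secrets from this vault.
    $vault = New-AzKeyVault -Name $r.Vault -ResourceGroupName $r.ResourceGroup `
        -Location $location -Sku Premium -EnabledForDiskEncryption

    # Option A: generate the KEK inside the vault's HSM (no on-premises key involved).
    #   Add-AzKeyVaultKey -VaultName $r.Vault -Name $kekName -Destination HSM

    # Option B (what the explanation describes): import a KEK that was generated on,
    # and wrapped by, the on-premises HSM. The .byok file is the HSM's export package
    # (placeholder path). One package is exported per regional vault.
    $kek = Add-AzKeyVaultKey -VaultName $r.Vault -Name $kekName -Destination HSM `
        -KeyFilePath "C:\byok\$location-$kekName.byok"

    foreach ($vmName in $r.Vms) {
        # Both the vault and the KEK must live in the same region as the VM, so the
        # URLs and resource IDs come from this iteration's regional vault only.
        Set-AzVMDiskEncryptionExtension -ResourceGroupName $r.ResourceGroup -VMName $vmName `
            -DiskEncryptionKeyVaultUrl $vault.VaultUri `
            -DiskEncryptionKeyVaultId  $vault.ResourceId `
            -KeyEncryptionKeyUrl       $kek.Id `
            -KeyEncryptionKeyVaultId   $vault.ResourceId `
            -VolumeType All
    }
}

# Check: each VM's reported encryption settings should reference its regional vault and KEK.
foreach ($location in $regions.Keys) {
    $r = $regions[$location]
    foreach ($vmName in $r.Vms) {
        Get-AzVMDiskEncryptionStatus -ResourceGroupName $r.ResourceGroup -VMName $vmName
    }
}
```

The verification loop at the end is the practical check for the "same region" requirement: the OS and data volume encryption settings returned for a West Europe VM should name the West Europe vault, and likewise for East US. A mismatch there is the symptom of having pointed a VM at a vault in the other region.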
