Microsoft Azure Architect Design (AZ-301) Practice Exam

What encryption solution should be used to ensure data is always encrypted at rest in Azure virtual machines?

• A. BitLocker Drive Encryption
• B. Azure Storage Service Encryption
• C. client-side encryption
• D. Azure Disk Encryption

The correct answer is: Azure Disk Encryption

Using Azure Disk Encryption is the most suitable solution to ensure that data is always encrypted at rest in Azure virtual machines. This feature enables you to encrypt the operating system and data disks of your virtual machines using BitLocker for Windows and DM-Crypt for Linux. By leveraging Azure Disk Encryption, you can protect your data at rest with strong encryption while simplifying key management through Azure Key Vault integration. Azure Disk Encryption operates at the VM level, ensuring that the entire virtual machine's disks are encrypted. This approach meets compliance requirements and strengthens data security, especially in scenarios involving sensitive or regulated information. While BitLocker Drive Encryption is relevant for encrypting Windows operating systems, it operates locally and does not manage the encryption of virtual disks in the Azure environment. Azure Storage Service Encryption is aimed primarily at encrypting data stored in Azure Storage accounts and is not specifically designed for virtual machine disks. Client-side encryption refers to encrypting data before it is sent to Azure, which can be useful for additional security but does not ensure encryption at rest for virtual machine disks. Therefore, Azure Disk Encryption stands out as the comprehensive solution for protecting data at rest within Azure virtual machines.