Your organization uses Azure Synapse Analytics dedicated SQL pool. You need to ensure that all data at rest in the SQL pool is encrypted using a customer-managed key stored in Azure Key Vault. What should you configure?
Trap 1: Implement Always Encrypted with column encryption keys stored in…
Always Encrypted encrypts data at the column level and is managed by client drivers; it is not server-level encryption for the entire pool.
Trap 2: Configure Dynamic Data Masking to obfuscate sensitive data.
Dynamic Data Masking hides data from non-privileged users but does not encrypt it.
Trap 3: Enable Azure Storage Service Encryption with a customer-managed key.
Azure Storage Service Encryption is used for Azure Storage, not for Azure Synapse dedicated SQL pool.
- A
Implement Always Encrypted with column encryption keys stored in Azure Key Vault.
Why wrong: Always Encrypted encrypts data at the column level and is managed by client drivers; it is not server-level encryption for the entire pool.
- B
Configure Dynamic Data Masking to obfuscate sensitive data.
Why wrong: Dynamic Data Masking hides data from non-privileged users but does not encrypt it.
- C
Enable Azure Storage Service Encryption with a customer-managed key.
Why wrong: Azure Storage Service Encryption is used for Azure Storage, not for Azure Synapse dedicated SQL pool.
- D
Enable Transparent Data Encryption (TDE) with a customer-managed key in Azure Key Vault.
TDE with a customer-managed key provides encryption at rest for the entire database, meeting the requirement.