Exam CV1-003 topic 1 question 11 discussion

x) A. Ensure all database queries are encrypted -> you can encrypt databases, not "queries" because you need data in clear. Only password should be encrypted via hashing(it is a one way solution, just for integrity!), but any other type of data just need physical encryption X) B. Create an IPSec tunnel between the database server and its clients -> ipsec it is for site-to-site, you can't use it with "clients" X) C. Enable protocol encryption between the storage and the hypervisor -> "hypervisor encryption" is different from "VM encryption". But doesn't exist an encryption protocol between "storage" and "hypervisor" V) D. Enable volume encryption on the storage X) E. Enable OS encryption -> can be a solution, but maybe data are saved on different storage, so if you encrypt "OS" you didn't match the solution. Then: you can't encrypt "OS", i.g. bitlocker on windows encrypts disks not OS

D. Enable volume encryption on the storage. This will encrypt the data at rest, protecting it in case the physical storage is lost or stolen, and also meet the requirement of the server being able to be rebooted for patching without manual intervention

Correct: A database server can use Transport Layer Security (TLS) to encrypt data that is transmitted across a network between an instance of database and a client application. TLS is performed within the protocol layer and is available to all supported Server Clients. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15