ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam DP-420 All Questions

View all questions & answers for the DP-420 exam
Go to Exam

Exam DP-420 topic 5 question 21 discussion

Actual exam question from Microsoft's DP-420
Question #: 21
Topic #: 5
[All DP-420 Questions]

HOTSPOT -
You have a container named container1 in an Azure Cosmos DB Core (SQL) API account named account1.
You configure container1 to use Always Encrypted by using an encryption policy as shown in the C# and the Java exhibits. (Click the C# tab to view the encryption policy in C#.

Click the Java tab to see the encryption policy in Java.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: No -
The creditcard property uses randomized encryption.
Randomized encryption is more secure, but prevents queries from filtering on encrypted properties.

Box 2: Yes -
The SSN property uses deterministic encryption.
Using deterministic encryption allows queries to perform equality filters on encrypted properties.

Box 3: Yes -
Reading documents when only a subset of properties can be decrypted.
In situations where the client does not have access to all the CMK used to encrypt properties, only a subset of properties can be decrypted when data is read back. For example, if property1 was encrypted with key1 and property2 was encrypted with key2, a client application that only has access to key1 can still read data, but not property2. In such a case, you must read your data through SQL queries and project away the properties that the client can't decrypt: SELECT c.property1, c.property3 FROM c.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted
by imando at June 11, 2023, 2:34 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
[Removed]
Highly Voted 1 year, 9 months ago
NYN Both paths are encrypted using the same key id "encryptionkey". The application either has access to both or access to none. https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted#reading-documents-when-only-a-subset-of-properties-can-be-decrypted
upvoted 7 times
...
skynetbcn
Most Recent 8 months ago
If the third question is generic, the answer is yes. If it refers to the json provided in the question, the answer is no
upvoted 1 times
skynetbcn
8 months ago
not json, c# code...
upvoted 1 times
...
...
imando
2 years ago
NYY is correct it seems
upvoted 2 times
[Removed]
1 year, 1 month ago
Third option is also YES, here is why: While the encryption types do not dictate read permissions, an application's access can be configured to only decrypt certain properties if it has the appropriate encryption key. If the application has the encryption key for the creditcard property but not for the SSN property, then it would be able to read creditcard but not SSN.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel