You have an Azure key vault named KV1. You need to implement a process that will digitally sign the blobs stored in Azure Storage. What is required in KV1 to sign the blobs?
Should be C. The distinction is between encrypting and signing. To encrypt, a secret is sufficient. To sign something, it needs to be related to an entity. Neither a key nor a secret is capable of holding a reference to an entity; a certificate can.
The following example supports the answer that a certificate in Azure Key Vault can be used to sign a doc:
https://www.rahulpnath.com/blog/signing-a-pdf-file-using-azure-key-vault/
Should be A.
Both encrypting and signing will need a key.
(Note: a certificate contains a private key, but the certificate is mainly used for TLS/SSL),
but for encrypting and signing, you use a private key (you should not use a secret to encrypt).
https://docs.microsoft.com/en-us/rest/api/keyvault/keys/encrypt/encrypt
https://docs.microsoft.com/en-us/rest/api/keyvault/keys/sign/sign
If you are using Azure CLI:
https://docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-encrypt
C / Certificate should be the correct answer.
Looking at the wording,
What is required in KV1 to sign the blobs?
A SECRET is not stored "in" KV1. It's the certificate stored in KV1 that needs to be used for signing. You definitely need a SECRET to access KV1, but the question here is not about accessing KV1; it's about what needs to be stored in KV1 to sign.
The following is a different use case, but it utilizes the same concept.
https://www.risual.com/2019/02/add-ssl-cert-to-azure-blob-storage-website/
I'm going with C (certificate). I think the cert is required to prove that the signature is from you and not someone else.
"To create a digital signature, you need a signing certificate, which proves identity. When you send a digitally-signed macro or document, you also send your certificate and public key"
https://support.microsoft.com/en-us/office/digital-signatures-and-certificates-8186cd15-e7ac-4a16-8597-22bd163e8e96
OK. I'm now voting that you need a key. This document from the blob storage SDK shows you how to perform a "sign" operation and it only requires the key from the vault.
Scroll down to the "sign" section:
https://azuresdkdocs.blob.core.windows.net/$web/javascript/azure-keyvault-keys/4.0.0/index.html
This is a tough one. Initially I answered that you needed the certificate but upon further digging, I found this very clear tutorial on what you need to sign files. The last section shows you need the secret associated with the signing certificate.
https://www.ssl.com/how-to/code-signing-with-azure-key-vault/
C. Keys are used to generate a certificate or secret. It can be managed or bring your own key. A secret is used to protect a password or perform authentication. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods. A certificate is used to sign something.
Any expert from the security domain will say "key", and it is backed by the Microsoft doc:
https://docs.microsoft.com/en-us/rest/api/keyvault/sign/sign
A good way to answer this kind of question is to check the RESTful API request parameters.
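
The Key Vault sign operation linked in the comments above takes a digest of the data, not the data itself. As an added example (not from any commenter or from Microsoft's documentation), this Python code builds the request for one blob and decodes the returned signature; the key name, key version and API version are placeholder assumptions.

```python
import base64
import hashlib
import json

# Hash that each Key Vault signature algorithm expects as its input digest.
ALG_TO_HASH = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}
API_VERSION = "7.4"  # assumption: substitute the version your vault supports


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding the request body uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def digest_blob(chunks, alg: str) -> bytes:
    """Hash the blob locally, chunk by chunk; only the digest leaves the host."""
    if alg not in ALG_TO_HASH:
        raise ValueError(f"unsupported signature algorithm: {alg}")
    h = hashlib.new(ALG_TO_HASH[alg])
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def build_sign_request(vault_url, key_name, key_version, chunks, alg="RS256"):
    """Return (url, json_body) for a POST to the keys/.../sign operation."""
    url = (f"{vault_url.rstrip('/')}/keys/{key_name}/{key_version}"
           f"/sign?api-version={API_VERSION}")
    body = json.dumps({"alg": alg, "value": b64url(digest_blob(chunks, alg))})
    return url, body


def parse_sign_response(text: str):
    """Return (key id, raw signature bytes) from the operation's JSON reply."""
    doc = json.loads(text)
    return doc["kid"], b64url_decode(doc["value"])


if __name__ == "__main__":
    # Constructed sample: hypothetical key name and version in vault KV1.
    blob = [b"hello ", b"world"]
    print(*build_sign_request("https://kv1.vault.azure.net",
                              "blob-signing-key", "<key-version>", blob), sep="\n")
```

The private key never leaves the vault: the caller sends the digest and stores the returned signature alongside the blob, for example in blob metadata.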