Exam AZ-301 topic 3 question 3 discussion

It's correct: "Azure Disk Encryption (...) uses the Bitlocker feature (...) and (...) to help you control and manage the disk encryption keys and secrets." https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/disk-encryption-overview. I.e. Bitlocker is the "tool", not the solution. D is correct.

D is correct as in the below link: https://azure.microsoft.com/en-us/blog/preview-server-side-encryption-with-customer-managed-keys-for-azure-managed-disks/ "Customers also benefit from Azure disk encryption (ADE) that leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt Managed Disks with customer managed keys within the guest virtual machine."

D. Azure Disk Encryption

Requirements: - The use of encryption keys is audited. - All the data is encrypted at rest always. - You manage the encryption keys, not Microsoft. Possible Answers: A. BitLocker Drive Encryption (BitLocker) > I think this would fullfil all requirements as well, although I am not sure about the key-usage auditing part. B. Azure Storage Service Encryption > Can be ruled out as we are using managed disks. C. client-side encryption > Doesn't make sense for managed disks, can be ruled out. D. Azure Disk Encryption > Fullfills all requirements. Keys are stored in Key Vault. To audit the encryption key usage, Key Vault monitoring can be used. Conclusion: > I am varying between A. & D. but still would choose D. as it seems the more azure-native approach. Am I missing something regarding BitLocker?

The Correct Answer is D.

Its D, I did it in lab

I'm guessing the rationale here is what is the service applicable to all VM types - which would be Azure disk encryption. Then features of Azure disk encryption are Bitlocker for Windows and DM_crypt for Linux - both of which can BYO key.

how about Server-side encryption with customer-managed keys? B is also feasible

Answer is D. See https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview#azure-disk-encryption

Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Would this answer still qualify under the requirement that "You manage the encryption keys, not Microsoft."? I would think no. If so, that means 'D' isn't the right answer.

Reference below tells that for windows machine azure disk encryption uses bitlocker for encryption. There was no specification there was windows and linux machines, question is to vague. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

Bitlocker does all of that. You can use it in azure, it works on managed disks, you can control the key. No reason why not