Exam AZ-204 topic 4 question 59 discussion

B. Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance. In order to configure Always Encrypted for the Java application, you need to first create a customer-managed key (CMK) using Azure Key Vault. This key will be used to encrypt and decrypt the sensitive data stored in Cosmos DB. After creating the key, you should store it in a new Azure Key Vault instance, which will be used to manage and secure the key. Once you have the key stored in Key vault, you can use Azure Cosmos DB SDK to encrypt the sensitive data and store it in Cosmos DB. It's important to note that Always Encrypted in Azure Cosmos DB is a client-side encryption feature that encrypts and decrypts sensitive data inside the application and not in the Azure Cosmos DB service.

https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet

B. Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance.

Steps for always encrypted based on this link: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotn 1) create customer managed key stored in azure key vault 2) create a data encryption key from the SDK and wrap it with the key vault customer managed key 3) create a container with encryption policy 4) read and write encryption data

A of course. Why do you talk about Azure Key Vault ? The statement of the question does not address that.

Got this on 6/28/2023 and passed with 850. Answer is correct.

As the question asks what to do first I would select answer A. "This policy must be provided when the container is created and it is immutable. In the current release, you can't update the encryption policy." => https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-always-encrypted?tabs=dotnet#encryption-policy