Encryption
- At-rest: Storage Service Encryption (SSE) with Microsoft-managed or customer-managed keys.
- In-transit: TLS 1.2 enforced; disable older TLS versions.
- TDE: Transparent Data Encryption for Azure SQL (automatic, always-on).
- Always Encrypted: client-side encryption for sensitive columns (e.g. SSN, credit card numbers).
Key Vault
- Access model: RBAC (recommended) or vault access policies.
- Soft delete: 7-90 day retention for deleted vaults and objects.
- Purge protection: blocks purge (permanent deletion) of a soft-deleted vault or object until the retention period expires.
- Key rotation: automate with Event Grid key-expiry notifications and Azure Functions.
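The Key Vault and storage controls from both lists above, as an added Bicep example that is not part of the original notes; the resource names are placeholder assumptions.

```bicep
// Added example: a Bicep template applying the controls listed above.
// Resource names below are hypothetical placeholders, not from the original notes.
param location string = resourceGroup().location
param vaultName string = 'kv-example-placeholder'
param storageName string = 'stexampleplaceholder'

// Key Vault: RBAC authorization, soft delete with 90-day retention, purge protection.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // RBAC instead of vault access policies (the recommended access model).
    enableRbacAuthorization: true
    // Soft delete keeps deleted vaults/objects recoverable for 7-90 days.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // Purge protection blocks permanent deletion until retention expires;
    // once enabled it cannot be turned off again.
    enablePurgeProtection: true
  }
}

// Storage account: encryption at rest with Microsoft-managed keys, TLS 1.2 minimum.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // In-transit: reject plain HTTP and any TLS version below 1.2.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    // At-rest: SSE with Microsoft-managed keys. For customer-managed keys, set
    // keySource to 'Microsoft.Keyvault', add keyvaultproperties and a managed identity.
    encryption: {
      keySource: 'Microsoft.Storage'
      services: {
        blob: { enabled: true }
        file: { enabled: true }
      }
    }
  }
}
```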