All Data & Application Security Flashcards
Q: What is the difference between TDE and Always Encrypted?
A: TDE encrypts the entire database at rest (transparent to apps). Always Encrypted encrypts specific columns client-side; even DBAs cannot see plaintext.
Q: What is Key Vault purge protection?
A: Prevents permanent deletion of vault objects during the soft-delete retention period. Even with Owner permissions, purging is blocked.
Q: How do you secure an Azure Storage account?
A: Disable public blob access, require HTTPS, use private endpoints, enable soft delete, configure SAS with short expiration, and use customer-managed keys.
Q: What is Azure Information Protection?
A: A classification and labeling system that applies encryption, rights management, and visual markings to documents and emails based on sensitivity labels.
Q: What are the storage account encryption options?
A: Microsoft-managed keys (default, no config needed), Customer-managed keys in Key Vault, or Customer-provided keys (per-request with Blob storage).