From the course: Microsoft Azure Cosmos DB Developer Specialty (DP-420) Cert Prep: 5 Maintain an Azure Cosmos DB Solution by Microsoft Press
Choose between service-managed and customer-managed encryption keys
- [Instructor] The DP-420 exam is going to ask you about how do you validate, particularly to your compliance team, that your Cosmos DB data is encrypted at rest? Given that you don't own the data centers, you're trusting Microsoft. Well, Microsoft gives us some control as customers. We've got what's called Storage Service Encryption, and what this gives us is the ability to just stay with the default option, that's the Service-Managed Key. This is where Microsoft applies AES-256 encryption to your Cosmos DB data at rest in the Azure data centers. Now, when your data is called into action, the Service-Managed Key automatically decrypts the data. But when it's at rest and not in use, it is encrypted. Now, to help customers who have further compliance requirements. Now, what you should note here is two things. CMK, or Customer-Managed Key, is not instead of the Service-Managed Key, it's optional on top of it, so you're double encrypting your data. Do you really want to do this? I would…
Contents
- Learning objective (49s)
- Choose between service-managed and customer-managed encryption keys (2m 3s)
- Configure network-level access control for Azure Cosmos DB (6m 15s)
- Configure data encryption for Azure Cosmos DB (1m 10s)
- Manage control plane access to Azure Cosmos DB by using Azure role-based access control (RBAC) (2m 36s)
- Manage data plane access to Azure Cosmos DB by using Azure Active Directory (1m 38s)
- Configure Cross-Origin Resource Sharing (CORS) settings (1m 41s)
- Manage account keys by using Azure Key Vault (1m 19s)
- Implement customer-managed keys for encryption (53s)
- Implement Always Encrypted (12m 55s)