Microsoft Azure Architect Design (AZ-304) Practice Test


Prepare for the Microsoft Azure Architect Design (AZ-304) Exam with comprehensive quiz questions designed to enhance your understanding and confidence. Master essential Azure concepts and strategies to excel on your test day!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



If a company wants to encrypt the disks of virtual machines using BitLocker, what solution should they implement if they have an on-premises HSM?

  1. Deploy one Azure Key Vault per region

  2. Export a security key from the on-premises HSM

  3. Configure to use Azure Storage Service Encryption

  4. Use Azure Disk Encryption with a single Azure AD service principal

The correct answer is: Deploy one Azure Key Vault per region

Azure Disk Encryption (ADE) is the Azure feature that applies BitLocker to the OS and data disks of Windows VMs. It stores the BitLocker keys and secrets in Azure Key Vault, and the key vault must be in the same region and subscription as the VMs it protects. A company running VMs in several regions therefore needs one Key Vault per region. Those vaults also give the company central control over its keys: access policies or RBAC, logging, soft delete and purge protection, and HSM-backed (Premium) storage for keys that must stay in hardware.

The on-premises HSM fits in through bring-your-own-key (BYOK): a key exchange key is generated inside the Key Vault HSM, the on-premises HSM wraps the company's key with it, and only the wrapped blob is transferred and imported into the vault. Simply exporting the key from the on-premises HSM is the wrong answer because a key in cleartext outside the HSM loses exactly the hardware isolation the HSM was bought to provide.

Azure Storage Service Encryption encrypts data at rest at the storage layer, transparently to the VM; it does not use BitLocker, so it does not meet the stated requirement. Using Azure Disk Encryption with a single Azure AD service principal describes the legacy ADE deployment model (the current release needs no Azure AD application), and a single principal does nothing to satisfy the same-region requirement that makes one key vault per region necessary.
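The following script is an added example, not part of the practice-test page or of Microsoft's documentation. It walks through the recommended design with the Azure CLI: create a Premium Key Vault in the VM's region, bring the key-encryption key in from the on-premises HSM with BYOK so it never leaves the HSM in cleartext, and enable Azure Disk Encryption (BitLocker) against that regional vault. The resource names (rg-ade, kv-ade-<region>, kek-byok-transfer, kek-ade-hsm, vm-app-01) and the dry-run default are assumptions for illustration; the HSM vendor's wrapping step is vendor-specific and is left as a comment.

```shell
#!/usr/bin/env bash
# Added example (not from the practice-test page or from Microsoft): one Key Vault per
# region for Azure Disk Encryption (BitLocker), with the key-encryption key imported
# from an on-premises HSM via BYOK. Resource names and DRY_RUN default are assumptions.
set -eu

RG="${RG:-rg-ade}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of executing them

# Run (or, in dry-run mode, print) an az CLI command.
az_cmd() {
  if [ "$DRY_RUN" = 1 ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# One vault per region: the vault name encodes the region it lives in.
vault_for_region() {
  printf 'kv-ade-%s\n' "$1"
}

# ADE requires the vault and the VM to be in the same region and subscription;
# fail early instead of letting the encryption extension fail on the VM.
require_same_region() {
  local vm_region="$1" vault_region="$2"
  if [ "$vm_region" != "$vault_region" ]; then
    echo "refusing: VM is in '$vm_region' but the vault is in '$vault_region'" >&2
    return 1
  fi
  return 0
}

# Premium SKU for HSM-protected keys; enabled-for-disk-encryption lets the ADE
# extension read its secrets; purge protection keeps a deleted key recoverable,
# which matters because losing the key means losing the disks.
create_regional_vault() {
  local region="$1" vault
  vault="$(vault_for_region "$region")"
  az_cmd keyvault create --name "$vault" --resource-group "$RG" --location "$region" \
    --sku premium --enabled-for-disk-encryption true --enable-purge-protection true
}

# BYOK: create an HSM-backed key exchange key restricted to the import operation,
# hand its public half to the on-premises HSM (the vendor tool wraps the target key
# with it and produces a .byok transfer blob), then import the wrapped key.
import_hsm_key() {
  local vault="$1" byok_file="$2"
  az_cmd keyvault key create --vault-name "$vault" --name kek-byok-transfer \
    --kty RSA-HSM --size 4096 --ops import
  az_cmd keyvault key download --vault-name "$vault" --name kek-byok-transfer \
    --encoding PEM --file kek-byok-transfer.pub.pem
  # vendor-specific step: wrap the target key with kek-byok-transfer.pub.pem -> $byok_file
  az_cmd keyvault key import --vault-name "$vault" --name kek-ade-hsm --byok-file "$byok_file"
}

# Enable ADE on the VM against the regional vault, using the imported HSM key as
# the key-encryption key that wraps the BitLocker volume key.
encrypt_vm() {
  local vm="$1" vault="$2"
  az_cmd vm encryption enable --resource-group "$RG" --name "$vm" \
    --disk-encryption-keyvault "$vault" --key-encryption-key kek-ade-hsm --volume-type All
  az_cmd vm encryption show --resource-group "$RG" --name "$vm"
}

main() {
  local vm="$1" region="$2" vm_region vault
  if [ "$DRY_RUN" = 1 ]; then
    vm_region="$region"   # dry run: trust the operator-supplied region
  else
    vm_region="$(az vm show --resource-group "$RG" --name "$vm" --query location -o tsv)"
  fi
  vault="$(vault_for_region "$region")"
  require_same_region "$vm_region" "$region"
  create_regional_vault "$region"
  import_hsm_key "$vault" "kek-ade-hsm.byok"
  encrypt_vm "$vm" "$vault"
}

main "${1:-vm-app-01}" "${2:-eastus}"
```

Run it with `DRY_RUN=0 ./ade-byok.sh vm-app-01 eastus` against a subscription you are logged into; by default it only prints the commands. The region check is the part that encodes the exam point: the vault is chosen from the VM's region, and a mismatch aborts before anything is created.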