312-50V11 · Question #980
BitLocker encryption has been implemented for all the Windows-based computers in an organization. You are concerned that someone might lose their cryptographic key. Therefore, a mechanism was implemen
The correct answer is A. Key archival. When organizations store cryptographic keys in a secure repository (such as Active Directory) so they can be retrieved if lost, this practice is called key archival.
Question
Options
- AKey archival
- BKey escrow.
- CCertificate rollover
- DKey renewal
How the community answered
(19 responses)- A84% (16)
- B11% (2)
- D5% (1)
Why each option
When organizations store cryptographic keys in a secure repository (such as Active Directory) so they can be retrieved if lost, this practice is called key archival.
Key archival is the cryptographic mechanism of storing a copy of a private or symmetric key in a secure, centralized repository - such as Active Directory - so it can be recovered by an authorized administrator. BitLocker uses this by backing recovery keys to AD DS, ensuring that if a user loses access, the key can be retrieved from the directory. This differs from escrow in that archival is primarily an organizational backup and recovery operation, not a third-party trust arrangement.
Key escrow specifically refers to an arrangement where keys are held by a neutral or trusted third party (often for legal/law enforcement access), not an internal organizational backup to Active Directory.
Certificate rollover is the process of replacing an expiring certificate with a new one before it expires, which has no relation to storing or recovering existing cryptographic keys.
Key renewal refers to extending or regenerating a key or certificate's validity period, not to archiving or recovering keys from a directory service.
Concept tested: BitLocker key archival in Active Directory
Source: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq
Topics
Community Discussion
No community discussion yet for this question.