
DP-300 Question #400: Real Exam Question with Answer & Explanation


Submitted by renata2k · Mar 6, 2026

Implement security for data at rest and in transit - specifically configuring Always Encrypted to protect sensitive column data in Azure SQL Database / SQL Server, aligning with Azure certification objectives around data security and compliance (e.g., DP-300, AZ-900, or SC-900 database security domains).

Question

SIMULATION

You need to encrypt the LastName column of the SalesLT.Customer table in db1 by using Always Encrypted. You must use the Windows Certificate Store.

You may need to use SQL Server Management Studio and the Azure portal.

Answer:

Solution 1 [Less complex]

Configure column encryption using Always Encrypted Wizard

The Always Encrypted Wizard is a powerful tool that allows you to set the desired Always Encrypted configuration for selected database columns. Depending on the current configuration and the desired target configuration, the wizard can encrypt a column, decrypt it (remove encryption), or re-encrypt it (for example, using a new column encryption key or an encryption type that is different from the current type, configured for the column). Multiple columns can be configured in a single run of the wizard.

Step 1: Open the Always Encrypted Wizard
You can launch the wizard at three different levels:
  • At a database level - if you want to encrypt multiple columns located in different tables.
  • At a table level - if you want to encrypt multiple columns located in the same table.
  • *-> At a column level - if you want to encrypt one specific column. [This option here]

Step 2: Connect to your SQL Server with the Object Explorer component of SQL Server Management Studio.

Step 3: To encrypt an individual column, navigate to the column, right-click on it, and then select Encrypt Columns. [Select the LastName column of the SalesLT.Customer table in db1]

Step 4: Column Selection page
In this page, you select columns you want to encrypt, re-encrypt, or decrypt, and you define the target encryption configuration for the selected columns.

Step 5: If you want the wizard to encrypt or re-encrypt one or more columns using a new column encryption key, pick a key containing (New) in its name. The wizard will generate the key.

Step 6: Master Key Configuration page
If you have selected an autogenerated column encryption key for any column on the previous page, in this page you need to either select an existing column master key or configure a new column master key that will encrypt the column encryption key. When configuring a new column master key, you can either pick an existing key in Windows Certificate Store or in Azure Key Vault and have the wizard create just a metadata object for the key in the database, or you can choose to generate both the key and the metadata object describing the key in the database.

Step 7: Click "Next" and follow the wizard's instructions to complete the process.

Solution 2 [A bit more complex. Use for reference]

To encrypt a specific column using Always Encrypted with a Windows Certificate Store, you'll first need to set up a Column Master Key (CMK) [Task 1] and a Column Encryption Key (CEK) [Task 2]. The CMK will be protected by a certificate in the Windows Certificate Store, and the CEK will then be used to encrypt the data in your chosen column.

Task 1: Set up a Column Master Key (CMK)

Create a self-signed certificate using SQL Server Management Studio (SSMS)

Provision Column Master Keys with the New Column Master Key Dialog

The New Column Master Key dialog allows you to generate a column master key or pick an existing key in a key store, and create column master key metadata for the created or selected key in the database.

Step 1: Using Object Explorer, navigate to the Security -> Always Encrypted Keys node under your database.

Step 2: Right-click on the Column Master Keys node and select New Column Master Key....

Step 3: In the New Column Master Key dialog, enter the name of the column master key metadata object.

Step 4: Select a key store:
  • *-> Certificate Store - Current User - indicates the Current User certificate store location in the Windows Certificate Store, which is your personal store. [Select this one]
  • Certificate Store - Local computer
  • Azure Key Vault
  • Etc.

Step 5: If you're using SQL Server 2019 (15.x) and your SQL Server instance is configured with a secure enclave, you can select the Allow enclave computations checkbox to make the master key enclave-enabled. [Skip]

Step 6: Pick an existing key in your key store, or click the Generate Key or Generate Certificate button, to create a key in the key store. [Pick existing]

Step 7: Click OK and the new key appears in the list.

Task 2: Create a Column Encryption Key (CEK)

1. In SSMS, navigate to "Always Encrypted Keys" -> "Column Encryption Keys".
2. Right-click and select "New Column Encryption Key".
3. Give the CEK a name.
4. Select the CMK you just created. [Created in Stage 1]
5. Click "OK".

Task 3: Encrypt the data in your chosen column.

1. Right-click on the specific column you want to encrypt in Object Explorer. [Select the LastName column of the SalesLT.Customer table in db1]
2. Select "Tasks" -> "Encrypt Columns".
3. The Always Encrypted Wizard will guide you through the process:
4. Select the column you want to encrypt. [Select the LastName column of the SalesLT.Customer table in db1]
5. Choose the encryption type (Deterministic or Randomized).
6. Select the CEK you created. [Created in Stage 2]
7. Click "Next" and follow the wizard's instructions to complete the process.

Reference:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-wizard
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted
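
A scripted equivalent of Solution 2 with a final check that the column is protected by a certificate-store key, added here as an example and not part of the original answer. It uses the SqlServer PowerShell module; the connection string, certificate thumbprint, key names (CMK_CertStore, CEK_LastName) and the choice of Randomized encryption are assumptions or placeholders.

```powershell
# Added example: run as the Windows user whose Current User store holds the certificate.
Import-Module SqlServer

# Placeholders (assumptions): fill in for your environment.
$connStr    = "<connection string for db1>"
$thumbprint = "<thumbprint of the existing certificate in Cert:\CurrentUser\My>"

# Fail early if the certificate is missing or has no private key,
# because the CEK cannot be encrypted or later decrypted without it.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }

$database = Get-SqlDatabase -ConnectionString $connStr

# Task 1: CMK metadata pointing at Certificate Store - Current User.
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings `
    -CertificateStoreLocation "CurrentUser" -Thumbprint $thumbprint
New-SqlColumnMasterKey -Name "CMK_CertStore" -InputObject $database `
    -ColumnMasterKeySettings $cmkSettings

# Task 2: generate a CEK and store it encrypted under the CMK.
New-SqlColumnEncryptionKey -Name "CEK_LastName" -InputObject $database `
    -ColumnMasterKey "CMK_CertStore"

# Task 3: encrypt SalesLT.Customer.LastName.
# Randomized is an assumption; the answer leaves Deterministic/Randomized open.
$ces = @()
$ces += New-SqlColumnEncryptionSettings -ColumnName "SalesLT.Customer.LastName" `
    -EncryptionType "Randomized" -EncryptionKey "CEK_LastName"
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces

# Verify from catalog metadata: column -> CEK -> CMK -> key store.
$query = @"
SELECT c.name AS column_name, c.encryption_type_desc,
       cek.name AS cek_name, cmk.name AS cmk_name,
       cmk.key_store_provider_name, cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.object_id = OBJECT_ID('SalesLT.Customer') AND c.name = 'LastName';
"@
Invoke-Sqlcmd -ConnectionString $connStr -Query $query
```

A correctly configured column returns one row with key_store_provider_name MSSQL_CERTIFICATE_STORE and a key_path beginning CurrentUser/My/; no row means the column is still stored in plaintext.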

Options

  • task: Encrypt the LastName column of the SalesLT.Customer table in db1 using Always Encrypted and a Column Master Key stored in the Windows Certificate Store.
  • prerequisites: SQL Server Management Studio (SSMS) access and connectivity to db1, Azure portal access (if applicable for key management).


Topics

#Always Encrypted #Azure SQL Database Security #Column-Level Encryption #Windows Certificate Store