The solution must satisfy two distinct encryption key management requirements.

1. Insurance Claim Files: The requirement is for encryption keys to be "hosted on-premises." Azure Blob storage with customer-provided keys (CPK) meets this. With CPK, the client application provides the encryption key with each read/write request. Azure Storage uses the key for the operation but never stores it. This allows the key to be securely stored and managed in an on-premises Hardware Security Module (HSM).

2. Cardholder Data: The requirement is for "encryption keys managed by the company." Storing cardholder data in an Azure SQL Database encrypted with Transparent Data Encryption (TDE) using keys from an Azure Key Vault Managed HSM fulfills this. A Managed HSM provides a single-tenant, FIPS 140-2 Level 3 validated HSM where the company retains full and exclusive control over the key lifecycle, satisfying the "company-managed" requirement.

C. Azure Key Vault Managed HSM is a cloud service hosted in Azure, not on-premises. This configuration violates the requirement for insurance claim file keys to be hosted on-premises.

D. Microsoft-managed keys are created, stored, and managed by Microsoft, not the company. This configuration violates the requirement for cardholder data keys to be company-managed.

1. Customer-Provided Keys (for Answer A): Microsoft Learn. (2023). Provide an encryption key on a request to Blob storage. "When a client application presents an encryption key on the request

Azure Storage performs encryption and decryption transparently... The encryption key is not persisted in Azure Storage." This supports using keys managed entirely outside of Azure

such as on-premises.

2. TDE with Managed HSM (for Answer B): Microsoft Learn. (2024). Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure Synapse. "Customer-managed TDE... provides control over key lifecycle management... Azure Key Vault Managed HSM is a highly available and scalable single-tenant solution for managing cryptographic keys." This confirms it as a company-managed key solution.

3. Managed HSM Location (for why C is incorrect): Microsoft Learn. (2023). What is Azure Key Vault Managed HSM?. "Azure Key Vault Managed HSM is a fully managed

highly available

single-tenant

standards-compliant cloud service..." This clarifies that the service is not hosted on-premises.

4. Microsoft-Managed Keys (for why D is incorrect): Microsoft Learn. (2023). Azure Storage encryption for data at rest. "By default

all data in a storage account is encrypted using Microsoft-managed keys. With Microsoft-managed keys

Microsoft creates and manages the keys that are used to encrypt your data..." This shows the company does not manage these keys.