CompTIA Updated DS0-001 Exam Questions and Answers by mattias

The correct answer is D. Envelope encryption. CompTIA DataSys+ describes envelope encryption as a key management and data protection method that combines the efficiency of symmetric encryption with the security and manageability of hierarchical key structures. In this approach, data is first encrypted using a data encryption key (DEK), and then the DEK itself is encrypted (or “wrapped”) using a key encryption key (KEK), often referred to as a managed root key.

Envelope encryption is widely used in enterprise database systems and cloud platforms because it provides strong security while simplifying key rotation and management. Encrypting large volumes of data directly with a root or master key would be inefficient and risky. Instead, DataSys+ explains that symmetric DEKs are used for fast data encryption, while the root key is used only to protect the DEKs. If a root key must be rotated or compromised, only the wrapped DEKs need to be re-encrypted—not the underlying data.

Option A, asymmetric encryption, uses public and private key pairs but is computationally expensive and not typically used to encrypt large datasets directly. Option B, DEK-based encryption, is incomplete because it describes only the use of data encryption keys and does not account for the additional wrapping layer that defines envelope encryption. Option C, symmetric encryption, correctly describes how data is encrypted but does not include the managed key hierarchy required by the question.

CompTIA DataSys+ emphasizes envelope encryption as a best practice for data-at-rest protection, particularly in environments that require compliance, auditing, and centralized key management. It is commonly implemented using hardware security modules (HSMs) or cloud key management services.

Therefore, the method where data is encrypted with a DEK and then wrapped with a managed root key is envelope encryption, making option D the correct and fully verified answer.

The best option to configure IP addresses to allow access to the database is a firewall. A firewall is a network device or software that controls the incoming and outgoing traffic based on a set of rules or policies. A firewall can be used to filter the traffic by IP addresses, ports, protocols, or other criteria, and allow or deny access to the database accordingly. The other options are either not relevant or not sufficient for this task. For example, a static IP address is an IP address that does not change over time, but it does not determine the access to the database; a dynamic IP address is an IP address that changes periodically, but it does not control the traffic to the database; an IDNS is an Internet Domain Name System, which translates domain names into IP addresses, but it does not regulate the access to the database. References: CompTIA DataSys+ Course Outline, Domain 4.0 Data and Database Security, Objective 4.2 Given a scenario, implement security controls for databases.

The first thing that the database administrator should examine to troubleshoot the issue is the event log. The event log is a file that records the events and activities that occur on a system, such as database backups, errors, warnings, or failures. By examining the event log, the administrator can identify the cause and time of the backup failure, and also check for any other issues or anomalies that may affect the backup process or the backup quality. The other options are either not relevant or not the first priority for this task. For example, CPU usage, disk space, and OS performance may affect the performance or availability of the system, but not necessarily cause the backup failure; moreover, these factors can be checked after reviewing the event log for more information. References: CompTIA DataSys+ Course Outline, Domain 5.0 Business Continuity, Objective 5.2 Given a scenario, implement backup and restoration of database management systems.

The factor that the administrator should measure to analyze a database server’s disk throughput is IOPS. IOPS, or Input/Output Operations Per Second, is a metric that measures the number of read and write operations that a disk can perform in one second. IOPS indicates the performance or speed of a disk and how well it can handle multiple requests or transactions. Higher IOPS means higher disk throughput and lower latency. IOPS can be affected by various factors, such as disk type, size, speed, cache, RAID level, etc. The other options are either not related or not sufficient for this purpose. For example, RPfvl is not a valid acronym or metric; latency is the time delay between a request and a response; reads are the number of read operations performed by a disk. References: CompTIA DataSys+ Course Outline, Domain 3.0 Database Management and Maintenance, Objective 3.2 Given a scenario, monitor database performance.