
Answer-first summary for fast verification
Answer: Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in a different project that only the security team can access.
The correct answer is D. Options A and B rely on Cloud KMS, where the key material is generated and held by Google; provider staff and systems could in principle use it to decrypt the archive, which is exactly what a Trust No One (TNO) design rules out. Keeping the AAD outside Google Cloud (A) does not change this: AAD is authenticated, not secret, and it is not the key. Destroying the key (B) makes the archive permanently undecryptable for you as well, and rotating a key you have already destroyed accomplishes nothing. Option C is wrong because Memorystore is an in-memory cache, not durable storage with the access controls a long-lived secret needs. Option D uses a customer-supplied encryption key (CSEK): Cloud Storage receives the key with each request, uses it only in memory to encrypt or decrypt, and keeps nothing but a SHA-256 hash of the key in the object metadata, so the provider cannot decrypt the data on its own. Storing the key in a separate project that only the security team can access keeps control of the key with you; note that if that key is lost, the archived data is unrecoverable.
Author: LeetQuiz Editorial Team
You are looking to archive data in Cloud Storage while ensuring maximum security due to the sensitivity of some of the data. To achieve this, you aim to implement the Trust No One (TNO) encryption strategy, which ensures that even the cloud provider staff cannot decrypt your data. What steps should you take to accomplish this?
A
Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key and unique additional authenticated data (AAD). Use gsutil cp to upload each encrypted file to the Cloud Storage bucket, and keep the AAD outside of Google Cloud.
B
Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key. Use gsutil cp to upload each encrypted file to the Cloud Storage bucket. Manually destroy the key previously used for encryption, and rotate the key once.
C
Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in Cloud Memorystore as permanent storage of the secret.
D
Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in a different project that only the security team can access.
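As an added example (not part of the original quiz page or of Google's own documentation), the script below carries out the client side of the option D procedure: it generates a 256-bit CSEK, writes it into a private .boto file that gsutil will read, and computes the SHA-256 check value that Cloud Storage records for CSEK-encrypted objects (the customerEncryption.keySha256 metadata field), which is how the security team can later confirm which key an object was written with. The bucket name, the archive file name and the upload helper are placeholders I chose for illustration; openssl is assumed to be installed, and gsutil is needed only by the upload helper.

```shell
#!/bin/sh
# Added example, not from the quiz page: prepare a customer-supplied encryption
# key (CSEK) for gsutil and compute the check value Cloud Storage reports for it.
# Assumptions: openssl is installed; "archive-bucket" and the file names are
# placeholders; gsutil is required only by upload_archive.
set -eu

# Generate a fresh 256-bit AES key, base64-encoded (the form .boto expects).
generate_csek() {
    openssl rand -base64 32
}

# Number of raw bytes in a base64-encoded key; a valid CSEK has exactly 32.
csek_length() {
    printf '%s\n' "$1" | openssl base64 -d | wc -c | tr -d ' '
}

# Cloud Storage never persists the CSEK itself; object metadata carries only
# the SHA-256 of the raw key bytes. Computing it locally lets you check later
# which key protects an object. Hex form first, for human comparison.
csek_sha256_hex() {
    [ "$(csek_length "$1")" -eq 32 ] || return 1
    printf '%s\n' "$1" | openssl base64 -d | openssl dgst -sha256 -binary \
        | od -An -v -tx1 | tr -d ' \n'
}

# Same digest, base64-encoded: this is the exact string that appears in the
# object's customerEncryption.keySha256 field.
csek_sha256_b64() {
    [ "$(csek_length "$1")" -eq 32 ] || return 1
    printf '%s\n' "$1" | openssl base64 -d | openssl dgst -sha256 -binary \
        | openssl base64
}

# Write a minimal .boto that makes gsutil apply the key to every upload.
# gsutil reads encryption_key from the [GSUtil] section. The file is created
# owner-read/write only, since it holds the key in the clear.
write_boto() {
    key_b64=$1
    path=$2
    ( umask 077; printf '[GSUtil]\nencryption_key = %s\n' "$key_b64" > "$path" )
}

# Upload archival files with that .boto; gsutil honours BOTO_CONFIG. The key
# travels with the request over TLS and is used in memory for that request only.
# Placeholder helper: run it yourself once gsutil is authenticated.
upload_archive() {
    boto=$1
    bucket=$2
    shift 2
    BOTO_CONFIG="$boto" gsutil cp "$@" "gs://${bucket}/"
}

# Offline demo: create a key, write it to a private .boto, and print the hash
# to record next to the key in the security team's project. The key itself is
# deliberately not printed.
key=$(generate_csek)
boto_path=$(mktemp)
write_boto "$key" "$boto_path"
echo "CSEK SHA-256 (compare with customerEncryption.keySha256): $(csek_sha256_b64 "$key")"
echo "upload with: upload_archive $boto_path archive-bucket ./archive-2024-01.tar.gz"
```

After an upload, the same base64 digest can be compared with the key hash Cloud Storage reports for the object; if it does not match, the object was written with a different key than the one the security team holds. The .boto file should live only on the machine doing the upload and be deleted afterwards, and the key itself goes into the separate, security-team-only project that option D describes.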