
Answer-first summary for fast verification
Answer: Create the encryption key in the on-premises HSM and link it to a Cloud External Key Manager (Cloud EKM) key. Associate the created Cloud EKM key while creating the BigQuery resources.
The correct answer is B. Cloud External Key Manager (Cloud EKM) allows you to use encryption keys managed in external key management systems, including on-premises HSMs, while using Google Cloud services. This means that the key material remains in your control and environment, and Google Cloud services use it via the Cloud EKM integration. This approach aligns with the requirement to generate and store encryption material only on your on-premises HSM.
Author: LeetQuiz Editorial Team
As a member of the data governance team, you are responsible for enforcing security requirements. Your current task involves encrypting all data stored in BigQuery, using an encryption key that your team manages. You are required to create a mechanism for generating and storing encryption material exclusively within your on-premises hardware security module (HSM). While achieving this, you also want to utilize Google-managed solutions. How should you proceed to meet these requirements?
A. Create the encryption key in the on-premises HSM, and import it into a Cloud Key Management Service (Cloud KMS) key. Associate the created Cloud KMS key while creating the BigQuery resources.
B. Create the encryption key in the on-premises HSM and link it to a Cloud External Key Manager (Cloud EKM) key. Associate the created Cloud EKM key while creating the BigQuery resources.
C. Create the encryption key in the on-premises HSM, and import it into a Cloud Key Management Service (Cloud HSM) key. Associate the created Cloud HSM key while creating the BigQuery resources.
D. Create the encryption key in the on-premises HSM. Create BigQuery resources and encrypt data while ingesting them into BigQuery.