A financial services company is looking to utilize BigQuery for their data warehousing and analytics needs. They have a requirement to store and manage encryption keys in a key management system that is deployed outside of a public cloud. The goal is to minimize the management overhead of key management while staying compliant. What would be your recommendation?