
Answer-first summary for fast verification
Answer: Generate the encryption key in your on-premises HSM, link it to a Cloud External Key Manager (Cloud EKM) key, and use this Cloud KMS key when creating BigQuery resources.
The correct approach is to generate the encryption key in your on-premises HSM, link it to a Cloud External Key Manager (Cloud EKM) key, and then associate this Cloud KMS key with your BigQuery resources. This meets the requirement of using Google's managed solutions while keeping the encryption material on your on-premises HSM. Option A is incorrect because importing the key into Cloud KMS places the key material in Google Cloud, so it is no longer stored exclusively on the on-premises HSM. Option C is incorrect because it imports the key into Cloud HSM, which is not what the requirement asks for. Option D is incorrect because it does not use any Google-managed key management service, so it misses the requirement to rely on Google's solutions.
Author: LeetQuiz Editorial Team
As part of the data governance team, you're implementing security measures that require encrypting all BigQuery data with a key managed by your team. The encryption material must be generated and stored exclusively on your on-premises hardware security module (HSM), yet you prefer using Google's managed solutions. How can you set up this encryption in BigQuery while adhering to these requirements?
A. Generate the encryption key in your on-premises HSM, import it into a Cloud Key Management Service (Cloud KMS) key, and use this Cloud KMS key when creating BigQuery resources.
B. Generate the encryption key in your on-premises HSM, link it to a Cloud External Key Manager (Cloud EKM) key, and use this Cloud KMS key when creating BigQuery resources.
C. Generate the encryption key in your on-premises HSM, import it into a Cloud HSM key, and use this Cloud HSM key when creating BigQuery resources.
D. Generate the encryption key in your on-premises HSM, then create and encrypt BigQuery resources during data ingestion.