
Answer-first summary for fast verification
Answer: Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key and unique additional authenticated data (AAD). Use gsutil cp to upload each encrypted file to the Cloud Storage bucket, and keep the AAD outside of Google Cloud.
Under the 'Trust No One' principle, the most secure way to prevent cloud provider staff from decrypting your data is to use Google Cloud KMS to create and manage your encryption keys, so that you retain control over the key material. By encrypting each file with unique AAD and keeping that AAD outside of Google Cloud, you ensure that even if an attacker obtains the encryption key, they cannot decrypt the data without the corresponding AAD. This method adheres strictly to the 'Trust No One' principle by preventing the cloud provider from accessing both your encryption keys and the AAD. The other options, such as manually destroying and rotating keys or storing the CSEK within the Google Cloud environment, do not fully comply with the 'Trust No One' principle: they either do not address the principle directly or still involve storing the key within Google Cloud.
Author: LeetQuiz Editorial Team
To ensure the highest level of security for sensitive data stored in Cloud Storage using the 'Trust No One' (TNO) approach, which steps should you follow to prevent cloud provider staff from decrypting your data?
A
Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in Cloud Memorystore as permanent storage of the secret.
B
Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key. Use gsutil cp to upload each encrypted file to the Cloud Storage bucket. Manually destroy the key previously used for encryption, and rotate the key once.
C
Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in a different project that only the security team can access.
D
Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key and unique additional authenticated data (AAD). Use gsutil cp to upload each encrypted file to the Cloud Storage bucket, and keep the AAD outside of Google Cloud.