To ensure the highest level of security for sensitive data stored in Cloud Storage using the 'Trust No One' (TNO) approach, which steps should you follow to prevent cloud provider staff from decrypting your data?

Real Exam

Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in Cloud Memorystore as permanent storage of the secret.

0.0%

Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key. Use gsutil cp to upload each encrypted file to the Cloud Storage bucket. Manually destroy the key previously used for encryption, and rotate the key once.

0.0%

Specify customer-supplied encryption key (CSEK) in the .boto configuration file. Use gsutil cp to upload each archival file to the Cloud Storage bucket. Save the CSEK in a different project that only the security team can access.

42.9%

Use gcloud kms keys create to create a symmetric key. Then use gcloud kms encrypt to encrypt each archival file with the key and unique additional authenticated data (AAD). Use gsutil cp to upload each encrypted file to the Cloud Storage bucket, and keep the AAD outside of Google Cloud.

57.1%

Google Professional Data Engineer

Get started today

Comments

To ensure the highest level of security for sensitive data stored in Cloud Storage using the 'Trust No One' (TNO) approach, which steps should you follow to prevent cloud provider staff from decrypting your data?