
Answer-first summary for fast verification
Answer: Use customer-managed encryption keys to delete specific encryption keys.
The question requires implementing crypto-shredding (deleting encryption keys to render PII unreadable) while maximizing use of Google Cloud native services and minimizing operational overhead. Option C (customer-managed encryption keys) is the correct choice because CMEK lets an organization manage its own encryption keys within Google Cloud Key Management Service, so that destroying a specific key version permanently renders the data encrypted with it unreadable. This approach relies on native Google Cloud services and needs no external key management infrastructure, which keeps operational overhead low.
Option A (client-side encryption) would require managing keys on-premises, increasing operational complexity. Option B (Cloud External Key Manager) involves external key management, which adds operational overhead. Option D (Google default encryption) does not allow customers to delete specific encryption keys, because Google manages the keys.
Author: LeetQuiz Editorial Team
You need to implement crypto-shredding to delete PII on Google Cloud while maximizing the use of native platform services and minimizing operational overhead. What is your recommended approach?
A. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
B. Use Cloud External Key Manager to delete specific encryption keys.
C. Use customer-managed encryption keys to delete specific encryption keys.
D. Use Google default encryption to delete specific encryption keys.