A client requires encryption for sensitive data but does not want their encryption keys stored at rest in the same cloud provider as the data. Which two Google Cloud encryption solutions should you recommend?