
Answer-first summary for fast verification
Answer: Customer-managed encryption keys
The question requires selecting an encryption key management option that supports all listed Google Cloud services (Compute Engine, GKE, Cloud Storage, BigQuery, and Pub/Sub) while complying with GDPR requirements for data protection by design. Customer-managed encryption keys (CMEK) is the optimal choice because it allows customers to create and manage their own encryption keys in Google Cloud KMS, with broad support across all the specified services as confirmed by Google's documentation. While Cloud External Key Manager (EKM) also supports these services and offers enhanced control through features like Key Access Justifications, CMEK is more straightforward, cost-effective, and widely adopted for GDPR compliance without requiring external key management infrastructure. Customer-supplied encryption keys (CSEK) is less suitable as it only supports Cloud Storage and Compute Engine, not all services. Google default encryption does not meet the requirement to manage the keys. The community discussion shows a consensus for B (59% votes), with references to Google's CMEK integration documentation validating its compatibility.
Author: LeetQuiz Editorial Team
You are implementing data protection by design in compliance with GDPR. During design reviews, you are required to manage the encryption key for a solution that uses Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub workloads. Which option should you select for this implementation?
A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption