
Answer-first summary for fast verification
Answer: Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
Option A is correct because it follows Google's envelope encryption best practices: generate the DEK locally to encrypt the data, use a KEK held in Cloud KMS to encrypt (wrap) the DEK, and store the encrypted data together with the encrypted DEK. The KEK never leaves Cloud KMS, which keeps key management centralized and secure. This approach minimizes exposure of sensitive keys and relies on Cloud KMS for secure KEK storage and operations. Option B is incorrect because storing the KEK violates the principle that KEKs should remain in Cloud KMS. Options C and D are incorrect because they generate the DEK in Cloud KMS and the KEK locally, which contradicts the recommended practice of generating DEKs locally for performance and security and managing KEKs centrally in Cloud KMS.
Author: LeetQuiz Editorial Team
You need to implement envelope encryption for application-level data encryption following Google's recommended practices. What is the required approach?
A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.