
Answer-first summary for fast verification
Answer: Change the encryption type on the bucket to CMEK, and rewrite the objects.
Option D is the correct answer because it directly addresses the requirement to re-encrypt existing files from GMEK to CMEK efficiently and at minimal cost. Google Cloud Storage allows changing the default encryption key on a bucket to CMEK and then rewriting the objects in place, which re-encrypts them using the new key without downloading or re-uploading data. This avoids egress costs and minimizes time, as confirmed by the community consensus (e.g., upvoted comments referencing official documentation).

Option A is incorrect because re-uploading with a key file doesn't apply to CMEK and incurs unnecessary upload costs.

Option B involves local encryption and upload, which is inefficient and costly due to data transfer.

Option C, while technically possible, incurs egress charges for cross-region copying and is less efficient than in-place rewriting.
Author: LeetQuiz Editorial Team
Your organization has been storing files in Cloud Storage using Google-Managed Encryption Keys (GMEK). Due to a new internal policy, you must now use Customer-Managed Encryption Keys (CMEK). You need to re-encrypt the existing files quickly, efficiently, and at minimal cost.
What should you do?
A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.
B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
C. Copy the files to a new bucket with CMEK enabled in a secondary region.
D. Change the encryption type on the bucket to CMEK, and rewrite the objects.