Your organization runs a mission-critical workload in a highly regulated industry. Sensitive data is uploaded from endpoint computers to Cloud Storage and then processed by Compute Engine VMs. A compliance review has found that the current setup does not meet data protection requirements. You must implement a solution that fulfills the following:

• Manage the Data Encryption Key (DEK) outside of Google Cloud.
• Retain full control of encryption keys using a third-party provider.
• Encrypt the sensitive data before it is uploaded to Cloud Storage.
• Decrypt the data during processing within the Compute Engine VMs.
• Encrypt the data in memory while it is in use on the Compute Engine VMs.

What two actions should you take?