Answer-first summary for fast verification
Answer: Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
The question requires full control of encryption keys with keys generated and stored outside of Google Cloud, while integrating with Google services like BigQuery. Option C (Cloud External Key Management) is optimal because it allows using keys stored in external HSMs from supported vendors, giving organizations complete control over key generation and storage outside Google's infrastructure while maintaining integration with Google Cloud services. Option A (CSEK with raw keys in API calls) is insecure as it exposes raw keys. Option B (KMS with Google-managed HSM) does not meet the external storage requirement. Option D (KMS with imported key material) still stores keys in Google's infrastructure, not externally.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
Your organization requires full control over encryption keys for data at rest in Google Cloud. The keys must be generated and stored externally and integrate with multiple Google services, including BigQuery.
What should you do?
A
Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
B
Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
C
Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
D
Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.
No comments yet.