
Answer-first summary for fast verification
Answer: Use the Cloud Key Management Service to manage the key encryption key (KEK).
The correct answer is B because Cloud Dataproc uses envelope encryption by default, where Google manages the Data Encryption Key (DEK) that directly encrypts the data, and the Key Encryption Key (KEK) is managed by the customer via Cloud Key Management Service (KMS). This aligns with the requirement to create, rotate, and destroy symmetric encryption keys stored in the cloud. Option A is incorrect because Google controls the DEK, not the customer. Options C and D are unsuitable as customer-supplied encryption keys (CSEK) require the customer to manage the keys entirely, which is more complex and doesn't leverage Cloud KMS for key lifecycle management, contradicting the scenario's need for cloud-stored keys and ease of management. The community discussion, with 73% selecting B and high upvotes on comments citing official documentation, supports this reasoning.
Author: LeetQuiz Editorial Team
Your company uses Cloud Dataproc for Spark and Hadoop jobs. You need to create, rotate, and destroy symmetric encryption keys for the persistent disks used by Cloud Dataproc. The keys must be storable in the cloud.
What should you do?
A. Use the Cloud Key Management Service to manage the data encryption key (DEK).
B. Use the Cloud Key Management Service to manage the key encryption key (KEK).
C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
D. Use customer-supplied encryption keys to manage the key encryption key (KEK).