Answer-first summary for fast verification
Answer: Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
The correct answer is B because it aligns with Google Cloud's documentation for using Customer-Supplied Encryption Keys (CSEK) with Cloud Storage. CSEK requires specifying the encryption key during the upload process using command-line tools like gsutil or gcloud storage, as the Google Cloud Console does not support CSEK for uploads. Option A is incorrect because uploading the encryption key to Cloud Storage violates security best practices by exposing the key. Option C is incorrect as it implies generating the key in the GCP Console, which contradicts the requirement for customer-managed keys. Option D is partially correct in suggesting encryption before upload but is flawed because it includes using the Console, which is not supported for CSEK. The community discussion, with 64% favoring B and references to official documentation, supports this reasoning.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A customer's internal security team needs to manage their own encryption keys for data in Cloud Storage using customer-supplied encryption keys (CSEK). How should they accomplish this?
A
Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
B
Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
C
Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
D
Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.