Practice Test 1 | Google Cloud Certified Professional Data Engineer | Dumps | Mock Test

Question 50

You are writing highly-confidential data related to customers’ personally identifiable information (PII). The security team is concerned about how secure the network connection between the instances and Google Storage buckets. Security team proposes to use encryption keys generated by security team.

Those keys will be rotated every 30 days for more security.

As a data engineer, what should you do to satisfy security team’s requirement?

A. Upload encryption key provided by security team to Cloud Key Management Service (KMS) and use the key to encrypt data when writing to Google Storage.
B. Create symmetric keys using Cloud Key Management Service (KMS) and use those to encrypt data when writing to Google Storage. Create new keys every 30 days.
C. Create asymmetric keys using Cloud Key Management Service (KMS) and use those to encrypt data when writing to Google Storage. Create new keys every 30 days.
D. Supply the encryption key provided by security team and reference it as part of the API service calls to encrypt data in Cloud Storage.

Answer

Answer: D.

Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google- generated keys used to encrypt and decrypt your data.

When you use Customer-Supplied Encryption Keys in Cloud Storage, you provide a raw CSEK as part of an API call. This key is transmitted from the Google front end to the storage system’s memory. This key is used as the key encryption key in Google Cloud Storage for your data.

The raw CSEK is used to unwrap wrapped chunk keys, to create raw chunk keys in memory. These are used to decrypt data chunks stored in the storage systems. These keys are used as the data encryption keys (DEK) in Google Cloud Storage for your data.