Practice Test 3 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test
You are a Cloud Architect in a medium-sized company. You have been summoned by the General Manager who has asked you to encrypt all data stored in Google Cloud and to put the encryption key in a safe place in the most convenient and cost effective way. You started laughing and you said it’s already being taken care of and you explained how.
Which of these is the correct explanation?
A. Google doesn’t manage data encryption and let the customers use Customer-managed encryption keys (CMEK)
B. Google automatically encrypts the files with a data encryption key (DEK) using SHA-256
C. Google automatically encrypts data with DEK and KEK using RSA-256
D. Google automatically encrypts data with DEK and KEK using KMS and AES256/AES128
Correct Answer: D
Google, by default, encrypts each chunk of data with a data encryption key DEK using AES256/AES128, symmetric cryptography.
DEKs are sent to KMS (the service for Key Management) encrypted with a key-encryption key KEK, and the wrapped DEKs are stored with the data chunks.
KEKs are kept in KMS and are not exportable; so, all encryption and decryption must be done within KMS. KEKs are rotated periodically and automatically.
- A is wrong because in GCP all the storage is encrypted.
- B is wrong because SHA-256 is a hash algorithm, one way, no feasible.
- C is wrong because RSA-256 is asymmetric cryptography, not used for data encryption because it would be too slow.
For any further detail:
Comments are closed, but trackbacks and pingbacks are open.