Practice Test 3 | Google Cloud Certified Professional Data Engineer | Dumps | Mock Test

Question 45

The security team in your company asked to apply the following rules:

Data on-premise and on the cloud should be encrypted at all times.
Encryption is done using 256-bit AES keys provided by the security team.
Keys should be rotated every 72 days.

You use Google Storage to store raw and transformed data. As of the rules above, data should be encrypted when written to Google Storage. As a data engineer, what would you do to satisfy the security team’s requirement?

A. Supply the encryption key provided by the security team and reference it as part of the API service calls to encrypt data in Cloud Storage.
B. Upload encryption key provided by the security team to Cloud Key Management Service (KMS) and use the key to encrypt data while writing to Google Storage.
C. Create symmetric keys using Cloud Key Management Service (KMS) and use them to encrypt data while writing to Google Storage. Create new keys every 72 days.
D. Create asymmetric keys using Cloud Key Management Service (KMS) and use them to encrypt data while writing to Google Storage. Create new keys every 72 days.

Answer

Correct Answer: A
Customer-Supplied Encryption Keys (CSEK) is a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.

When you use Customer-Supplied Encryption Keys in Cloud Storage, you provide a raw CSEK as part of an API call. This key is transmitted from the Google front end to the storage system’s memory. This key is used as the key encryption key in Google Cloud Storage for your data.

The raw CSEK is used to unwrap wrapped chunk keys, to create raw chunk keys in memory. These are used to decrypt data chunks stored in the storage systems. These keys are used as the data encryption keys (DEK) in Google Cloud Storage for your data.