A healthcare company requires that all data stored in Cloud Storage must be encrypted using cryptographic keys that the company generates, stores, and manages entirely on their own on-premises Hardware Security Modules (HSMs). Google must not have access to the key material. Which encryption strategy must be used?

Answer options:

Google-Managed Encryption Keys (GMEK)

Customer-Managed Encryption Keys (CMEK) via Cloud KMS

Customer-Supplied Encryption Keys (CSEK)

Cloud External Key Manager (EKM)

How to approach this question

Differentiate between CMEK (keys in KMS) and CSEK (keys provided in the API call and not stored by Google).

Full Answer

C.Customer-Supplied Encryption Keys (CSEK)✓ Correct

Customer-Supplied Encryption Keys (CSEK) allow you to provide your own raw encryption key. Cloud Storage uses your key to encrypt the data and then purges the key from its servers. You must provide the exact same key to read the data later.

Common mistakes

Confusing CMEK (Customer-Managed) with CSEK (Customer-Supplied). CMEK uses Cloud KMS; CSEK does not.

Question 26 All questions Question 28

Practice the full GCP Professional Cloud Architect Practice Exam 6

50 questions · hints · full answers · grading

More questions from this exam

Q01CASE STUDY: TechStream Gaming Overview: Industry: Gaming Size: 500 employees, $100M revenue Env...Medium Q02CASE STUDY: TechStream Gaming Overview: Industry: Gaming Size: 500 employees, $100M revenue Env...Medium Q03CASE STUDY: TechStream Gaming Overview: Industry: Gaming Size: 500 employees, $100M revenue Env...Hard Q04CASE STUDY: TechStream Gaming Overview: Industry: Gaming Size: 500 employees, $100M revenue Env...Medium Q05CASE STUDY: TechStream Gaming Overview: Industry: Gaming Size: 500 employees, $100M revenue Env...Easy

View all 50 questions →