Google Cloud Professional Cloud Security Engineer Practice Exam



How can a team manage customer-supplied encryption keys (CSEK) for Cloud Storage?

  1. Use the gsutil command line tool to upload the object and specify the encryption key location

  2. Store keys in Cloud SQL securely

  3. Use IAM to manage access to the keys

  4. Encrypt data at rest using predefined templates

The correct answer is: Use the gsutil command line tool to upload the object and specify the encryption key location

Managing customer-supplied encryption keys (CSEK) for Cloud Storage means interfacing securely with the storage service while keeping the encryption keys confidential and ensuring they are applied correctly when data is stored. Using the gsutil command line tool to upload objects while specifying the encryption key location is a direct and effective way to implement CSEK. This method lets users specify a CSEK when uploading data, so the object is encrypted with the key supplied by the customer. The tool handles the integration of the key with the upload process, so the data at rest is protected by the encryption key the customer specified.

This approach ensures compliance with customer data management policies and enhances security by placing control over encryption in the hands of the customer. It responds directly to the requirement to work with CSEK, which necessitates specifying the key during the data upload process.

The other options, while they may offer some relevant security features, do not address the requirements for managing CSEK in Cloud Storage as directly or effectively as the command line tool does. For example, storing keys in Cloud SQL does not facilitate direct integration with the object storage service. Likewise, using IAM for access management relates more to permissions for accessing resources than to specifically handling