Google Cloud Professional Cloud Security Engineer Practice Exam





To leverage envelope encryption and encrypt data at the application layer, what is the recommended approach?

  1. Encrypt data using a single key

  2. Generate a data encryption key (DEK) and store it directly

  3. Generate a DEK locally and a key encryption key (KEK) in Cloud KMS

  4. Use Cloud Key Management for all encryption needs

The correct answer is: Generate a DEK locally and a key encryption key (KEK) in Cloud KMS

The recommended approach for envelope encryption at the application layer is to generate a data encryption key (DEK) locally and a key encryption key (KEK) in Cloud Key Management Service (KMS). This two-layer key management strategy provides enhanced security and flexibility: the DEK encrypts the data, and the KEK encrypts (wraps) the DEK.

The DEK is used to encrypt the actual application data, which protects sensitive information while minimizing the performance overhead of encryption operations. By keeping the DEK in memory or in a secure location during its lifecycle, the application can efficiently encrypt and decrypt data as needed.

The KEK, which is the more sensitive, long-term key, is managed and stored in Cloud KMS. This allows for centralized key management, automated key rotation, and policy enforcement, which are crucial for maintaining a secure environment and compliance with best practices. Because the KEK stays in Cloud KMS, it is not directly exposed in the application’s environment.

In contrast, using a single key to encrypt all data does not leverage the benefits of envelope encryption and increases the risk of key loss or exposure. Storing the DEK directly without using a KEK in Cloud