Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



What should be done to use a key generated on-premises for data encryption in Cloud Storage?

  1. Use customer-managed encryption keys

  2. Use customer-supplied encryption keys to manage DEK

  3. Use default GCP encryption methods

  4. Store the key in Google Secret Manager

The correct answer is: Use customer-supplied encryption keys to manage DEK

Using customer-supplied encryption keys (CSEK) allows you to bring your own encryption key for use in Google Cloud Storage. This means that you have complete control over the encryption keys used to secure your data. When you supply your own key, you handle the key management directly, thereby ensuring that access is limited to authorized users and systems according to your organization's policies.

When uploading data to Cloud Storage using CSEK, you provide the encryption key along with the data. Google Cloud will then encrypt the data with this key, while you maintain ownership and control over the key itself. This approach is particularly useful for organizations that have specific compliance requirements that mandate they manage encryption keys independently from cloud service providers.

While customer-managed encryption keys (CMEK) are another option that allows you to use Google Cloud’s Key Management Service to manage keys, this does not encompass the on-premises generated keys. The use of default GCP encryption methods relies solely on Google’s key management, which would not meet the requirement of utilizing an on-premises key. Storing the key in Google Secret Manager offers a secure way to manage and access secrets, but it does not directly enable the use of an on-premises key for data encryption in Cloud Storage in