Google Cloud Professional Cloud Architect — Question 154
You are designing a data warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate the encryption keys outside of Google Cloud. You need to implement a solution. What should you do?
Answer options
- A. Generate a new key in Cloud Key Management Service (Cloud KMS). Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset.
- B. Generate a new key in Cloud KMS. Create a dataset in BigQuery using the customer-managed key option and select the created key.
- C. Import a key in Cloud KMS. Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset.
- D. Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-supplied key option and select the created key.
Correct answer: D
Explanation
The correct answer is D: it imports an encryption key into Cloud KMS and uses the customer-supplied key option for the BigQuery dataset, which satisfies the requirement to generate keys outside of Google Cloud. Options A and C route the data through Cloud Storage and a Dataflow decryption pipeline, which is unnecessary when working directly with BigQuery. Option B generates the key in Cloud KMS, so it does not address the need to import an external key.