Google Cloud Professional Cloud Security Engineer — Question 110

Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

What should you do?

Answer options

• A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.
• B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
• C. Copy the files to a new bucket with CMEK enabled in a secondary region.
• D. Change the encryption type on the bucket to CMEK, and rewrite the objects.

Correct answer: D

Explanation

The correct answer is D because changing the encryption type on the existing bucket to CMEK allows for the re-encryption of objects without the need for additional uploads or creating new buckets. Options A and B involve unnecessary steps of reuploading files, which can be more time-consuming and costly, while option C requires copying to a new bucket, which also adds complexity.