Google Cloud Professional Cloud Security Engineer — Question 154

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

Answer options

• A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
• B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
• C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
• D. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Correct answer: C

Explanation

The correct answer is C because Cloud External Key Management (EKM) allows you to manage your encryption keys externally while integrating seamlessly with Google Cloud services. Option A does not provide the required integration with multiple services, option B relies on Google-managed keys which contradicts the need for external control, and option D involves importing keys instead of managing them externally.