Google Cloud Professional Cloud Security Engineer — Question 242
Your privacy team uses crypto-shredding (deleting encryption keys) as a strategy to delete personally identifiable information (PII). You need to implement this practice on Google Cloud while still utilizing the majority of the platform's services and minimizing operational overhead. What should you do?
Answer options
- A. Use client-side encryption before sending data to Google Cloud, and delete encryption keys on-premises.
- B. Use Cloud External Key Manager to delete specific encryption keys.
- C. Use customer-managed encryption keys to delete specific encryption keys.
- D. Use Google default encryption to delete specific encryption keys.
Correct answer: C
Explanation
The correct answer is C: customer-managed encryption keys give you full control over the keys, including the ability to delete them as needed, which is what crypto-shredding requires. Option A uses client-side encryption, which does not fully utilize Google Cloud services. Option B relies on Cloud External Key Manager, which does not integrate as seamlessly with the overall strategy. Option D is incorrect because Google default encryption does not provide the necessary control for crypto-shredding.