Google Cloud Professional Cloud Security Engineer — Question 243

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

Answer options

• A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
• B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
• C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
• D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Correct answer: C

Explanation

The correct answer is C because using customer-supplied encryption keys allows you to manage the data encryption key (DEK) directly, ensuring that the sensitive data is encrypted with a key generated on-premises. Options A and B involve using Cloud Key Management Service, which does not meet the requirement of using an on-premises generated key. Option D incorrectly suggests managing a key encryption key (KEK) instead of the data encryption key (DEK).