Google Cloud Professional Cloud Security Engineer — Question 262
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
Answer options
- A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Correct answer: B
Explanation
The correct answer is B. With CSEK, the team keeps the key and supplies it to Cloud Storage when the object is uploaded, and option B describes exactly that: uploading the object with the gsutil command-line tool while specifying the location of the encryption key. Option A uploads the key to a bucket, which is not a secure way to handle it. Option C generates the key in GCP, so the key is not customer-supplied. Option D encrypts the object before upload but does not address how the customer-supplied key is used during the upload process.