Google Cloud Professional Cloud Security Engineer — Question 268
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?
Answer options
- A. Use the Cloud Key Management Service to manage the data encryption key (DEK).
- B. Use the Cloud Key Management Service to manage the key encryption key (KEK).
- C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
- D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
Correct answer: B
Explanation
The correct answer is B: the Cloud Key Management Service (KMS) is designed to manage key encryption keys (KEKs), which in turn encrypt the data encryption keys (DEKs). Options A and C incorrectly focus on the DEK, which KMS does not manage directly in the way the question requires. Option D is inappropriate because it proposes customer-supplied keys for KEK management, which is not the optimal approach.