Google Cloud Professional Cloud Security Engineer — Question 269
You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting. Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)
Answer options
- A. Customer-supplied encryption keys
- B. Google default encryption
- C. Secret Manager
- D. Cloud External Key Manager
- E. Customer-managed encryption keys
Correct answer: A, D
Explanation
The correct answers, Customer-supplied encryption keys and Cloud External Key Manager, allow the client to maintain control over their encryption keys outside the cloud service provider, addressing their concerns. Google default encryption and Secret Manager do not provide the desired separation of key storage, while Customer-managed encryption keys still involve storing keys within the cloud environment.