Google Cloud Professional Cloud Security Engineer — Question 35
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
Answer options
- A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
- B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
- C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
- D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
Correct answer: A
Explanation
The correct answer is A because it is the envelope encryption pattern Google recommends for application-layer encryption: generate a data encryption key (DEK) locally (for example a random 256-bit AES key), encrypt the data with it, then call Cloud KMS to encrypt (wrap) the DEK with a key encryption key (KEK) that is generated and held in Cloud KMS. What you store is the ciphertext together with the wrapped DEK. The KEK never leaves Cloud KMS; it is only ever used through the KMS Encrypt and Decrypt operations, so to read the data back you send the wrapped DEK to KMS, receive the plaintext DEK, and decrypt locally. Encrypting the bulk data locally also sidesteps the Cloud KMS Encrypt limit of 64 KiB of plaintext per call.
Options B and D store the KEK next to the data. Key material for a KMS-resident key is not exportable, and even if it were, keeping the KEK beside the data would defeat the purpose, since anyone with the stored key could unwrap every DEK. Options C and D invert the roles: the DEK is meant to be generated locally so that the data never passes through KMS, and a locally generated KEK would move the root of trust out of the managed key service, losing KMS's access control, audit logging, and rotation.
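The flow in answer A, written out as an added example (this code is not from the exam page or from Google's client library). Cloud KMS is replaced by a local AES-GCM stand-in, `localKEK`, so the example runs offline; in production the `KEKWrapper` interface would be backed by the Cloud KMS Encrypt and Decrypt calls on a CryptoKey, and the names `Envelope`, `KEKWrapper`, `localKEK`, `seal` and `open` are choices made here, not Google API names. The record persisted is the ciphertext plus the wrapped DEK; the KEK is never written out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored: the encrypted data plus the wrapped DEK; the KEK stays in Cloud KMS.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK (nonce || ciphertext)
	Ciphertext []byte // data encrypted under the DEK (nonce || ciphertext)
	AAD        []byte // additional authenticated data bound to the ciphertext
}

// KEKWrapper is all envelope encryption needs from the KMS; against Cloud KMS these are the Encrypt/Decrypt RPCs.
type KEKWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// localKEK is an offline stand-in for Cloud KMS (assumption: not the Google client); its key is unexported, like a non-exportable KMS KEK.
type localKEK struct{ key []byte }

func newLocalKEK() (*localKEK, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return &localKEK{key: key}, err
}

func (k *localKEK) Wrap(dek []byte) ([]byte, error) { return seal(k.key, dek, nil) }
func (k *localKEK) Unwrap(w []byte) ([]byte, error) { return open(k.key, w, nil) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering fails GCM authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt is the recommended flow: fresh DEK generated locally, data encrypted under it, DEK wrapped by the KEK, both ciphertexts returned for storage.
func Encrypt(kek KEKWrapper, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	for i := range dek { // best-effort scrub: the plaintext DEK is never persisted
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct, AAD: aad}, nil
}

// Decrypt reverses the flow: unwrap the DEK through the KMS, then decrypt the data.
func Decrypt(kek KEKWrapper, env *Envelope) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, env.AAD)
}

func main() {
	kek, _ := newLocalKEK() // demo only; errors from rand.Read are not expected
	env, _ := Encrypt(kek, []byte("account balance: 1200"), []byte("record:42"))
	pt, err := Decrypt(kek, env)
	fmt.Printf("recovered %q (err=%v); wrapped DEK is %d bytes\n", pt, err, len(env.WrappedDEK))
}
```

Two details worth noting: every `Encrypt` call draws a new DEK, so a leaked DEK exposes one object rather than the whole dataset, and the AAD binds the ciphertext to its record so a wrapped DEK and ciphertext cannot be silently swapped between rows. Swapping `localKEK` for a real KMS client changes only `Wrap` and `Unwrap`; the stored `Envelope` layout stays the same.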