Google Cloud Professional Data Engineer — Question 171
You want to encrypt the customer data stored in BigQuery. You need to implement per-user crypto-deletion on data stored in your tables. You want to adopt native features in Google Cloud to avoid custom solutions. What should you do?
Answer options
- A. Implement Authenticated Encryption with Associated Data (AEAD) BigQuery functions while storing your data in BigQuery.
- B. Create a customer-managed encryption key (CMEK) in Cloud KMS. Associate the key to the table while creating the table.
- C. Create a customer-managed encryption key (CMEK) in Cloud KMS. Use the key to encrypt data before storing in BigQuery.
- D. Encrypt your data during ingestion by using a cryptographic library supported by your ETL pipeline.
Correct answer: A
Explanation
The correct answer is A. BigQuery's Authenticated Encryption with Associated Data (AEAD) functions encrypt data natively inside BigQuery, and because each user's data can be encrypted with that user's own keyset, deleting the keyset makes that user's data undecipherable, which is per-user crypto-deletion. Options B and C rely on a customer-managed key, which does not provide the same level of integrated functionality for per-user deletion: in B the key is associated with the whole table rather than with an individual user. Option D relies on external cryptography rather than BigQuery's built-in capabilities.