Google Cloud Professional Data Engineer — Question 190
You are on the data governance team and are implementing security requirements. You need to encrypt all your data in BigQuery by using an encryption key managed by your team. You must implement a mechanism to generate and store encryption material only on your on-premises hardware security module (HSM). You want to rely on Google managed solutions. What should you do?
Answer options
- A. Create the encryption key in the on-premises HSM, and import it into a Cloud Key Management Service (Cloud KMS) key. Associate the created Cloud KMS key while creating the BigQuery resources.
- B. Create the encryption key in the on-premises HSM and link it to a Cloud External Key Manager (Cloud EKM) key. Associate the created Cloud KMS key while creating the BigQuery resources.
- C. Create the encryption key in the on-premises HSM, and import it into Cloud Key Management Service (Cloud HSM) key. Associate the created Cloud HSM key while creating the BigQuery resources.
- D. Create the encryption key in the on-premises HSM. Create BigQuery resources and encrypt data while ingesting them into BigQuery.
Correct answer: B
Explanation
The correct answer is B: the encryption key is created in your on-premises HSM and linked to a Cloud External Key Manager (Cloud EKM) key, so the key material is generated and stored only on the HSM while you still rely on Google-managed solutions. Answer A is incorrect because it uses Cloud KMS instead of Cloud EKM; importing the key places a copy of the key material in Cloud KMS. Answer C is incorrect because it refers to Cloud HSM, which is not appropriate for external key management. Answer D is incorrect because it does not use the Google-managed solutions required for this scenario.