Symmetric Encryption Keys for Cloud Dataproc: Create, Rotate, and Destroy

Manage Symmetric Encryption Keys for Cloud Dataproc

Question

Your company is using Cloud Dataproc for its Spark and Hadoop jobs.

You want to be able to create, rotate, and destroy the symmetric encryption keys used for the persistent disks that Cloud Dataproc uses.

Keys can be stored in the cloud.

What should you do?

Answers

Explanations

A.

To manage the symmetric encryption keys for the persistent disks that Cloud Dataproc uses, you can use Cloud Key Management Service (Cloud KMS). It lets you create, rotate, and destroy keys as needed.

Cloud KMS works with two types of keys: key encryption keys (KEKs) and data encryption keys (DEKs).

KEKs are used to encrypt and decrypt DEKs, which are then used to encrypt and decrypt data.
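The KEK/DEK relationship above, with the create, rotate, and destroy operations the question asks about, as an added illustration that is not part of the original page or of Cloud KMS itself. It assumes a hypothetical in-memory stand-in for a KMS key (a map of KEK versions) because real Cloud KMS never exports KEK material; the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Hypothetical local stand-in for one Cloud KMS key: KEK versions by number. Real Cloud KMS
// never exports KEK material; this only models how a KEK protects DEKs.
var kekVersions = map[int][]byte{}
var primaryKEK int

// RotateKEK adds a fresh KEK version and makes it primary, as a KMS rotation does.
func RotateKEK() int {
	primaryKEK++
	kekVersions[primaryKEK] = make([]byte, 32)
	rand.Read(kekVersions[primaryKEK])
	return primaryKEK
}

// DestroyKEK discards a version's key material; DEKs still wrapped under it are lost.
func DestroyKEK(version int) { delete(kekVersions, version) }

// Seal/Open: AES-256-GCM, random nonce prefixed; used for data under a DEK and a DEK under a KEK.
func Seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error path
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func Open(key, ct []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// WrapDEK seals a DEK under the primary KEK and records which version was used, as disk
// metadata would; UnwrapDEK fails once that KEK version has been destroyed.
func WrapDEK(dek []byte) (int, []byte) { return primaryKEK, Seal(kekVersions[primaryKEK], dek) }
func UnwrapDEK(version int, blob []byte) ([]byte, error) {
	kek, ok := kekVersions[version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d destroyed; DEK unrecoverable", version)
	}
	return Open(kek, blob)
}
```

Rotating the KEK re-wraps the DEK without re-encrypting the disk data; destroying a KEK version makes every DEK still wrapped under it, and therefore the data, unrecoverable.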

Option A suggests using Cloud KMS to manage the DEKs directly. This is the correct approach, because DEKs are the keys that encrypt and decrypt the data on the persistent disks used by Cloud Dataproc.

Option B suggests using Cloud KMS to manage KEKs. This approach is not correct, because KEKs encrypt and decrypt DEKs, not data. Managing KEKs would not provide a direct solution for managing the symmetric encryption keys used for the persistent disks.

Option C suggests using customer-supplied encryption keys (CSEKs) to manage the DEKs directly. This approach is possible, but it requires you to manage the keys yourself and to ensure that they are rotated and destroyed securely. It also requires additional setup steps, which add complexity to the deployment.

Option D suggests using CSEKs to manage KEKs. This approach is not correct for the same reason as option B: KEKs encrypt and decrypt DEKs, not data, so managing KEKs would not provide a direct solution for managing the symmetric encryption keys used for the persistent disks.

Therefore, the correct answer is A: Use the Cloud Key Management Service to manage the data encryption key (DEK).