A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs).
The jobs are bursty and must be completed quickly.
They have a requirement to be able to manage and rotate the encryption keys.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
A. Customer-supplied encryption keys (CSEK)
B. Customer-managed encryption keys (CMEK) using Cloud KMS
C. Encryption by default
D. Pre-encrypt files before transferring them to GCP for analysis
Correct answer: B
Reference - https://cloud.google.com/kubernetes-engine/docs/how-to/dynamic-provisioning-cmek.
Based on the customer's requirements to manage and rotate encryption keys, the recommended boot disk encryption solution for the Compute Engine-based cluster using Managed Instance Groups (MIGs) is customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS).
Option A, customer-supplied encryption keys (CSEK), allows the customer to provide their own encryption keys, but it does not provide the ability to manage or rotate the keys. The customer would have to manually manage and rotate the keys themselves, which could be challenging and time-consuming.
Option B, CMEK using Cloud KMS, allows the customer to manage and rotate their encryption keys through the use of Cloud KMS, which provides a centralized key management system. With this option, the customer can also set policies for key rotation, key versioning, and key usage. This option provides the most flexibility and control for the customer.
Option C, encryption by default, automatically encrypts the boot disk, but it uses Google-managed keys, so the customer would not have control over key management or rotation. This option may not meet the customer's requirement for key management.
Option D, pre-encrypting files before transferring them to Google Cloud Platform (GCP) for analysis, is not a boot disk encryption solution and would not meet the customer's requirement for encrypting the entire Compute Engine-based cluster using MIGs. It may be a valid option for protecting files before they are transferred to GCP, but it is not relevant to this scenario.
In summary, the best option to meet the customer's requirements to manage and rotate encryption keys for the Compute Engine-based cluster using MIGs is customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS).
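As an added Terraform example (not part of the original page), this is what option B looks like end to end: a Cloud KMS key with automatic rotation, the IAM grant the Compute Engine service agent needs, and a MIG instance template whose boot disk is wrapped with that key. It assumes a configured google provider plus variables project_id and region; the key ring, key and group names are constructed.

```hcl
# Added example, not the page's own code; assumes a configured google provider, var.project_id and var.region.
data "google_project" "current" {
  project_id = var.project_id
}
# The key lives in Cloud KMS, so the customer owns rotation and access policy.
resource "google_kms_key_ring" "mig" {
  name     = "mig-boot-disk-ring"   # constructed name
  location = var.region             # must match the region of the disks
}
resource "google_kms_crypto_key" "boot" {
  name            = "mig-boot-disk-key"  # constructed name
  key_ring        = google_kms_key_ring.mig.id
  rotation_period = "7776000s"           # new key version every 90 days
  lifecycle {
    prevent_destroy = true  # destroying the key makes every disk wrapped with it unreadable
  }
}

# Compute Engine's service agent must be allowed to use the key, or instance creation fails.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = google_kms_crypto_key.boot.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

# Every instance the MIG creates gets a boot disk encrypted with the CMEK.
resource "google_compute_instance_template" "worker" {
  name_prefix  = "cmek-worker-"
  machine_type = "e2-standard-4"
  depends_on   = [google_kms_crypto_key_iam_member.compute_agent]  # grant before first disk is created
  disk {
    source_image = "debian-cloud/debian-12"
    boot         = true
    disk_encryption_key {
      kms_key_self_link = google_kms_crypto_key.boot.id
    }
  }
  network_interface {
    network = "default"
  }
}
resource "google_compute_region_instance_group_manager" "workers" {
  name               = "cmek-workers"
  region             = var.region
  base_instance_name = "cmek-worker"
  target_size        = 2
  version {
    instance_template = google_compute_instance_template.worker.id
  }
}
```

Rotation creates a new primary key version for disks created afterwards; existing disks keep using the version they were encrypted with, and disabling or destroying a key version makes those disks unreadable, so key versions should be retired only after the instances that depend on them have been recreated.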