A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK)
How should the team complete this task?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
https://cloud.google.com/storage/docs/encryption/customer-supplied-keysWhen using Customer-Supplied Encryption Keys (CSEK) in Google Cloud Storage, the customer is responsible for generating and managing the encryption keys. With CSEK, data is encrypted on the client side, meaning that the data is encrypted before it is sent to Cloud Storage.
To complete this task, the security team must generate an encryption key and then use it to encrypt the data before uploading it to Cloud Storage. There are a few different ways to do this, but the best approach depends on the specific requirements of the organization.
Option A suggests uploading the encryption key to the same bucket where the object will be stored. This approach is not recommended as it would mean that the key and the encrypted data would both be stored in the same location, making it easier for an attacker to access both.
Option B suggests using the gsutil command line tool to upload the object to Cloud Storage and specify the location of the encryption key. This option is better as it allows the encryption key to be stored separately from the encrypted data. However, it still requires the use of a command line tool which may not be the best option for all users.
Option C suggests generating an encryption key in the Google Cloud Platform Console and uploading an object to Cloud Storage using the specified key. This option is similar to Option B but provides an easier method for generating the encryption key.
Option D suggests encrypting the object and then using either the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage. This option is also a good approach, as it ensures that the data is encrypted before it is uploaded to Cloud Storage.
In summary, options B, C, and D are all viable options for completing this task, but the best approach will depend on the specific requirements and preferences of the customer's security team. It is important to ensure that the encryption key is stored securely and separately from the encrypted data to minimize the risk of unauthorized access.