You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
Correct answer: A.
Reference: https://cloud.google.com/kms/docs/envelope-encryption

The recommended approach to leveraging envelope encryption and encrypting data at the application layer in Google Cloud is to generate a data encryption key (DEK) locally and then use Cloud KMS to encrypt the DEK with a new key encryption key (KEK). The encrypted data and the encrypted DEK are then stored together.
Option A is the correct answer. Here's a detailed explanation of each option:
A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
This approach is recommended by Google and follows the envelope encryption pattern: a DEK generated locally encrypts the data, and Cloud KMS encrypts the DEK with a new KEK. The encrypted DEK is then stored alongside the encrypted data, while the KEK itself stays in Cloud KMS. Because the DEK is protected by a separate key, an attacker who obtains the stored data and wrapped DEK still needs access to the KEK before the DEK, and therefore the data, can be decrypted.
B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
This approach uses the same DEK and KEK scheme as Option A but stores the KEK with the encrypted data instead of the encrypted DEK. It is not recommended because it does not provide the same level of security as storing the encrypted DEK with the encrypted data: the KEK is meant to remain in Cloud KMS, and an attacker who gains access to a stored KEK could decrypt the encrypted DEK and subsequently decrypt the data.
C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
This approach involves generating a new DEK in Cloud KMS and then using a locally generated KEK to encrypt the DEK. The encrypted DEK and encrypted data are then stored together. While this approach is still secure, it is not the recommended approach because it involves generating the DEK in Cloud KMS, which can be more complex and less flexible than generating the DEK locally.
D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
This approach is Option C with the KEK stored alongside the encrypted data instead of the encrypted DEK. It is not recommended for the same reasons as Option B.
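The Option A flow, written out as an added example that is not part of the original question or of Google's documentation: a 256-bit DEK is generated locally and encrypts the record with AES-GCM, the KEK encrypts (wraps) the DEK, the plaintext DEK is discarded, and only the ciphertext plus the wrapped DEK are stored. The `KEKWrapper` interface and the `localKEK` type are assumptions: `localKEK` is an in-memory stand-in so the code runs offline, where a real deployment would call the Cloud KMS Encrypt and Decrypt API methods on a key that never leaves KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEKWrapper models the two operations envelope encryption needs from the key
// encryption key: wrap a DEK and unwrap it. The KEK itself is never returned.
// Hypothetical interface standing in for Cloud KMS Encrypt/Decrypt calls.
type KEKWrapper interface {
	WrapDEK(plainDEK []byte) ([]byte, error)
	UnwrapDEK(wrappedDEK []byte) ([]byte, error)
}

// Envelope is what gets stored (Option A): encrypted data and encrypted DEK together.
// Neither field is useful to an attacker without access to the KEK.
type Envelope struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext and tag of the data
	WrappedDEK []byte // the DEK, encrypted by the KEK
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts with a fresh random nonce and prefixes the nonce to the output.
func sealBlob(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob splits off the nonce and decrypts; any tampering fails authentication.
func openBlob(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// localKEK is a constructed in-memory stand-in for a Cloud KMS key so the example
// runs offline. In production the KEK lives in Cloud KMS and is not exportable.
type localKEK struct{ aead cipher.AEAD }

// NewLocalKEK creates a random 256-bit stand-in KEK.
func NewLocalKEK() (KEKWrapper, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &localKEK{aead: aead}, nil
}

func (k *localKEK) WrapDEK(dek []byte) ([]byte, error) { return sealBlob(k.aead, dek) }
func (k *localKEK) UnwrapDEK(w []byte) ([]byte, error) { return openBlob(k.aead, w) }

// EnvelopeEncrypt implements Option A: generate the DEK locally, encrypt the data
// with it, have the KEK encrypt the DEK, and zero the plaintext DEK before returning.
func EnvelopeEncrypt(kek KEKWrapper, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer func() { // the plaintext DEK is never stored or kept around
		for i := range dek {
			dek[i] = 0
		}
	}()
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := sealBlob(aead, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// EnvelopeDecrypt reverses the flow: the KEK unwraps the DEK, the DEK decrypts the data.
func EnvelopeDecrypt(kek KEKWrapper, env *Envelope) ([]byte, error) {
	dek, err := kek.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return openBlob(aead, env.Ciphertext)
}

func main() {
	kek, err := NewLocalKEK()
	if err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(kek, []byte("constructed sample record")) // constructed input
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes and %d wrapped-DEK bytes; recovered %q\n",
		len(env.Ciphertext), len(env.WrappedDEK), pt)
}
```

The stored `Envelope` is all a reader of the datastore can obtain; decryption requires a call to whatever holds the KEK, which is why swapping the wrapped DEK for the KEK (Options B and D) defeats the purpose of the pattern. The same structure also makes key rotation cheap: re-wrapping the small DEK under a new KEK version avoids re-encrypting the data itself.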