Upload Files to Cloud Storage with Customer-Supplied Encryption Keys - PCA Exam Answer

How to Upload Files to Cloud Storage with Customer-Supplied Encryption Keys

Prev Question Next Question

Question

You need to upload files from your on-premises environment to Cloud Storage.

You want the files to be encrypted on Cloud Storage using customer-supplied encryption keys.

What should you do?

Answers

A. Supply the encryption key in a .boto configuration file. Use gsutil to upload the files.

B. Supply the encryption key using gcloud config. Use gsutil to upload the files to that bucket.

C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key.

D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

The correct answer is D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.

Google Cloud Storage provides server-side encryption for data at rest by default, which means that all objects are encrypted when they are stored in Google Cloud Storage. However, if you want to use customer-supplied encryption keys to encrypt your data, you need to provide the encryption key when you upload the data.

To upload files from an on-premises environment to Cloud Storage and encrypt them using customer-supplied encryption keys, you can follow these steps:

Install and configure gsutil on your on-premises environment. You can download gsutil from the Google Cloud SDK website.
Create a Cloud Storage bucket. You can use the gsutil mb command to create a bucket. For example:

css
gsutil mb -p [PROJECT_ID] -c [STORAGE_CLASS] -l [LOCATION] -b on gs://[BUCKET_NAME]

where:

[PROJECT_ID] is the ID of your Google Cloud project.
[STORAGE_CLASS] is the storage class you want to use for the bucket. For example, you can use STANDARD or NEARLINE.
[LOCATION] is the location where you want to store your data. For example, you can use us-east1 or europe-west1.
[BUCKET_NAME] is the name of your Cloud Storage bucket.

Set the encryption key for the bucket. You can use the gsutil kms command to set the encryption key. For example:

less
gsutil kms encryption -k [KEY_NAME] gs://[BUCKET_NAME]

where:

[KEY_NAME] is the name of the customer-managed encryption key you want to use.
[BUCKET_NAME] is the name of your Cloud Storage bucket.

Upload your files to the bucket using the gsutil cp command. For example:

less
gsutil cp -k [LOCAL_FILE_PATH] gs://[BUCKET_NAME]/[OBJECT_NAME]

where:

[LOCAL_FILE_PATH] is the path to the file you want to upload.
[BUCKET_NAME] is the name of your Cloud Storage bucket.
[OBJECT_NAME] is the name you want to give to the object in the bucket.

The -k flag is used to indicate that the file should be encrypted using the customer-supplied encryption key.

Option A is incorrect because the .boto configuration file is not used to supply the encryption key for customer-supplied encryption.

Option B is incorrect because the gcloud config command is not used to supply the encryption key for customer-supplied encryption.

Option C is incorrect because the --encryption-key flag is not used to set the encryption key for customer-supplied encryption. Instead, the gsutil kms command should be used to set the encryption key.

Prev Question Next Question