Professional Cloud Architect Exam - Encryption Key Rotation Best Practices

Encryption Key Rotation Best Practices for Cloud Storage and Dataproc Processing

Question

Your organization has stored sensitive data in a Cloud Storage bucket.

For regulatory reasons, your company must be able to rotate the encryption key used to encrypt the data in the bucket.

The data will be processed in Dataproc.

You want to follow Google-recommended practices for security.

What should you do?

Answers

Explanations


D.

The recommended approach to rotate encryption keys for sensitive data stored in a Cloud Storage bucket and processed in Dataproc while adhering to Google's security practices is to use Cloud Key Management Service (KMS) to create and manage encryption keys.

Option A: Create a key with Cloud Key Management Service (KMS). Encrypt the data using the encrypt method of Cloud KMS.

In this option, you would create a key with Cloud KMS and use the encrypt method of Cloud KMS to encrypt the sensitive data before storing it in the Cloud Storage bucket. Cloud KMS provides secure and scalable key management that allows you to manage cryptographic keys and use them to protect your data. The encrypt method is used to encrypt plaintext data with a Cloud KMS key. This approach ensures that the sensitive data is encrypted using a secure key management solution and can be rotated easily as required.

Option B: Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key.

In this option, you would create a key with Cloud KMS and set it as the default encryption key for the Cloud Storage bucket. This option is similar to option A, except that instead of your application calling the encrypt method, Cloud Storage itself applies the KMS key to objects written to the bucket (customer-managed encryption keys). This approach ensures that the sensitive data is encrypted using a secure key management solution, and key rotation can be managed centrally through the key set on the bucket.
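Added example, not from the original page, showing option B as it would be typed into gcloud: create a key with an automatic rotation period, authorize the Cloud Storage service agent on it, and set it as the bucket's default key. Project, bucket, key ring, key names, rotation period and first rotation time are placeholders, and the use of `gcloud storage service-agent` to look up the service agent e-mail is an assumption; with `DRY_RUN=1` (the default) the script only prints the commands it would run.

```shell
# Constructed example (not from the original page): give a Cloud Storage bucket a
# rotating Cloud KMS default key (option B). Names are placeholders; DRY_RUN=1 prints.
set -eu
PROJECT="${PROJECT:-my-project}"
LOCATION="${LOCATION:-us-central1}"
KEYRING="${KEYRING:-storage-ring}"
KEY="${KEY:-bucket-key}"
BUCKET="${BUCKET:-sensitive-data}"
ROTATION="${ROTATION:-90d}"                              # automatic rotation period
NEXT_ROTATION="${NEXT_ROTATION:-2030-01-01T00:00:00Z}"   # placeholder first rotation
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands, 0 = execute

run() {  # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full resource name in the form Cloud Storage expects for a default key.
key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' \
    "$PROJECT" "$LOCATION" "$KEYRING" "$KEY"
}

# Cloud Storage encrypts objects through its own service agent, so that agent
# (not the Dataproc VMs that read the data) needs the KMS IAM role.
storage_service_agent() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com'  # placeholder
  else
    gcloud storage service-agent --project "$PROJECT"   # assumption: prints the agent e-mail
  fi
}

create_rotating_key() {
  run gcloud kms keyrings create "$KEYRING" --location "$LOCATION" --project "$PROJECT"
  # Rotation adds a new primary version; objects already written stay encrypted under
  # the version that wrote them, so keep old versions enabled until data is rewritten.
  run gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" --project "$PROJECT" \
    --purpose encryption --rotation-period "$ROTATION" --next-rotation-time "$NEXT_ROTATION"
}

grant_service_agent() {
  run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --project "$PROJECT" --member "serviceAccount:$(storage_service_agent)" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

set_bucket_default_key() {
  run gcloud storage buckets update "gs://$BUCKET" --default-encryption-key "$(key_resource)"
}
create_rotating_key && grant_service_agent && set_bucket_default_key
```

Run with `DRY_RUN=0` and real values only after reviewing the printed commands; Dataproc jobs then read the bucket with ordinary storage permissions, since decryption happens inside Cloud Storage.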

Option C: Generate a GPG key pair. Encrypt the data using the GPG key. Upload the encrypted data to the bucket.

In this option, you would generate a GPG key pair and use the GPG key to encrypt the sensitive data before storing it in the Cloud Storage bucket. This approach is not recommended because GPG is not a Google-recommended security practice for handling sensitive data in the cloud. Additionally, this approach does not provide a simple and secure way to manage key rotation.

Option D: Generate an AES-256 encryption key. Encrypt the data in the bucket using the customer-supplied encryption keys feature.

In this option, you would generate an AES-256 encryption key and use it to encrypt the sensitive data in the Cloud Storage bucket using the customer-supplied encryption keys (CSEK) feature. While CSEK lets you encrypt data with a key you supply yourself, it does not provide a simple way to manage key rotation. Additionally, this approach requires manual management of encryption keys, which can increase the risk of errors or key compromise.

In summary, option A or B is the recommended approach to rotating encryption keys for sensitive data stored in a Cloud Storage bucket and processed in Dataproc while adhering to Google's security practices. These options provide a secure and scalable way to manage cryptographic keys and use them to protect sensitive data.