Your company is storing sensitive data in Cloud Storage.
You want a key generated on-premises to be used in the encryption process.
What should you do?
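A. Use the Cloud Key Management Service to manage a data encryption key (DEK)
B. Use the Cloud Key Management Service to manage a key encryption key (KEK)
C. Use customer-supplied encryption keys to manage the data encryption key (DEK)
D. Use customer-supplied encryption keys to manage the key encryption key (KEK)
A.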
https://cloud.google.com/security/encryption-at-rest/default-encryption/
If you want to use a key generated on-premises for encrypting your sensitive data in Cloud Storage, the best approach is to use customer-supplied encryption keys (CSEKs).
A CSEK is a key that is generated by the customer and used to encrypt and decrypt data in Cloud Storage. When you use a CSEK, Cloud Storage never sees or stores your plaintext encryption key, giving you greater control over your data.
To use a CSEK, you must create and manage your keys on-premises, and then securely transfer them to Cloud Storage during encryption and decryption operations. You can use a CSEK to manage a data encryption key (DEK), which is used to encrypt your data, or a key encryption key (KEK), which is used to encrypt and decrypt DEKs.
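As an added example (not part of the original page and not Google's code), the sketch below prepares a locally generated 256-bit key for CSEK requests to Cloud Storage. The three `x-goog-encryption-*` header names and the `customerEncryption.keySha256` metadata field belong to the Cloud Storage API; the function names are hypothetical, and `secrets.token_bytes` is an assumption standing in for the on-premises key source (for example an HSM).

```python
import base64
import hashlib
import hmac
import secrets

CSEK_KEY_BYTES = 32  # CSEK keys are AES-256, so exactly 32 raw bytes


def generate_csek() -> bytes:
    """Generate a 256-bit key locally (assumed stand-in for the on-prem key source)."""
    return secrets.token_bytes(CSEK_KEY_BYTES)


def csek_headers(raw_key: bytes) -> dict:
    """Build the headers that carry the key on each upload or download request."""
    if len(raw_key) != CSEK_KEY_BYTES:
        raise ValueError("CSEK must be exactly 32 bytes (AES-256)")
    key_hash = hashlib.sha256(raw_key).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(raw_key).decode("ascii"),
        "x-goog-encryption-key-sha256": base64.b64encode(key_hash).decode("ascii"),
    }


def key_matches_object(raw_key: bytes, stored_sha256_b64: str) -> bool:
    """Compare a local key with the key hash reported in object metadata
    (customerEncryption.keySha256) before attempting a download."""
    local = base64.b64encode(hashlib.sha256(raw_key).digest()).decode("ascii")
    return hmac.compare_digest(local, stored_sha256_b64)


def loggable_headers(headers: dict) -> dict:
    """Drop the raw key so request logging never records key material."""
    return {k: v for k, v in headers.items() if k != "x-goog-encryption-key"}


if __name__ == "__main__":
    key = generate_csek()  # constructed sample key, generated at run time
    headers = csek_headers(key)
    print(loggable_headers(headers))
    print(key_matches_object(key, headers["x-goog-encryption-key-sha256"]))
```

The key has to accompany every request that reads or rewrites the object, so losing the on-premises copy makes the data unrecoverable.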
Option A ("Use the Cloud Key Management Service to manage a data encryption key (DEK)") is not correct because it suggests that you should use a key managed by Google to encrypt your data, rather than a key generated on-premises.
Option B ("Use the Cloud Key Management Service to manage a key encryption key (KEK)") is also not correct because it suggests that you should use a key managed by Google to encrypt and decrypt your DEKs, rather than a key generated on-premises.
Option C ("Use customer-supplied encryption keys to manage the data encryption key (DEK)") is the correct answer because it suggests that you should use a key generated on-premises to encrypt your data.
Option D ("Use customer-supplied encryption keys to manage the key encryption key (KEK)") is not correct because it suggests that you should use a key generated on-premises to encrypt and decrypt your DEKs, rather than a key generated on-premises to encrypt your data.
In summary, to use a key generated on-premises to encrypt your sensitive data in Cloud Storage, you should use customer-supplied encryption keys to manage the data encryption key (DEK).