Exam Professional Data Engineer topic 1 question 262 discussion

- Cloud EKM allows you to use encryption keys managed in external key management systems, including on-premises HSMs, while using Google Cloud services. - This means that the key material remains in your control and environment, and Google Cloud services use it via the Cloud EKM integration. - This approach aligns with the need to generate and store encryption material only on your on-premises HSM and is the correct way to integrate such keys with BigQuery. ====== Why not Option C - Cloud HSM is a fully managed service by Google Cloud that provides HSMs for your cryptographic needs. However, it's a cloud-based solution, and the keys generated or managed in Cloud HSM are not stored on-premises. This option doesn't align with the requirement to use only on-premises HSM for key storage.

check raaad's comment.

Option B, I agree with Raaad on the approach

https://cloud.google.com/kms/docs/ekm#ekm-management-mode

B- https://cloud.google.com/kms/docs/ekm#ekm-management-mode Coordinated external keys are made possible by EKM via VPC connections that use EKM key management from Cloud KMS. If your EKM supports the Cloud EKM control plane, then you can enable EKM key management from Cloud KMS for your EKM via VPC connections to create coordinated external keys. With EKM key management from Cloud KMS enabled, Cloud EKM can request the following changes in your EKM:

Option B, I agree with Raaad on the approach

C. Create the encryption key in the on-premises HSM, and import it into Cloud Key Management Service (Cloud HSM) key. Associate the created Cloud HSM key while creating the BigQuery resources.