You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?
A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
Yes, A is correct
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.
A is the correct answer, as stated in the Google docs.
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.
https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption
This follows the recommended practice of envelope encryption, where the DEK is encrypted with a KEK, which is managed by a KMS service such as Cloud KMS. Storing both the encrypted data and the KEK allows for the data to be decrypted using the KEK when needed. It's important to generate the DEK locally to ensure the security of the key, and to generate a new KEK in Cloud KMS for added security and key management capabilities.
We need to store the encrypted data and the wrapped DEK. The KEK would be centrally managed by KMS.
https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption
Answer A
Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption
Here are best practices for managing DEKs:
- Generate DEKs locally.
- When stored, always ensure DEKs are encrypted at rest.
- For easy access, store the DEK near the data that it encrypts.
The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.
Here are best practices for managing KEKs:
- Store KEKs centrally (KMS).
- Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload's encryption.
- Rotate keys regularly, and also after a suspected incident.
A - Envelope encryption (DEK to encrypt the data, KEK to encrypt the DEK; the KEK resides in KMS and only the encrypted data and the wrapped DEK are stored back).