Exam Professional Cloud Security Engineer topic 1 question 76 discussion

The anwser is:C This is a Customer-supplied encryption keys (CSEK). We generate our own encryption key and manage it on-premises. A KEK never leaves Cloud KMS.There is no KEK or KMS on-premises. Encryption at rest by default, with various key management options https://cloud.google.com/security/encryption-at-rest

Reference Links: https://cloud.google.com/kms/docs/envelope-encryption https://cloud.google.com/security/encryption-at-rest/customer-supplied-encryption-keys

Correct Answer -D - CSEK provided by the customer, Key encryption key (KEK) for chunk keys. Wraps the chunk keys. As per https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage. Some of us have provided correct link but not interpreted correctly and selected answer C, which is not correct. A & B not correct because it is CSEK.

The anwser is:C

By using customer-supplied encryption keys (CSEK) to manage the data encryption key (DEK), you can ensure that the encryption process utilizes a key that was generated and controlled on-premises, meeting your security and compliance requirements.

`customer-supplied encryption keys` == `DEK`, so the only answer that makes sense is A use KMS for KEK to wrap the DEK

Can't be A/B because "key generated on-premises" requirement. KEK ist KMS specific. Why (C): https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage --> "The raw CSEK is used to unwrap wrapped chunk keys, to create raw chunk keys in memory. These are used to decrypt data chunks stored in the storage systems. These keys are used as the data encryption keys (DEK) in Google Cloud Storage for your data."

C is answer. DEK

Customer-supplied because it is generated on prem. And we can only talk about DEK. KEK is always managed by Google

D , CSEK is used for KEK , DEK is always generated by Google as different chunks use different DEK Raw CSEK Storage system memory Provided by the customer. Key encryption key (KEK) for chunk keys. Wraps the chunk keys. Customer-requested operation (e.g., insertObject or getObject) is complete https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys

C, KEK is google managed

To use a key generated on-premises for encrypting data in Cloud Storage, you should: C. Use customer-supplied encryption keys to manage the data encryption key (DEK). With customer-supplied encryption keys (CSEK), you can provide your own encryption keys, generated and managed on-premises, to encrypt and decrypt data in Cloud Storage. The data encryption key (DEK) is the key used to encrypt the actual data, and by using CSEK, you can manage this key with your own on-premises key management system.

The Answer is C. The raw CSEK is used to unwrap wrapped chunk keys, to create raw chunk keys in memory. These are used to decrypt data chunks stored in the storage systems. These keys are used as the data encryption keys (DEK) in Google Cloud Storage for your data. https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage

Answer is C: https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage If you look at the ENTIRE process - it CSEK is used to create the DEK (final product) for decryption if its data...

https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage

C . The answer is C and I don't understand why some people here rewriting google official doc here and saying answer is D?? Here is the link please read it carefully this is not an Instagramm feed. Please when you reading 3 seconds and come here you start confusing many people . Here is link SPECIFICALLY FOR CLOUD STORAGE . https://cloud.google.com/docs/security/encryption/customer-supplied-encryption-keys#cloud_storage

"C" KEK never leaves Cloud KMS. Customer supplied key can only be for DEK.