A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK). How should the team complete this task?
A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
The fact is, both B & D would work. I lean towards B because it allows you to manage the file using GCP tools later as long as you keep that key around.
B is definitely incomplete though, as the boto file does need to be updated.
Using the gsutil command-line tool with the appropriate options to specify the CSEK during the upload process is the proper way to manage customer-supplied encryption keys for Cloud Storage. This ensures that the data is encrypted using the provided key without the key being stored on Google's servers.
With Customer-Supplied Encryption Keys (CSEK), you handle the encryption of the data yourself and then upload the encrypted data to Cloud Storage, ensuring you provide the necessary encryption key when required for access control. This method ensures that you maintain control over the encryption process and the security of your data.
Should be (B) - but IMHO "gsutil" is a legacy tool, it works with "gcloud": gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
I have encrypted the object using the 256 encryption method. When I created a bucket, it gave me the encryption options of Google-managed keys and customer-managed keys but no CSEK. I opted for Google-managed as I do not have a CMEK created. Now I created that bucket. I uploaded my encrypted file to that bucket using the Console; now the content of that file shows as Google-managed, not CSEK.
To my understanding, you need to generate the keys in the console, encrypt that object, and then upload; that way it will show on that object as encryption of CSEK.
Option B I opt now.
Answer D with removed or from console
D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
D. Encrypt the object, then use the gsutil command line tool
To use customer-supplied encryption keys (CSEK) for encrypting data on Cloud Storage, the security team must encrypt the object first using the encryption key and then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage. Therefore, the correct answer is:
D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
You can't use the Google Cloud console to upload the object.
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload_with_your_encryption_key
I will go with D because encrypting the object before uploading means the customer manages their own key.
A is not correct because it's not a good practice to upload the encryption key to a storage object along with the encrypted object.
B is not correct because specifying the location of the encryption key does not change anything.
C means Google manages the key.
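What supplying a CSEK involves at the request level, as an added example that is not part of the original thread: Cloud Storage takes a base64-encoded AES-256 key together with its SHA-256 hash in request headers, and gsutil reads the same key from the boto file mentioned above. The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib
import secrets


def new_csek() -> str:
    """Return a fresh 256-bit key, base64-encoded as Cloud Storage expects."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def csek_headers(key_b64: str) -> dict:
    """Build the three headers that accompany a CSEK upload or download."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid standard base64") from exc
    if len(raw) != 32:
        raise ValueError(f"CSEK must be 32 bytes (AES-256), got {len(raw)}")
    # Only this hash identifies the key on the object afterwards; the key
    # itself has to be presented again on every read or rewrite.
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": digest,
    }


def boto_stanza(key_b64: str) -> str:
    """Render the .boto setting that gsutil reads the key from."""
    csek_headers(key_b64)  # reject malformed keys before writing config
    return f"[GSUtil]\nencryption_key = {key_b64}\n"


# Constructed sample key (32 zero bytes): for illustration only, never use it.
SAMPLE_KEY = base64.b64encode(bytes(32)).decode("ascii")

if __name__ == "__main__":
    for name, value in csek_headers(SAMPLE_KEY).items():
        print(f"{name}: {value}")
    print(boto_stanza(SAMPLE_KEY))
```

Losing the key makes the object unreadable, so the value returned by `new_csek()` belongs in the team's own secret store before any upload.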