You need to upload files from your on-premises environment to Cloud Storage. You want the files to be encrypted on Cloud Storage using customer-supplied encryption keys. What should you do?
A. Supply the encryption key in a .boto configuration file. Use gsutil to upload the files.
B. Supply the encryption key using gcloud config. Use gsutil to upload the files to that bucket.
C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key.
D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.
In the GCP documentation, the key can be configured in .boto.
I didn't find information showing that gsutil supports the flag "--encryption-key".
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
The documentation is here:
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt
Option C is correct. You can upload a file using customer-supplied encryption with the command:
gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
A .boto file with the encryption key, but it will work for individual users; every user should update their own .boto with the same key. Also, while retrieving, you should use the same key for decryption.
A is the only correct answer. Those pointing to 'C' need to realize that the flag "--encryption-key" works with *gcloud storage cp* and NOT with gsutil
https://cloud.google.com/storage/docs/gsutil
Even though it is recommended to use gcloud, this is the only answer which covers the whole lifecycle of the process: create the storage, use a CEK, and upload files.
I also agree that files do not have to be encrypted individually, but the encryption has to be done at the storage level, so it will be transparent for a future consumer service.
Answer B would be correct, but it is not only a question of supplying the key, but also of updating the bucket. So it is not enough.
The correct answer is C. Here's why:
Customer-Supplied Encryption Keys (CSEK): When using CSEK, you provide the encryption key yourself. Google doesn't store your key on their servers. You're responsible for managing and protecting it.
gsutil and --encryption-key: The gsutil command-line tool is the primary way to interact with Cloud Storage. To use CSEK with gsutil, you use the --encryption-key flag directly with the upload command. This flag takes the base64 encoded encryption key as its valu
Customer-Supplied Encryption Keys (CSEK) are provided on a per-request basis. This means you provide the key during the upload operation itself, not when creating the bucket or through persistent configuration files.
gsutil is the command-line tool for interacting with Cloud Storage. The --encryption-key flag specifically allows you to provide the base64 encoded encryption key when uploading objects.
I see option D is not even discussed. The question said "upload files", meaning multiple objects. Isn't the encrypted bucket creation a secured way to store them in Cloud Storage?
Option C: Use gsutil to upload the files and use the flag --encryption-key to supply the encryption key. This is the correct approach, as it allows you to specify the CSEK directly at the time of upload, ensuring that your files are encrypted using your provided key.
D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.
This option provides the most comprehensive and secure approach:
Create an encrypted bucket:
Use gsutil mb -b location gs://your-bucket-name --encryption-key=your_encryption_key
This ensures that all objects uploaded to this bucket will be encrypted with your provided key.
Upload files to the encrypted bucket:
Use gsutil cp your_local_file gs://your-bucket-name
By following this approach, you guarantee that your files are encrypted both at rest and in transit on Cloud Storage, providing a robust security posture.
The other options either lack the encryption key specification or do not create an encrypted bucket, leaving your data vulnerable.
The boto configuration file in Google Cloud Platform (GCP) controls how the gsutil command behaves:
Setting up gsutil
You can use the boto configuration file to set up gsutil to work through a proxy.
Using encryption keys
You can use the boto configuration file to use customer-managed or customer-supplied encryption keys.
option A,
Option A allows you to configure the .boto configuration file with the encryption key. This configuration file is used by gsutil to apply settings, including encryption key management. By placing the encryption key in the .boto file, you ensure that every time gsutil is used, it automatically supplies the correct key for encrypting files as they are uploaded to Cloud Storage.
Option C: The --encryption-key flag does not exist for gsutil. Instead, gsutil uses the .boto configuration file or the -o flag for customer-supplied encryption keys.
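Added example (not part of any comment above, and not Google's code): a Python sketch of what a customer-supplied key is, the three `x-goog-encryption-*` headers that accompany each request on a CSEK object, and the `[GSUtil]` section gsutil reads from .boto. The function names are hypothetical; the test key is constructed.

```python
import base64
import binascii
import hashlib
import secrets

KEY_BYTES = 32  # a CSEK is an AES-256 key: exactly 32 raw bytes


def generate_csek() -> str:
    """Return a fresh random AES-256 key, base64-encoded as Cloud Storage expects."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_csek(key_b64: str) -> bytes:
    """Decode and validate a base64 CSEK; raise ValueError if it is malformed."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("CSEK is not valid base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"CSEK must decode to {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def csek_headers(key_b64: str) -> dict:
    """Headers sent with each request that writes or reads a CSEK object."""
    raw = decode_csek(key_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": digest,
    }


def boto_fragment(key_b64: str, old_keys=()) -> str:
    """Render the [GSUtil] section; older keys become decryption_key1..N for reads."""
    decode_csek(key_b64)
    lines = ["[GSUtil]", f"encryption_key = {key_b64}"]
    for i, old in enumerate(old_keys, start=1):
        decode_csek(old)
        lines.append(f"decryption_key{i} = {old}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    key = generate_csek()  # constructed sample key; store real keys in a secret manager
    # Print only the key hash, never the key itself.
    print(csek_headers(key)["x-goog-encryption-key-sha256"])
```

Cloud Storage does not keep the key, so the same key must be supplied again to read the object. A .boto file that contains it should be readable only by its owner.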