You need to upload files from your on-premises environment to Cloud Storage. You want the files to be encrypted on Cloud Storage using customer-supplied encryption keys. What should you do?
A. Supply the encryption key in a .boto configuration file. Use gsutil to upload the files.
B. Supply the encryption key using gcloud config. Use gsutil to upload the files to that bucket.
C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key.
D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.
In the GCP documentation, the key can be configured in .boto.
I didn't find information showing that gsutil supports the flag "--encryption-key".
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
The documentation is here:
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt
Option C is correct. You can upload a file using customer-supplied encryption with the command:
gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
.boto file with encryption key, but it will work for individual users; every user should update their own .boto with the same key. Also, while retrieving you should use the same key for decryption.
I see option D is not even discussed. The question said "upload files", meaning multiple objects. Isn't the encrypted bucket creation a secured way to store them in cloud storage?
Option C: Use gsutil to upload the files and use the flag --encryption-key to supply the encryption key. This is the correct approach, as it allows you to specify the CSEK directly at the time of upload, ensuring that your files are encrypted using your provided key.
D. Use gsutil to create a bucket, and use the flag --encryption-key to supply the encryption key. Use gsutil to upload the files to that bucket.
This option provides the most comprehensive and secure approach:
Create an encrypted bucket:
Use gsutil mb -b location gs://your-bucket-name --encryption-key=your_encryption_key
This ensures that all objects uploaded to this bucket will be encrypted with your provided key.
Upload files to the encrypted bucket:
Use gsutil cp your_local_file gs://your-bucket-name
By following this approach, you guarantee that your files are encrypted both at rest and in transit on Cloud Storage, providing a robust security posture.
The other options either lack the encryption key specification or do not create an encrypted bucket, leaving your data vulnerable.
The boto configuration file in Google Cloud Platform (GCP) controls how the gsutil command behaves:
Setting up gsutil
You can use the boto configuration file to set up gsutil to work through a proxy.
Using encryption keys
You can use the boto configuration file to use customer-managed or customer-supplied encryption keys.
option A,
Option A allows you to configure the .boto configuration file with the encryption key. This configuration file is used by gsutil to apply settings, including encryption key management. By placing the encryption key in the .boto file, you ensure that every time gsutil is used, it automatically supplies the correct key for encrypting files as they are uploaded to Cloud Storage.
Option C: The --encryption-key flag does not exist for gsutil. Instead, gsutil uses the .boto configuration file or the -o flag for customer-supplied encryption keys.
Answer: C
Use gsutil to upload the files, and use the flag -encryption-key to supply the encryption key.
Here’s why this is the best option:
1. Using gsutil: gsutil is the command-line tool for interacting with Google Cloud Storage, and it supports options for specifying customer-supplied encryption keys directly during the upload process.
2. Flag -encryption-key: The -encryption-key flag allows you to specify the encryption key at the time of uploading the files. This ensures that the files are encrypted with the provided key as they are being uploaded to Cloud Storage.
Option C is correct
C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key.
gsutil -o "GSUtil:encryption_key=YOUR_BASE64_ENCRYPTION_KEY" cp your_file.txt gs://your-bucket/
When using customer-supplied encryption keys (CSEK) in Google Cloud Storage, you can provide the encryption key directly in your gsutil command during the upload operation. The --encryption-key flag allows you to specify the encryption key for encrypting the files as they are uploaded.
The correct answer is C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key.
Here’s why:
To encrypt files with a customer-supplied encryption key (CSEK), you can use the gsutil command along with the --encryption-key flag to specify the encryption key when uploading files to Cloud Storage.
This allows each file to be encrypted using your specified encryption key, providing an additional layer of security beyond Google-managed encryption.
The other options are incorrect:
A and B reference .boto configuration files and gcloud config, but those methods are not used to specify customer-supplied encryption keys for file uploads.
D incorrectly suggests using --encryption-key when creating a bucket, but encryption keys are supplied during file uploads, not during bucket creation.
Thus, C is the correct option to upload files with customer-supplied encryption keys using gsutil.
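Whichever way the key reaches the tool in the comments above (the .boto file, the -o override, or a command-line flag), a customer-supplied key is a base64-encoded AES-256 key, and the Cloud Storage API receives it together with its SHA-256 hash in request headers. The following is an added example, not code from any commenter or from Google's tooling; the function names are hypothetical. It generates and validates such a key, builds the CSEK request headers, and renders the .boto entry.

```python
import base64
import hashlib
import secrets


def new_csek() -> str:
    """Generate a random 256-bit key, base64-encoded as Cloud Storage expects."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def decode_csek(key_b64: str) -> bytes:
    """Return the raw key; reject anything that is not base64 of exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("CSEK must be standard base64") from exc
    if len(raw) != 32:
        raise ValueError(f"CSEK must decode to 32 bytes, got {len(raw)}")
    return raw


def csek_headers(key_b64: str) -> dict:
    """Headers sent with an upload or download of a CSEK-protected object."""
    raw = decode_csek(key_b64)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": digest,
    }


def redacted(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the key is dropped, the hash kept."""
    safe = dict(headers)
    safe["x-goog-encryption-key"] = "<redacted>"
    return safe


def boto_section(key_b64: str) -> str:
    """The [GSUtil] entry read by gsutil; keep the file readable by its owner only."""
    decode_csek(key_b64)
    return f"[GSUtil]\nencryption_key = {key_b64}\n"


if __name__ == "__main__":
    key = new_csek()  # constructed sample key, generated at run time
    print(redacted(csek_headers(key)))
```

A key passed on the command line ends up in shell history and process listings, so the hash is the value to record when you need to note which key protects an object.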