Exam Professional Cloud Developer topic 1 question 242 discussion

According to the documentation the SHA256 is needed in the REST API -> B https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#rest-csek-download-object

Base64-encoded SHA256 hash vs. Raw Encryption Key: The Google Cloud Storage documentation you linked mentions two approaches for customer-managed encryption keys: Base64-encoded SHA256 hash: This is primarily used for verification purposes and access control. not for reading Option A: Correct. Using the base64-encoded encryption key instead of the raw key bytes for reading will likely lead to a 4xx error. Option B: Incorrect. You don't directly use the base64-encoded SHA256 hash for reading the object, but it might be required for authentication purposes. Option C: Incorrect. Entering the correct encryption algorithm shouldn't lead to a 4xx error if everything else is configured correctly. Option D: Incorrect. Similar to option B, using the base64-encoded SHA256 hash for reading the object is not the correct approach.

as some guys said, in the link https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#response we understand why B is correct

B is correct.

B is correct.

4xx is for Bad request, resource forbidden, not found and many more. If we want to read the object of Cloud storage bucket programmatically, then we need to pass the same customer key that was used for encrypting the object. The request we need to send with Base64Encode ( SHA256 Hash (customer-key ) ) The key set for object is SHA256 Hash (customer-key ) and while reading the Base64decode of the key will happen and comparing the Hash of the keys. If Hash are equal, then read access is permitted.

took my exam yesterday (01-03-2023) and this question was there

https://cloud.google.com/storage/docs/encryption/customer-supplied-keys

Option D is a possible cause of an HTTP 4xx error when reading an object from Cloud Storage because it is incorrect to use the base64-encoded SHA256 hash of the customer's encryption key to read an encrypted object. To read an encrypted object, you need to use the original encryption key, not its hash. The HTTP 4xx error could be a result of an incorrect or unsupported key format, or a key mismatch. On the other hand, using the base64-encoded key (Option A), the encryption algorithm (Option C), or the base64-encoded SHA256 hash of the encryption key (Option B) without the original encryption key would not allow the object to be decrypted and read.

Answer B, made a mistsake

You receive an HTTP 400 error in the following cases: 1.You upload an object using a customer-supplied encryption key, and you attempt to perform another operation on the object (other than requesting or updating most metadata or deleting the object) without providing the key. 2.You upload an object using a customer-supplied encryption key, and you attempt to perform another operation on the object with an incorrect key. 3.You upload an object without providing a customer-supplied encryption key, and you attempt to perform another operation on the object with a customer-supplied encryption key. 4.You specify an encryption algorithm, key, or SHA256 hash that is not valid. Point number 2 has the answer https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#response