Easy · 1 mark · Multiple Choice

GCP PCA · Question 26 · Domain 3: Designing for Security and Compliance

Your company has a strict policy that all cryptographic keys used to encrypt data in Google Cloud must be generated and managed on-premises by your own Hardware Security Module (HSM). Which encryption method must you use?

Answer options:

A. Google-Managed Encryption Keys
B. Customer-Managed Encryption Keys (CMEK)
C. Customer-Supplied Encryption Keys (CSEK)
D. Cloud HSM

How to approach this question

Differentiate between CMEK (managed in Cloud KMS) and CSEK (supplied by the customer from outside GCP).

Full Answer

C. Customer-Supplied Encryption Keys (CSEK) ✓ Correct

With Customer-Supplied Encryption Keys (CSEK) you generate your own encryption keys on-premises and supply them to Google Cloud yourself. When you create a resource (such as a Compute Engine disk or a Cloud Storage object), you pass the key in the API request. Google uses it to encrypt the data and immediately purges the key from memory; Google never stores the key. If you lose the key, Google cannot recover your data.

Common mistakes

Confusing CMEK with CSEK. CMEK means you manage the key lifecycle within Google Cloud KMS. CSEK means you supply the raw key material from outside.
