Exam Professional Cloud Security Engineer topic 1 question 34 discussion

Answer is B. https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption "The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

B The KEK is always managed by the KMS. The KMS never manages the DEK (so A is wrong). Both C/D are bad options, the customer supplying the encryption key defeats the purpose of the scenario in the question.

To manage encryption for Cloud Dataproc persistent disks, Google Cloud supports Customer-Managed Encryption Keys (CMEK) using Cloud Key Management Service (KMS). In this setup: Data Encryption Key (DEK): Google Cloud automatically generates and manages the DEK for encrypting the persistent disk data. Key Encryption Key (KEK): The KEK, managed in Cloud KMS, encrypts the DEK. This ensures the customer has control over key management operations, such as key rotation and deletion.

Answer is B Cloud KMS allows you to manage KEKs, which in turn are used to encrypt the DEKs. DEKs are then used to encrypt the data. This separation ensures that the more sensitive KEK remains securely managed within the Cloud KMS

Agree with B

The correct answer is B. Use the Cloud Key Management Service to manage the key encryption key (KEK). Cloud Dataproc uses a two-level encryption model, where the data encryption key (DEK) is encrypted with a key encryption key (KEK). The KEK is stored in Cloud Key Management Service (KMS), which allows you to create, rotate, and destroy the KEK as needed. If you use customer-supplied encryption keys (CSEKs) to manage the DEK, you will be responsible for managing the CSEKs yourself. This can be a complex and time-consuming task, and it can also increase the risk of data loss if the CSEKs are compromised.

Option B, using Cloud KMS to manage the key encryption key (KEK), is not necessary as persistent disks in Cloud Dataproc are already encrypted at rest using AES-256 encryption with a unique DEK generated and managed by Google.

The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

there is a diagram in the link. if you understand the diagram, you will get the answer. https://cloud.google.com/sql/docs/mysql/cmek#with-cmek

Answer is B. the documentation says that Google does the data encryption by default and then that encryption key is again encrypted by KEK. which in turn can be managed by Customer.

Option B, using the Cloud KMS to manage the key encryption key (KEK), is incorrect. The KEK is used to encrypt the DEK, so the DEK is the key that is managed by the Cloud KMS.

B can be right but we never been asked about envelope encription... so... the solution is to use a customer managed Data Encryption Key

B. Use the Cloud Key Management Service to manage the key encryption key (KEK).

Answer is B, https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

In my opinion it should be B. reference : https://cloud.google.com/kms/docs/envelope-encryption How to encrypt data using envelope encryption The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.

I think the answer is A. DEK (Data encryption Key ) is the key which is used to encrypt the data. It can be both customer-managed or customer supplied in terms of GCP> https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption The link above states "This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

b of course