Exam Professional Cloud Security Engineer topic 1 question 135 discussion

Answer D because "Minimize the latency to access encryption keys"

The default already has low latency! "Because of the high volume of keys at Google, and the need for low latency and high availability, DEKs are stored near the data that they encrypt. DEKs are encrypted with (wrapped by) a key encryption key (KEK), using a technique known as envelope encryption. These KEKs are not specific to customers; instead, one or more KEKs exist for each service." We need less complexity and low latency so use default on non-sensitive data!

D- the ans refers to both types of data:sensitive and non sensitive

Answer D https://cloud.google.com/docs/security/encryption/default-encryption

B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

keeps complexity low

B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.

✑ Schedule key rotation for sensitive data. : => Cloud KMS allows you to set a rotation schedule for symmetric keys to automatically generate a new key version at a fixed time interval. Multiple versions of a symmetric key can be active at any time for decryption, with only one primary key version used for encrypting new data. With EKM, create an externally managed key directly from the Cloud KSM console. ✑ Control which region the encryption keys for sensitive data are stored in. => If using Cloud KMS, your cryptographic keys will be stored in the region where you deploy the resource. You also have the option of storing those keys inside a physical Hardware Security Module located in the region you choose with Cloud HSM. ✑ Minimize the latency to access encryption keys for both sensitive and non-sensitive data : => Cloud KMS is available in several global locations and across multi-regions, allowing you to place your service where you want for low latency and high availability. https://cloud.google.com/security-key-management