B is the answer. https://cloud.google.com/kms/docs/using-other-products#cmek_integrations https://cloud.google.com/kms/docs/using-other-products#cmek_integrations CMEK is supported for all the listed google services.

Obviously A is the better answer. Based on the GCP blog [1], you can utilize Cloud External Key Manager (Cloud EKM) to manage customer key easily and fulfill the compliance requirements as Key Access Justifications is already GA. Also, Cloud EKM supports all the services listed in the questions per the reference [2] [1] https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr [2] https://cloud.google.com/kms/docs/ekm#supported_services

B is the answer. https://cloud.google.com/kms/docs/using-other-products#cmek_integrations https://cloud.google.com/kms/docs/using-other-products#cmek_integrations CMEK is supported for all the listed google services.

B. Customer-managed encryption keys With customer-managed encryption keys (CMEK), you have control over the encryption keys used to protect your data in Google Cloud Platform services such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. This ensures that you can manage and control the keys in a way that aligns with GDPR requirements and provides an additional layer of security for your data.

B Why not A?: GCP doesn't offer a service called "Cloud External Key Manager." While there are external key management solutions, they might not integrate seamlessly with all GCP services you're using.

B. Customer-managed encryption keys With customer-managed encryption keys (CMEK), you have control over the encryption keys used to protect your data in Google Cloud Platform services such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. This ensures that you can manage and control the keys in a way that aligns with GDPR requirements and provides an additional layer of security for your data.

All mentioned services are supported by CMEK

A or B, where B does not require additional assets/resources and thus (sounds like it would be) cheaper

I work with banks in Eu, they are using CMEK in general and it is GDPR compliant - B

With my current client in Europe, where GDPR is mandate, we are using EKM.

Seems to be EKM in conjunction with CMEK to support all the required services. However it's EKM specifically that enables customers to store keys in europe and enforce various controls over their keys as required by GDPR. https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr https://cloud.google.com/kms/docs/using-other-products#cmek_integrations

Cloud External Key Manager (option A) is an option for customers who require full control over their encryption keys while leveraging Google Cloud's Key Management Service. However, this option is generally not required for GDPR compliance.

EKM is GDPR compliant

Answer is A and please read the docs. Cloud EKM is GDPR compliant and does support all the services listed. Where is the confusion here?

"Customer-supplied encryption keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data." so it can't be A because A doesn't support all these services. The answer is B as this still allows you to manage your keys!

https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr

Answer is A, Customers can also require detailed justification and approval each time a key is requested to decrypt data using External Key Manager, and deny Google the ability to decrypt their data for any reason using Key Access Justifications, which is now in General Availability. https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr