Data Protection and Encryption (GCP PCSE) Flashcards
GCP Professional Cloud Security Engineer Flashcards
| Front | Back |
| --- | --- |
| How can you revoke access to a CMEK key? | You can disable the cryptographic key or delete it via Cloud KMS. |
| How does GCP handle data encryption for storage buckets? | By default, GCP encrypts bucket data using Google-managed keys automatically. |
| What does the "data encryption key (DEK)" do? | Encrypts the actual data being protected. |
| What does the "key encryption key (KEK)" do? | Encrypts the data encryption key (DEK) in envelope encryption. |
| What does the principle of "least privilege" entail in encryption key management? | Only grant access to encryption keys to users or services that absolutely need it. |
| What GCP service allows secure key sharing between projects? | Cloud KMS lets you share keys securely across projects via IAM roles. |
| What GCP service provides managed certificates for HTTPS? | Google Certificate Manager provides certificates to secure HTTPS traffic. |
| What happens if you lose your CSEK key? | The associated data becomes permanently inaccessible because GCP does not store CSEK keys. |
| What is a keyring in GCP? | It is a grouping of cryptographic keys used for organizing and managing encryption keys. |
| What is a symmetric key in GCP? | A single key used for both encryption and decryption. |
| What is an asymmetric key in GCP? | A key pair with a public key for encryption and a private key for decryption. |
| What is Cloud KMS? | Google's Key Management Service for creating, managing, and using encryption keys securely on GCP. |
| What is CMEK in GCP? | Customer-Managed Encryption Keys allow customers to use their own encryption keys in GCP services. |
| What is CSEK in GCP? | Customer-Supplied Encryption Keys allow customers to bring and manage their own encryption keys outside of GCP. |
| What is envelope encryption in GCP? | A method where data is encrypted using data encryption keys, which are then secured with key encryption keys. |
| What is FIPS 140-2 compliance? | Certification ensuring that a cryptographic module meets strict security standards. |
| What is Google-managed encryption? | Encryption where Google automatically handles and manages encryption keys for cloud data. |
| What is HSM in GCP? | Hardware Security Module, a device for securely storing and managing cryptographic keys. |
| What is key versioning in GCP? | KMS functionality that allows creating multiple versions of a key to enhance security practices. |
| What is the default encryption strategy of GCP? | Google encrypts all data at rest and in transit using its default managed keys. |
| What is the difference between CMEK and CSEK? | CMEK keys are managed securely by GCP integrations, while CSEK keys are entirely managed by the customer. |
| What is the purpose of encryption at rest? | To protect data stored in GCP from unauthorized access and ensure data confidentiality. |
| What is the purpose of encryption in transit? | To secure data while it is being transmitted across networks and prevent unauthorized access. |
| What is Tink in GCP? | Tink is a multi-language cryptographic library by Google for implementing secure encryption and key management. |
| What permissions are needed for use of CMEK? | Users must have appropriate roles and permissions, such as Cloud KMS CryptoKey Encrypter/Decrypter. |
| When should you rotate encryption keys? | Regularly or when a key is suspected to be compromised. |
| When should you use CMEK? | When you need more control over encryption keys but still want seamless management via Google services. |
| When should you use CSEK? | When you need absolute control over encryption keys and their lifecycle outside of GCP. |
| Why is it important to log key usage? | To monitor and secure encryption activities, detect anomalies, and uphold compliance. |
| Why should you use audit logs with encryption key management? | To track key usage and detect potential misuse of your encryption keys. |
This deck explores encryption methods in GCP, including key management, customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), and securing stored and transmitted data.