Bash, the Crucial Exams Chat Bot
AI Bot
Data Protection and Encryption (GCP PCSE) Flashcards
GCP Professional Cloud Security Engineer Flashcards
| Front | Back |
| How can you revoke access to a CMEK key | You can disable the cryptographic key or delete it via Cloud KMS. |
| How does GCP handle data encryption for storage buckets | By default, GCP encrypts bucket data using Google-managed keys automatically. |
| What does the "data encryption key (DEK)" do | Encrypts the actual data being protected. |
| What does the "key encryption key (KEK)" do | Encrypts the data encryption key (DEK) in envelope encryption. |
| What does the principle of "least privilege" entail in encryption key management | Only grant access to encryption keys to users or services that absolutely need it. |
| What GCP service allows secure key sharing between projects | Cloud KMS lets you share keys securely across projects via IAM roles. |
| What GCP service provides managed certificates for HTTPS | Google Certificate Manager provides certificates to secure HTTPS traffic. |
| What happens if you lose your CSEK key | The associated data becomes permanently inaccessible because GCP does not store CSEK keys. |
| What is a keyring in GCP | It is a grouping of cryptographic keys used for organizing and managing encryption keys. |
| What is a symmetric key in GCP | A single key used for both encryption and decryption. |
| What is an asymmetric key in GCP | A key pair with a public key for encryption and a private key for decryption. |
| What is Cloud KMS | Google's Key Management Service for creating, managing, and using encryption keys securely on GCP. |
| What is CMEK in GCP | Customer-Managed Encryption Keys allow customers to use their own encryption keys in GCP services. |
| What is CSEK in GCP | Customer-Supplied Encryption Keys allow customers to bring and manage their own encryption keys outside of GCP. |
| What is envelope encryption in GCP | A method where data is encrypted using data encryption keys, which are then secured with key encryption keys. |
| What is FIPS 140-2 compliance | Certification ensuring that a cryptographic module meets strict security standards. |
| What is Google-managed encryption | Encryption where Google automatically handles and manages encryption keys for cloud data. |
| What is HSM in GCP | Hardware Security Module, a device for securely storing and managing cryptographic keys. |
| What is key versioning in GCP | KMS functionality that allows creating multiple versions of a key to enhance security practices. |
| What is the default encryption strategy of GCP | Google encrypts all data at rest and in transit using its default managed keys. |
| What is the difference between CMEK and CSEK | CMEK keys are managed securely by GCP integrations, while CSEK keys are entirely managed by the customer. |
| What is the purpose of encryption at rest | To protect data stored in GCP from unauthorized access and ensure data confidentiality. |
| What is the purpose of encryption in transit | To secure data while it is being transmitted across networks and prevent unauthorized access. |
| What is Tink in GCP | Tink is a multi-language cryptographic library by Google for implementing secure encryption and key management. |
| What permissions are needed for use of CMEK | Users must have appropriate roles and permissions, such as Cloud KMS CryptoKey Encrypter/Decrypter. |
| When should you rotate encryption keys | Regularly or when a key is suspected to be compromised. |
| When should you use CMEK | When you need more control over encryption keys but still want seamless management via Google services. |
| When should you use CSEK | When you need absolute control over encryption keys and their lifecycle outside of GCP. |
| Why is it important to log key usage | To monitor and secure encryption activities, detect anomalies, and uphold compliance. |
| Why should you use audit logs with encryption key management | To track key usage and detect potential misuse of your encryption keys. |
Front
What is FIPS 140-2 compliance
Click the card to flip
Back
Certification ensuring that a cryptographic module meets strict security standards.
Front
What GCP service provides managed certificates for HTTPS
Back
Google Certificate Manager provides certificates to secure HTTPS traffic.
Front
What is Google-managed encryption
Back
Encryption where Google automatically handles and manages encryption keys for cloud data.
Front
What is the purpose of encryption in transit
Back
To secure data while it is being transmitted across networks and prevent unauthorized access.
Front
What is Cloud KMS
Back
Google's Key Management Service for creating, managing, and using encryption keys securely on GCP.
Front
What is an asymmetric key in GCP
Back
A key pair with a public key for encryption and a private key for decryption.
Front
How can you revoke access to a CMEK key
Back
You can disable the cryptographic key or delete it via Cloud KMS.
Front
What is key versioning in GCP
Back
KMS functionality that allows creating multiple versions of a key to enhance security practices.
Front
When should you rotate encryption keys
Back
Regularly or when a key is suspected to be compromised.
Front
What is envelope encryption in GCP
Back
A method where data is encrypted using data encryption keys, which are then secured with key encryption keys.
Front
What is CMEK in GCP
Back
Customer-Managed Encryption Keys allow customers to use their own encryption keys in GCP services.
Front
When should you use CMEK
Back
When you need more control over encryption keys but still want seamless management via Google services.
Front
What is the purpose of encryption at rest
Back
To protect data stored in GCP from unauthorized access and ensure data confidentiality.
Front
What is Tink in GCP
Back
Tink is a multi-language cryptographic library by Google for implementing secure encryption and key management.
Front
What is a symmetric key in GCP
Back
A single key used for both encryption and decryption.
Front
What is a keyring in GCP
Back
It is a grouping of cryptographic keys used for organizing and managing encryption keys.
Front
What happens if you lose your CSEK key
Back
The associated data becomes permanently inaccessible because GCP does not store CSEK keys.
Front
What is the difference between CMEK and CSEK
Back
CMEK keys are managed securely by GCP integrations, while CSEK keys are entirely managed by the customer.
Front
What does the "data encryption key (DEK)" do
Back
Encrypts the actual data being protected.
Front
What does the principle of "least privilege" entail in encryption key management
Back
Only grant access to encryption keys to users or services that absolutely need it.
Front
What is HSM in GCP
Back
Hardware Security Module, a device for securely storing and managing cryptographic keys.
Front
Why is it important to log key usage
Back
To monitor and secure encryption activities, detect anomalies, and uphold compliance.
Front
When should you use CSEK
Back
When you need absolute control over encryption keys and their lifecycle outside of GCP.
Front
What GCP service allows secure key sharing between projects
Back
Cloud KMS lets you share keys securely across projects via IAM roles.
Front
What permissions are needed for use of CMEK
Back
Users must have appropriate roles and permissions, such as Cloud KMS CryptoKey Encrypter/Decrypter.
Front
What is the default encryption strategy of GCP
Back
Google encrypts all data at rest and in transit using its default managed keys.
Front
What is CSEK in GCP
Back
Customer-Supplied Encryption Keys allow customers to bring and manage their own encryption keys outside of GCP.
Front
What does the "key encryption key (KEK)" do
Back
Encrypts the data encryption key (DEK) in envelope encryption.
Front
Why should you use audit logs with encryption key management
Back
To track key usage and detect potential misuse of your encryption keys.
Front
How does GCP handle data encryption for storage buckets
Back
By default, GCP encrypts bucket data using Google-managed keys automatically.
1/30
This deck explores encryption methods in GCP, including key management, customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), and securing stored and transmitted data.