GCP Professional Cloud Architect Practice Question
A government agency is migrating tens of terabytes of scanned legal records to Compute Engine persistent disks. Compliance policy states:
Google Cloud must never retain any copy (encrypted or plaintext) of the encryption key.
Security officers must be able to make the data permanently unreadable at any moment by deleting their local key material, without invoking any additional Google Cloud APIs.
Which data-at-rest encryption approach best satisfies these requirements?
Use CMEK with Cloud External Key Manager backed by an on-premises HSM.
Use customer-managed encryption keys (CMEK) stored in Cloud KMS and rotate them manually on demand.
Rely on Google-managed default encryption for persistent disks, which encrypts data without any customer-side keys.
Use customer-supplied encryption keys (CSEK) and provide the key in every Compute Engine API request that touches the disks.
Customer-supplied encryption keys (CSEK) meet both constraints. With CSEK, the customer generates and stores the key entirely outside Google Cloud and attaches it to each API request that creates or accesses encrypted data. Google never persists the key; it exists only in memory for the duration of the request. If the customer later destroys the local copy of the key, Google can no longer decrypt the persistent disks, immediately rendering the data unrecoverable without any further action in Google Cloud.
The alternatives do not satisfy the policy:
Customer-managed encryption keys (CMEK) stored in Cloud KMS leave the key material under Google's management.
CMEK with Cloud External Key Manager still requires Google Cloud services to fetch the key from an external system each time data is accessed, so merely deleting a local copy would not disable access.
Google-managed default encryption keys are fully controlled by Google and provide no customer control over key destruction.
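The CSEK workflow described above, sketched as an added example (not part of the original question and not Google's code): a 256-bit key is generated locally, wrapped in the JSON key-file layout that gcloud's --csek-key-file flag reads, checked, and later deleted. The function names and the disk URI are hypothetical placeholders constructed for this example.

```python
import base64
import json
import os
import secrets

# Constructed placeholder, not a value from the page.
EXAMPLE_DISK_URI = (
    "https://www.googleapis.com/compute/v1/projects/example-project"
    "/zones/us-central1-a/disks/example-disk"
)


def new_csek_entry(disk_uri):
    """Generate a 256-bit key locally and wrap it as a CSEK key-file entry."""
    raw_key = secrets.token_bytes(32)  # CSPRNG; generated outside Google Cloud
    key_b64 = base64.b64encode(raw_key).decode("ascii")
    return {"uri": disk_uri, "key": key_b64, "key-type": "raw"}


def validate_entries(entries):
    """Return a list of problems; an empty list means every entry is usable."""
    problems = []
    for i, entry in enumerate(entries):
        try:
            raw = base64.b64decode(entry.get("key", ""), validate=True)
        except ValueError:
            problems.append(f"entry {i}: key is not valid base64")
            continue
        if len(raw) != 32:
            problems.append(f"entry {i}: key is {len(raw)} bytes, expected 32")
        if entry.get("key-type") != "raw":
            problems.append(f"entry {i}: only key-type 'raw' is handled here")
    return problems


def write_key_file(path, entries):
    """Write the key file with owner-only permissions (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(entries, fh, indent=2)
    # Passed on each request, e.g.:
    #   gcloud compute disks create example-disk --csek-key-file <path>


def destroy_key_file(path):
    """Remove the local key file; True once nothing remains at that path."""
    if os.path.exists(path):
        os.remove(path)
    return not os.path.exists(path)
```

Removing the file makes the disks unreadable only if it was the sole copy of the key; any backup or exported copy of the key material has to be destroyed as well.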
GCP Professional Cloud Architect
Designing for security and compliance