GCP Professional Cloud Security Engineer Practice Question
A media-streaming company ingests user activity logs that must be encrypted using envelope encryption before the data is written to BigQuery. During peak hours, the data-processing pipeline performs about 30,000 symmetric Encrypt or Decrypt operations per minute, distributed across several keys. The security policy requires that keys be protected in a module validated to at least FIPS 140-2 Level 1. There is no mandate for hardware-backed key storage. To keep latency and operational costs low while staying within default service quotas, which key-management approach should the team choose?
Implement client-side encryption with the Tink library and keep the master key material in an external HSM managed by the security team.
Create symmetric software-protected keys in Cloud KMS and invoke the Encrypt and Decrypt API from the data-processing pipeline.
Store the keys in an on-premises HSM and access them through Cloud External Key Manager (EKM) for every encryption and decryption request.
Provision symmetric keys in Cloud HSM so each operation executes in a FIPS 140-2 Level 3 hardware security module.
Symmetric software-protected keys in Cloud KMS are secured by Google's BoringCrypto module, which is validated at FIPS 140-2 Level 1. This satisfies the policy requirement without the additional cost and latency associated with Cloud HSM or external HSM solutions. Cloud KMS's default quota of 60,000 symmetric cryptographic requests per minute (1,000 QPS) per key ring is sufficient to handle the projected 30,000 operations per minute. Therefore, using Cloud KMS software-protected keys via the Encrypt and Decrypt API best meets compliance, performance, and cost objectives. Hardware-backed options such as Cloud HSM or external HSMs incur higher costs and may have similar or lower default throughput, while fully client-side encryption would add operational complexity and does not leverage managed service quotas.
GCP Professional Cloud Security Engineer
Ensuring data protection