GCP Professional Cloud Security Engineer Practice Question
Your company, a European financial institution, must store transaction logs in Google Cloud Storage and BigQuery. Local regulations mandate that the cryptographic keys used to encrypt the data never leave the bank's on-premises HSM, and auditors require demonstrable separation between data at rest and the encryption keys. Which Google Cloud capability best satisfies these requirements while avoiding custom application-level encryption?
Implement client-side envelope encryption in your application and upload pre-encrypted objects.
Rely on Google default encryption for both services because keys are always encrypted by Google.
Configure Cloud Storage and BigQuery with customer-managed encryption keys (CMEK) stored in Cloud KMS.
Use Cloud External Key Manager (EKM) to protect the datasets with keys resident in the on-premises HSM.
Cloud External Key Manager (EKM) lets you use encryption keys that are generated and held in an external key management system, such as an on-premises HSM, while still taking advantage of built-in server-side encryption for services like Cloud Storage and BigQuery. Because the key material never resides in Google Cloud, EKM provides the required physical separation between data and keys. CMEK with Cloud KMS does not meet the requirement because the keys are stored inside Google-managed infrastructure. Google default encryption also stores keys in Google-controlled systems and offers no customer control. Client-side envelope encryption keeps keys on-premises but requires custom encryption and decryption logic in every application, increasing operational complexity that the scenario seeks to avoid.
GCP Professional Cloud Security Engineer
Ensuring data protection