GCP Professional Cloud Security Engineer Practice Question
Your organization must retain sole custody of its encryption keys on an on-premises HSM. You decide to use Cloud External Key Manager (EKM) so that both BigQuery datasets and Compute Engine persistent disks are protected by keys stored outside Google Cloud. Which statement accurately describes how Google Cloud interacts with those externally hosted keys during normal read and write operations?
Because EKM is enabled, Google Cloud support cannot rotate or create snapshots of encrypted persistent disks until the keys are re-imported.
EKM can be configured only with asymmetric keys; symmetric keys are not supported.
The customer-owned key-encrypting key never leaves the external system; Cloud KMS contacts that system over the network to wrap or unwrap the data encryption key each time data is accessed.
BigQuery tables and disks protected by EKM must reside in a dedicated project that contains no other Google Cloud resources.
When you enable CMEK with EKM, Google Cloud services such as BigQuery and Compute Engine call Cloud KMS, which in turn makes a real-time, TLS-protected request to the external key management system whenever a data encryption key (DEK) must be wrapped or unwrapped. The customer-owned key-encrypting key (KEK) stays inside the external HSM; only the DEK travels between Cloud KMS and the external system. Google never stores or caches the KEK, satisfying the requirement that the primary encryption key remain under exclusive customer control. The other options are incorrect because EKM does not mandate a dedicated project, does not prohibit snapshot operations, and supports only symmetric external keys rather than exclusively asymmetric keys.
GCP Professional Cloud Security Engineer
Ensuring data protection