GCP Professional Cloud Security Engineer Practice Question
Your security team keeps a 256-bit AES key in an on-premises FIPS-validated HSM and wants to reuse that key as the customer-managed encryption key (CMEK) for a BigQuery dataset stored in the europe-west1 region. You must import the key into Cloud KMS while ensuring the key material is never sent to Google in plaintext. Which procedure satisfies Google Cloud's requirements and the security goal?
Create a hardware-backed key in Cloud HSM and copy the on-premises key bytes into the first key version through the KMS REST API without wrapping.
Configure Cloud External Key Manager (EKM) to reference the on-premises HSM URI and assign that external key to the BigQuery dataset instead of importing the key into Cloud KMS.
Create a key ring and symmetric key in europe-west1, generate a SOFTWARE protection-level import job, wrap the AES key offline with AES-KWP (RFC 5649) using the job's public key, then run gcloud kms keys versions import to upload the wrapped key.
Create a key ring in the global location and paste the Base64-encoded 32-byte key directly into the first key version by using the Cloud Console's Upload key material option.
The key ring and symmetric CryptoKey must reside in the same region (europe-west1) as the BigQuery dataset. Create an import job whose protection level matches the target CryptoKey version (SOFTWARE or HSM). Download the import job's public wrapping key and wrap the 256-bit AES key offline with a supported algorithm such as AES-KWP (RFC 5649) or RSA_OAEP_3072_SHA1_AES_256. Finally, use gcloud kms keys versions import (or the equivalent API method) to upload the wrapped key material. This process keeps the key encrypted during transit and complies with Cloud KMS BYOK requirements. Directly pasting raw Base64 bytes, copying key material without wrapping, and using Cloud EKM (which links to the key but does not import it) do not meet the import workflow requirements.
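The offline wrapping step for the RSA_OAEP_3072_SHA1_AES_256 method, as an added example that is not part of the original question: a one-time AES-256 key wraps the target key with AES-KWP, and the import job's RSA public key wraps that one-time key. It assumes the Python `cryptography` package; the function names and the locally generated RSA key standing in for the import job's key are hypothetical.

```python
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# OAEP parameters used by the RSA_OAEP_3072_SHA1_AES_256 import method.
OAEP_SHA1 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None
)


def stand_in_import_job_key():
    """Constructed stand-in for the import job's RSA-3072 key pair (assumption)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=3072)


def wrap_for_import(job_public_key, target_key: bytes) -> bytes:
    """Return RSA-OAEP(ephemeral key) || AES-KWP(ephemeral key, target_key)."""
    if len(target_key) != 32:
        raise ValueError("expected a 256-bit AES key")
    if job_public_key.key_size != 3072:
        raise ValueError("expected a 3072-bit import job key")
    ephemeral = os.urandom(32)  # one-time AES-256 wrapping key, never stored
    wrapped_target = aes_key_wrap_with_padding(ephemeral, target_key)  # RFC 5649
    wrapped_ephemeral = job_public_key.encrypt(ephemeral, OAEP_SHA1)
    return wrapped_ephemeral + wrapped_target


def unwrap_locally(job_private_key, blob: bytes) -> bytes:
    """Reverse the wrap to self-check the blob; only possible with the stand-in key."""
    rsa_len = job_private_key.key_size // 8
    ephemeral = job_private_key.decrypt(blob[:rsa_len], OAEP_SHA1)
    return aes_key_unwrap_with_padding(ephemeral, blob[rsa_len:])


if __name__ == "__main__":
    job_key = stand_in_import_job_key()
    aes_key = os.urandom(32)  # constructed sample key for the demonstration
    blob = wrap_for_import(job_key.public_key(), aes_key)
    assert unwrap_locally(job_key, blob) == aes_key
    print(len(blob), "bytes: 384 RSA ciphertext + 40 AES-KWP output")
```

With a real import job, only Cloud KMS holds the private key, so the local unwrap check is not available and the resulting blob is what gets uploaded with gcloud kms keys versions import.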
GCP Professional Cloud Security Engineer
Ensuring data protection