A healthcare provider is building a Dataflow pipeline that loads sensitive genomic records into a BigQuery dataset located in the europe-west2 region. Regulations require that: 1) all data be encrypted with keys that remain exclusively in the hospital's on-premises HSM, 2) every decryption operation be auditable in Cloud Logging, and 3) no application code changes be needed beyond configuration. Which key-management approach should you recommend?
Use Cloud External Key Manager (EKM) with an externally managed key and enable CMEK on the BigQuery dataset and Dataflow temporary buckets.
Create Customer-Managed Encryption Keys (CMEK) in Cloud KMS and rotate them weekly.
Enable default Google-managed encryption for BigQuery and Dataflow artifacts and rely on Cloud Audit Logs.
Configure Customer-Supplied Encryption Keys (CSEK) and pass the key with every Dataflow and BigQuery request.
Cloud External Key Manager (EKM) lets Google Cloud services such as BigQuery and Cloud Storage use an encryption key that is stored and managed in an external HSM. When you enable CMEK protection with an EKM key, the key material never resides in Google Cloud, yet BigQuery and Dataflow can transparently encrypt and decrypt data without code changes. Every call to the external key is captured in Cloud Audit Logs, satisfying the auditing requirement. Customer-supplied encryption keys cannot be used with BigQuery and require applications to pass the key on each request, while CMEK keys kept entirely inside Cloud KMS do not meet the mandate that the key stay on-premises. Default Google-managed keys provide no customer control.
GCP Professional Data Engineer
Designing data processing systems