A healthcare provider must comply with national regulations that prohibit any hyperscaler, including Google Cloud, from ever holding or recovering the encryption keys that protect patient data. The analytics team wants to load sensitive HL7 records into BigQuery and Cloud Storage, using customer-managed encryption keys that reside in an on-premises Hardware Security Module (HSM). The solution must
ensure that Google Cloud services can never decrypt data without a successful call to the on-premises HSM,
avoid operational work to periodically re-import keys into Google Cloud, and
minimize downtime if the primary on-premises HSM becomes unreachable.
Which design best satisfies these requirements?
Create a Cloud KMS key that uses Cloud External Key Manager. Define an EkmConnection with multiple on-premises HSM endpoints and set that key as a CMEK for BigQuery datasets and Cloud Storage buckets.
Configure Customer-Managed Encryption Keys (CMEK) stored in Cloud KMS HSM and enable automatic Google-managed fallback in case the on-premises HSM is unavailable.
Use Customer-Supplied Encryption Keys (CSEK) for each Cloud Storage object and configure periodic re-upload of the key material to avoid expiry.
Import the HSM key material into Cloud KMS every 90 days, then reference the imported key as a CMEK for BigQuery and Cloud Storage.
Cloud External Key Manager (EKM) lets Google Cloud wrap the Data Encryption Keys (DEKs) for BigQuery and Cloud Storage with a key that is stored in, and never leaves, an external HSM. Because the key material never enters Google-controlled infrastructure, Google can decrypt data only after a real-time unwrap call succeeds against the external key, meeting the "never held by Google" requirement.

To keep the solution highly available without re-importing keys, you create one Cloud KMS key ring and key whose key version references the external key, and associate that key with an EkmConnection containing multiple redundant endpoints that point to separate HSM instances in your on-premises cluster. Cloud KMS automatically fails over to the next healthy endpoint if the first is unavailable, so encryption and decryption requests continue without operator intervention.

Importing key material into Cloud KMS, using Customer-Supplied Encryption Keys (CSEK), or enabling Google-managed fallback would all violate the requirement that Google must never possess or recover the key, and rotating a newly imported key on a schedule would add unnecessary operational overhead.
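The following Python is an added illustration, not part of the original question or any Google Cloud code. It models the flow the explanation describes: the cloud side stores only ciphertext and a wrapped DEK, every read requires a live unwrap call to an external HSM, and an EkmConnection fails over across replicas in order. A toy HMAC-SHA256 keystream stands in for AES, and the two replicas are assumed to share one replicated KEK; both are constructed assumptions.

```python
import hmac, hashlib, os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for AES (assumption)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class OnPremHsm:
    """One HSM replica. The KEK is created here and never leaves the device."""
    def __init__(self, kek: bytes, healthy: bool = True):
        self._kek, self.healthy = kek, healthy
    def wrap(self, dek: bytes) -> bytes:
        if not self.healthy:
            raise ConnectionError("HSM unreachable")
        nonce = os.urandom(16)
        return nonce + xor(dek, keystream(self._kek, nonce, len(dek)))
    def unwrap(self, wrapped: bytes) -> bytes:
        if not self.healthy:
            raise ConnectionError("HSM unreachable")
        nonce, body = wrapped[:16], wrapped[16:]
        return xor(body, keystream(self._kek, nonce, len(body)))

class EkmConnection:
    """Ordered list of endpoints; each call falls through to the next healthy replica."""
    def __init__(self, endpoints):
        self.endpoints = endpoints
    def call(self, op: str, arg: bytes) -> bytes:
        for ep in self.endpoints:
            try:
                return getattr(ep, op)(arg)
            except ConnectionError:
                continue  # try the next replica
        raise RuntimeError("no EKM endpoint reachable; data cannot be decrypted")

class CloudStorage:
    """Google side: holds ciphertext and the wrapped DEK, never the KEK or a plain DEK."""
    def __init__(self, ekm: EkmConnection):
        self.ekm, self.objects = ekm, {}
    def put(self, name: str, data: bytes) -> None:
        dek, nonce = os.urandom(32), os.urandom(16)
        ct = nonce + xor(data, keystream(dek, nonce, len(data)))
        self.objects[name] = (self.ekm.call("wrap", dek), ct)  # DEK discarded after wrap
    def get(self, name: str) -> bytes:
        wrapped, ct = self.objects[name]
        dek = self.ekm.call("unwrap", wrapped)  # real-time call to the HSM on every read
        return xor(ct[16:], keystream(dek, ct[:16], len(ct) - 16))
```

If every endpoint in the connection is down, reads fail rather than falling back to a Google-held key, which is exactly the behaviour the regulation demands and the reason the EkmConnection needs more than one replica.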
GCP Professional Data Engineer
Designing data processing systems