A healthcare provider stores sensitive patient telemetry in BigQuery. A new regulation requires that the encryption keys protecting this data must remain in an on-premises, FIPS 140-2 Level 3 certified HSM that is managed exclusively by the provider's security team. Analysts must continue to run existing SQL workloads without code changes, and key rotation must occur automatically through the key-management system rather than by updating application logic. Which Google Cloud encryption approach best meets these requirements?
Configure BigQuery to use a Customer-Managed Encryption Key that is hosted in an on-premises HSM through Cloud External Key Manager.
Protect the dataset with Customer-Supplied Encryption Keys (CSEK) provided in every BigQuery API call.
Configure BigQuery with Customer-Managed Encryption Keys stored in Cloud KMS and backed by Cloud HSM.
Enable the default Google-managed encryption that automatically secures data at rest.
Because the regulation stipulates that encryption keys must stay in an on-premises FIPS 140-2 Level 3 HSM under the customer's sole control, the only Google Cloud option that satisfies this is Cloud External Key Manager (EKM). With EKM, BigQuery can be configured to use a customer-managed encryption key whose key material never leaves the customer-owned HSM; instead of receiving the key, Google Cloud calls the external key manager on demand over a secure channel to wrap and unwrap the data encryption keys, so the data remains encrypted at rest under an externally hosted key. Key rotation is handled in the external HSM and is transparent to BigQuery clients, so no SQL jobs or application code need to change.
Using CMEK backed by Cloud HSM would store the key inside Google Cloud, violating the requirement that keys remain on-premises. Default Google-managed keys do not satisfy customer-control or residency requirements. Customer-supplied encryption keys (CSEK) are not supported for BigQuery and require applications to supply a key with every request, which would break existing workloads and fail to automate rotation. Therefore, configuring BigQuery with an external key through Cloud EKM is the correct solution.
GCP Professional Data Engineer
Designing data processing systems