You are designing a Data Warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate the encryption keys outside of Google Cloud. You need to implement a solution. What should you do?
To ensure sensitive data is encrypted using a key generated outside of Google Cloud, an existing key must be imported into Cloud Key Management Service (Cloud KMS). Once imported, the key can then be used as a customer-managed encryption key (CMEK) to encrypt data stored in BigQuery. This prevents the need for generating new keys within Google Cloud, aligning with the company's requirements. Therefore, import the key into Cloud KMS and set up a Dataflow pipeline to decrypt and store the data in BigQuery, ensuring it remains encrypted, complies with security policies, and follows the proper encryption protocols.
D is OK
But CSEK is not supported in BigQuery
It is a tricky distinction because of the term collision. However, "import key to KMS" does not mean CSEK. CSEK does not get imported or stored in KMS at all. CSEK "customer supplied" is per-transaction uploaded by every API call by the user/client (no KMS). This situation "customer supplied" means created from non-GCP KMS (could be on-prem or EKM). Once a key is imported to KMS it is treated as CMEK. The API client calling GCS doesn't need to upload the key. It lives in KMS. That is not the same "per-transaction" upload as CSEK.
I mean after being imported to KMS your key is handled like a CMEK and available to the BQ service.
The answer is easy. It says keys must be left outside of Google Cloud. This automatically eliminates A / B. Now option C says it decrypts before storing it in BigQuery, whereas the point is to encrypt the data while it is in BigQuery. D is the only possible answer.
Except that BigQuery doesn't support customer supplied keys outside of GCP.
Answer D is incorrect because BigQuery does not support the use of customer-supplied keys to encrypt data at rest. Instead, you can use customer-managed encryption keys in Cloud KMS to encrypt the data in BigQuery. To do this, you can either generate a new key in Cloud KMS (answer A) or import an existing key (answer C). Once you have a key in Cloud KMS, you can create a BigQuery dataset and select the key as the customer-managed key for the dataset. This will enable BigQuery to use the key to encrypt the data in the dataset.
Yes, BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK). The answer must be either A or C; since they say generate the key outside Google Cloud, import the key, hence I go for answer C.
https://cloud.google.com/bigquery/docs/customer-managed-encryption#before_you_begin
https://cloud.google.com/kms/docs/importing-a-key
You have to know the difference between CSEK and "imported keys to KMS". Those are not the same things. CSEK is never stored in KMS, obviously an imported key is. It is then as available as any CMEK to BQ.
GCP docs say "BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK)." However, I just tested it and it worked:
1. Create key: openssl rand 32 > ./key2
2. Import into KMS: gcloud kms keys versions import --import-job csek1 --location us-west1 --keyring csek --key csek --algorithm google-symmetric-encryption --target-key-file ./key2
3. In Cloud Console: select the key when creating a new data set and table in BigQuery
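The bring-your-own-key flow from the comment above, written out end to end as an added example script (not from the thread, and not Google's own sample code): generate the raw 256-bit key outside Google Cloud, create an import job and a key with no initial version, import the key material with gcloud, grant the BigQuery encryption service account access to the key, and create a dataset that uses the imported key as its default CMEK. PROJECT_ID, PROJECT_NUMBER, LOCATION, KEYRING, KEY, IMPORT_JOB and DATASET are placeholders; the script defaults to DRY_RUN=1, which only prints the gcloud/bq commands it would run.

```shell
#!/bin/sh
# Added example: bring your own key into Cloud KMS, then use it as the CMEK
# for a BigQuery dataset. All resource names below are placeholders.
# DRY_RUN=1 (default) prints the cloud commands instead of executing them;
# DRY_RUN=0 runs them for real against an authenticated gcloud/bq setup.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"            # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"  # placeholder, numeric project id
LOCATION="${LOCATION:-us-west1}"
KEYRING="${KEYRING:-byok-ring}"
KEY="${KEY:-bq-cmek}"
IMPORT_JOB="${IMPORT_JOB:-byok-job}"
DATASET="${DATASET:-sensitive_dw}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: generate the raw AES-256 key outside Google Cloud (32 random bytes).
generate_key() {
  keyfile="$1"
  openssl rand 32 > "$keyfile" 2>/dev/null || head -c 32 /dev/urandom > "$keyfile"
  chmod 600 "$keyfile"
}

# Size of the key file in bytes; google-symmetric-encryption needs exactly 32.
key_length() { wc -c < "$1" | tr -d ' '; }

# Steps 2-4: import the key into Cloud KMS and point a BigQuery dataset at it.
byok_to_bigquery() {
  keyfile="$1"
  if [ "$(key_length "$keyfile")" != "32" ]; then
    printf 'refusing to import %s: expected 32 raw bytes\n' "$keyfile" >&2
    return 1
  fi
  key_resource="projects/$PROJECT_ID/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY"

  # Key ring, import job (wraps the key in transit) and an empty key to import into.
  run gcloud kms keyrings create "$KEYRING" --location "$LOCATION"
  run gcloud kms import-jobs create "$IMPORT_JOB" --location "$LOCATION" \
    --keyring "$KEYRING" --import-method rsa-oaep-3072-sha1-aes-256 \
    --protection-level software
  run gcloud kms keys create "$KEY" --location "$LOCATION" --keyring "$KEYRING" \
    --purpose encryption --skip-initial-version-creation

  # Import the externally generated key material as the first key version.
  run gcloud kms keys versions import --import-job "$IMPORT_JOB" \
    --location "$LOCATION" --keyring "$KEYRING" --key "$KEY" \
    --algorithm google-symmetric-encryption --target-key-file "$keyfile"

  # BigQuery encrypts with the key through its own service account, which needs
  # encrypter/decrypter on the key (this is the step most often forgotten).
  run gcloud kms keys add-iam-policy-binding "$KEY" --location "$LOCATION" \
    --keyring "$KEYRING" \
    --member "serviceAccount:bq-$PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  # Dataset whose tables default to the imported key (CMEK, not CSEK).
  run bq --location="$LOCATION" mk --dataset \
    --default_kms_key="$key_resource" "$PROJECT_ID:$DATASET"

  # The only long-term copy of the raw key should live in your external key
  # store; do not leave it on the workstation that ran the import.
  run rm -f "$keyfile"
}

# Usage: sh byok_bq.sh ./key2   (generate ./key2 first with generate_key)
if [ "$#" -gt 0 ]; then byok_to_bigquery "$1"; fi
```

Run it once with the defaults to review the exact commands, then with DRY_RUN=0 and your real project values. Note that nothing here is a customer-supplied key: after the import the key version lives in Cloud KMS and BigQuery fetches it through IAM on every operation, which is precisely why the documentation's CSEK statement and a working import are not in conflict.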
Right, term collision with "customer supplied" key. However, "import key to KMS" does not mean CSEK.
D is correct. I had this question on the exam today and I go with D. Explanation: generate the key outside GCP, so C and D are correct. "Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset" is not correct because it means that data exists on GCP, which is not correct. Only D is correct.
C - as BigQuery doesn't support Customer Supplied Keys.
D is ok
Answer D. Questions says "...design data warehouse..." - would prefer BigQuery
answer is D https://cloud.google.com/bigquery/docs/customer-managed-encryption
Correct answer is D
Keywords: "keys outside of Google Cloud", so you have to import the key. Between C and D I go with D.
BigQuery doesn't support CSEK
Sorry, even C is not correct: why store the data in BQ without encryption? Data should be passed encrypted from storage to BQ. Then the answer is B.
I would go with C. https://cloud.google.com/bigquery/docs/customer-managed-encryption Read that document in the link carefully. 1st paragraph: "By Default, BigQuery encrypts your content stored at rest"; 1st bullet point, 2nd paragraph under the [Before you Begin] section: "BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK)" There is also a difference between CMEK and CSEK. CMEK: you can create and manage a key using Cloud KMS; CSEK: you specify the contents of the key; Ref for CMEK vs CSEK: https://cloud.google.com/sql/docs/mysql/cmek#:~:text=Note%3A%20Customer%2Dmanaged%20encryption%20keys,specific%20resources%20across%20Google%20Cloud.
Even though I'll choose C for the answer over D, because of the terminology in "BQ using customer-supplied key", I have an issue with this: to me it does not make any sense. The data is being encrypted by some key, say K1, to store in Cloud Storage, then decrypted, to be re-encrypted (automatically by say K2, a Google-created key) by BigQuery when being stored. This negates the use of K1 on your data storage in BigQuery. It makes no sense. If someone sees this differently, I'd love to hear it. Thanks.
BQ DOES support CSEK.
If you want to control encryption yourself, you can use customer-managed encryption keys (CMEK) for BigQuery. https://cloud.google.com/bigquery/docs/customer-managed-encryption
There is a difference between customer managed and customer supplied. The link that you have shared talks about customer managed and not customer supplied.
A, B, C are ruled out as they say Customer Managed keys. Hence, D.
https://cloud.google.com/bigquery/docs/customer-managed-encryption
It cannot be D, BigQuery does not support customer supplied KMS keys, only customer managed keys. B.
The answer cannot be D since BigQuery does not support customer provided keys, only customer managed keys generated in Cloud KMS. So B is the only viable option that doesn't add complexity.