You need to upload files from your on-premises environment to Cloud Storage. You want the files to be encrypted on Cloud Storage using customer-supplied encryption keys. What should you do?
You need to upload files from your on-premises environment to Cloud Storage. You want the files to be encrypted on Cloud Storage using customer-supplied encryption keys. What should you do?
To upload files from an on-premises environment to Cloud Storage using customer-supplied encryption keys, you should configure the encryption key in a .boto configuration file and use gsutil to upload the files. This method ensures that the files are encrypted using customer-supplied keys during the upload process. Other methods like using the --encryption-key flag are associated with the gcloud command rather than gsutil, making the .boto configuration file the correct approach for gsutil.
In GCP document, key could be configured in .boto. I didn't find information show gsutil suppots flag "--encryption-key". https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
A is ok
.boto file with encryption key, but it will works for individual users, every user should update their own .boto with same key. Also while retrieving you should use the same key to decryption.
The documentation is here: https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt Option C is correct. You can upload a file using customer-supplied encryption with the command: gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
Option C doesn't say "use gcloud storage cp", it says "use gsutil".
I agree, A.(https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys#generating-customer-supplied-encryption-keys)
I think the correct is A
Take into account that by the time this exam was designed, gcloud storage was most likely still not available or just in beta. The "--encryption-key" flag is meant to be used with gcloud, not with gsutil; having said this, if in the actual exam the option says gcloud storage, go for C. If it says gsutil, go for A, as gsutil does not have any "--encryption-key" flag and this question was probably intended to be tricky when it was crafted. Btw, the official documentation states that gcloud storage should be used with that flag, and for gsutil we should add the encryption key to the .boto file - https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gsutil. Again, the questions are probably old and gcloud storage is relatively new.
A is the correct one
Option A is not a valid solution, as the .boto configuration file is not used to specify the encryption key. Option B is also not a valid solution, as gcloud config is used to set global flags for the gcloud command-line tool, and does not affect the use of gsutil. Option D is not necessary, as you can use an existing bucket and simply specify the encryption key when uploading the files. Therefore, the correct answer is C: Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key. This will encrypt the files on Cloud Storage using the customer-supplied encryption key.
A is correct. Link here: https://www.cloudskillsboost.google/focuses/19181?parent=catalog
C is correct you can use customer-supplied encryption keys to upload an object with --encryption-key flag https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt
IDK why most here vote for A. But in the docs it clearly states to use the encryption-flag. https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt Even in the boto reference (https://cloud.google.com/storage/docs/boto-gsutil) there is a reference to the above file. It must be C.
Actually `gsutil` doesn't support a `--encryption-key` flag, it uses a `.boto` file. This is why A is correct
gsutil supports customer-supplied encryption keys: https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gcloud
gsutil supports them, but not to be used with the '--encryption-key' file. In the official documentation (https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gsutil), gsutil is said to be used with the .boto file, and gcloud storage with the '--encryption-key' flag. This question is probably old, so unless that the actual exam has an option with gcloud storage, the correct option is A because gsutil does NOT support the '--encryption-key' flag.
gsutil supports them, but not to be used with the '--encryption-key' file. In the official documentation (https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gsutil), gsutil is said to be used with the .boto file, and gcloud storage with the '--encryption-key' flag. This question is probably old, so unless that the actual exam has an option with gcloud storage, the correct option is A because gsutil does NOT support the '--encryption-key' flag.
gsutil supports customer-supplied encryption keys: https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gcloud
gsutil supports them, but not to be used with the '--encryption-key' file. In the official documentation (https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gsutil), gsutil is said to be used with the .boto file, and gcloud storage with the '--encryption-key' flag. This question is probably old, so unless that the actual exam has an option with gcloud storage, the correct option is A because gsutil does NOT support the '--encryption-key' flag.
The .boto file was indeed used for configuration in older versions of Google Cloud Storage, particularly with the gsutil tool. However, this method is now considered legacy and is not recommended for modern Google Cloud configurations. Option C is correct.
The correct answer is C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key. Here’s why: To encrypt files with a customer-supplied encryption key (CSEK), you can use the gsutil command along with the --encryption-key flag to specify the encryption key when uploading files to Cloud Storage. This allows each file to be encrypted using your specified encryption key, providing an additional layer of security beyond Google-managed encryption. The other options are incorrect: A and B reference .boto configuration files and gcloud config, but those methods are not used to specify customer-supplied encryption keys for file uploads. D incorrectly suggests using --encryption-key when creating a bucket, but encryption keys are supplied during file uploads, not during bucket creation. Thus, C is the correct option to upload files with customer-supplied encryption keys using gsutil.
When using customer-supplied encryption keys (CSEK) in Google Cloud Storage, you can provide the encryption key directly in your gsutil command during the upload operation. The --encryption-key flag allows you to specify the encryption key for encrypting the files as they are uploaded.
A is correct .....
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt this flag exist now
No, its wrong because the flag is for gcloud and not gsutil ... https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gcloud
Option C is correct C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key. gsutil -o "GSUtil:encryption_key=YOUR_BASE64_ENCRYPTION_KEY" cp your_file.txt gs://your-bucket/
Answer: A. Selected A in the exam
A is correct https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys gsutil accepts CSEKs for interacting with Cloud Storage objects using the JSON API. The keys are provided via the .boto configuration file
A is correct. use gsutil to upload file in Cloud Storage. And Cloud Storage configuration is defined in .boto on client side.
Answer is A
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
A is the correct. We have to modify "encryption_key = " in a boto file. C is incorrect because if we want to use only the flag "encryption_key" we have to use gsutil -o "GSUtil:encryption_key=YOUR_ENCRYPTION_KEY" https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line_1
According to https://cloud.google.com/storage/docs/boto-gsutil : Using .boto File for "Using customer-managed or customer-supplied encryption keys."
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt - said to add to boto config file.
The correct answer is **C. Use gsutil to upload the files, and use the flag --encryption-key to supply the encryption key**. To upload files from your on-premises environment to Cloud Storage using customer-supplied encryption keys, you can use the `gsutil` command-line tool. The `gsutil` tool has a flag called `--encryption-key` that allows you to specify the encryption key that you want to use. The following command will upload the file `my-file.txt` to the bucket `my-bucket` using the encryption key `my-encryption-key`: ``` gsutil cp my-file.txt my-bucket --encryption-key my-encryption-key ```
Use the gcloud storage cp command with the --encryption-key flag: https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gcloud That is why option A is correct.
gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY c is wrong b/c of gsutil
Answer: C Use gsutil to upload the files, and use the flag -encryption-key to supply the encryption key. Here’s why this is the best option: 1. Using gsutil: gsutil is the command-line tool for interacting with Google Cloud Storage, and it supports options for specifying customer-supplied encryption keys directly during the upload process. 2. Flag -encryption-key: The -encryption-key flag allows you to specify the encryption key at the time of uploading the files. This ensures that the files are encrypted with the provided key as they are being uploaded to Cloud Storage.
option A, Option A allows you to configure the .boto configuration file with the encryption key. This configuration file is used by gsutil to apply settings, including encryption key management. By placing the encryption key in the .boto file, you ensure that every time gsutil is used, it automatically supplies the correct key for encrypting files as they are uploaded to Cloud Storage. Option C: The --encryption-key flag does not exist for gsutil. Instead, gsutil uses the .boto configuration file or the -o flag for customer-supplied encryption keys.
You can only set customer-supplied encryption keys on individual objects. You cannot set a default customer-supplied encryption key for a bucket. https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
A is correct verified
Per https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#gsutil To use a customer-supplied encryption key with gsutil, add the following option to the [GSUtil] section of your boto configuration file: encryption_key - An RFC 4648 Base64-encoded string of your AES-256 encryption key. So it's A.
In my view it must be A. https://cloud.google.com/storage/docs/encryption/customer-supplied-keys#gsutil
The correct flag is GSUtil:encryption_key so D is wrong. As per documentation A is the correct answer. https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys#generating-customer-supplied-encryption-keys
Note that if you'd like to specify CMEKs on a per-command basis without needing to edit your boto file, you may specify the key name as top-level boto option: gsutil -o 'GSUtil:encryption_key=projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEYNAME' \ cp /some/local/file gs://my-bucket/ Answer is A (boto+encryption key)
all New Questions released in June 2021 are in Question number 3 or share you email
they seem to be deleted from the discussion of Q3. Where can we find them?
are they added somewhere else? please confirm.
vote A
Do qwiklabs you will understand this CSEK using .boto file
A is correct https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
A is ok
boto configuration sets the default encryption key B will not work C works. however evry upload you msust specify --encryption-key D : gsutil mb command option to specify default ke is -key , hence --encryption-key is wrong
A is the correct. We have to modify "encryption_key = " in a boto file. C is incorrect because if we want to use only the flag "encryption_key" we have to use gsutil -o "GSUtil:encryption_key=YOUR_ENCRYPTION_KEY" https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line_1
The .boto configuration file is indeed used by gsutil for its configuration settings, but there are a couple of reasons this isn’t the recommended or most secure method for customer-supplied encryption keys: 1. Security Concerns: Embedding encryption keys directly into configuration files can expose them to unnecessary risks. If someone gains access to this file, they can decrypt your data. 2. Practicality: Using a configuration file is less flexible. If you need different encryption keys for different operations or files, specifying them in a command (as in option C) is much more practical. While technically you might be able to use the .boto configuration file to supply encryption keys, it isn’t the recommended practice, especially for security and flexibility reasons. The best practice, as suggested by Google, is to supply the encryption key directly in the upload command using the --encryption-key flag, making option C the more appropriate choice.
gsultil cannot use with that flag, its must be used in gcloud gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
Hey man! The answer is A. "--encryption-key" is the flag for "gcloud storage cp" command only, not for gsutil. https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#gsutil
A is ok
C - https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#console
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line
A! I agree that the boto file sounds better
The boto configuration file in Google Cloud Platform (GCP) controls how the gsutil command behaves: Setting up gsutil You can use the boto configuration file to set up gsutil to work through a proxy. Using encryption keys You can use the boto configuration file to use customer-managed or customer-supplied encryption keys.
Option C: Use gsutil to upload the files and use the flag --encryption-key to supply the encryption key. This is the correct approach, as it allows you to specify the CSEK directly at the time of upload, ensuring that your files are encrypted using your provided key.
[GSUtil] check_hashes content_language decryption_key1 ... 100 default_api_version disable_analytics_prompt encryption_key
I see option D is not even discussed. The question said "upload files", meaning multiple object. Isn't the encrypted bucked creation a secured way to store them in cloud storage?
right answer is A
Customer-Supplied Encryption Keys (CSEK) are provided on a per-request basis. This means you provide the key during the upload operation itself, not when creating the bucket or through persistent configuration files. gsutil is the command-line tool for interacting with Cloud Storage. The --encryption-key flag specifically allows you to provide the base64 encoded encryption key when uploading objects.
The correct answer is C. Here's why: Customer-Supplied Encryption Keys (CSEK): When using CSEK, you provide the encryption key yourself. Google doesn't store your key on their servers. You're responsible for managing and protecting it. gsutil and --encryption-key: The gsutil command-line tool is the primary way to interact with Cloud Storage. To use CSEK with gsutil, you use the --encryption-key flag directly with the upload command. This flag takes the base64 encoded encryption key as its valu
Only A is 100% correct
This is why it's good to do the Quest and labs before going through practice test like this. If you have actually done the labs nobody will tell you that the correct A is A before you know it
not sure is it A or C?
Should be A since the flag for specifying encryption key in gsutil is not correct, it should be GSUtil:encryption_key
I believe the answer is A. There are so many incorrect answers on this web site.
A is the right answer
A & C are correct, the question should mention picking 2 options
A is the correct answer https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#uploading_with_your_encryption_key
A is correct - https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys
D is wrong because gsutil kms --encryption-key is for CMEK (customer managed encryption key) using cloud kms, not for CSEK (customer supplied encryption key). A is correct answer
Answer is A. Configured this in one of the labs.
A is correct.
I will go with A https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys#generating-customer-supplied-encryption-keys
A. Supply the encryption key in a .boto configuration file. Use gsutil to upload the files.
Answer is A. https://cloud.google.com/storage/docs/boto-gsutil#boto
A is the correct answer
Answer A - https://cloud.google.com/storage/docs/boto-gsutil • Using customer-managed or customer-supplied encryption keys
https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line
should be A. if you use gcloud command, you can add encryption key as option in command line. but if you use gstuil, you have to add key into boto file.. and boto file is configuraiton file for gsutil.
The updated answer its C, there is an --encryption-key flag https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line
correct answers is A as per below extract https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys Encryption Behavior A single encryption_key may be specified in the .boto configuration file, and multiple decryption_keys may be specified. If encryption_key exists in the .boto configuration file, gsutil ensures that data it writes or copies in Cloud Storage is encrypted with that key. If encryption_key is not supplied, gsutil ensures that all data it writes or copies instead uses the destination bucket’s default encryption type – if the bucket has a default KMS key set, that CMEK is used for encryption; if not, Google-managed encryption is used.
A. --encryption-key is usable with gcloud storage command, not with gsutil. https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#upload-encrypt
A is the correct answer. .boto
A is the correct ans.
C - Answer gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY
gcloud storage is not gsutil.
D - Correct gsutil mb -k < Key > gs://xx gsutil -m cp -r xx gs://xx
Choose A
Option C is correct - please refer https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys#command-line
If you pay attention, you'll see that the command mentioned is not gsutil, but gcloud! Of all options mentioned, only A is 100% valid
C is wrong because gsutil does not have a --encryption-key option
A is Correct. Here is the documentation -https://cloud.google.com/storage/docs/boto-gsutil