
Professional Cloud Security Engineer Exam - Question 34


Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

Correct Answer: B

To manage the symmetric encryption keys used for Cloud Dataproc persistent disks, the best approach is to use Cloud Key Management Service (KMS) to manage the key encryption key (KEK). Google uses a two-level encryption model in which the data encryption key (DEK) is itself encrypted with a KEK. The KEK can be created, rotated, and destroyed in Cloud KMS, which is what the question asks for and aligns with Google Cloud's encryption management best practices.
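Because the explanation above rests entirely on the two-level (envelope) model, here is an added example, not code from the exam page or from Google's Cloud KMS, that implements the same DEK/KEK separation in Go with AES-256-GCM from the standard library. The `KEK` type is an in-memory stand-in for a versioned Cloud KMS key (an assumption: real Cloud KMS never releases KEK material; the `Rotate`, `Destroy`, `Wrap`, `Unwrap` names and the `version||nonce||ciphertext` wrapped-DEK layout are this example's own). It shows why managing only the KEK is enough: a rotation re-wraps the DEK under the new version while the bulk ciphertext stays untouched, and a DEK wrapped only under a destroyed version can no longer be recovered.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)
// newGCM builds an AES-256-GCM AEAD from 32 bytes of key material.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// gcmSeal encrypts under a random nonce; output is nonce||ciphertext||tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// gcmOpen reverses gcmSeal and fails on any tampering.
func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
// KEK is a constructed stand-in for a versioned Cloud KMS key (assumption: real Cloud KMS never releases KEK bytes; they live in memory here only so the example runs offline).
type KEK struct {
	versions map[uint32][]byte // version -> 32-byte key material
	primary  uint32            // version used for new Wrap calls; 0 means no version yet
}
// Rotate adds a fresh version and makes it primary; older versions still unwrap until destroyed.
func (k *KEK) Rotate() error {
	if k.versions == nil { k.versions = map[uint32][]byte{} }
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil { return err }
	k.primary++
	k.versions[k.primary] = material
	return nil
}
// Destroy drops a non-primary version; any DEK wrapped only under it becomes unrecoverable.
func (k *KEK) Destroy(version uint32) error {
	if version == k.primary { return fmt.Errorf("refusing to destroy the primary KEK version") }
	if _, ok := k.versions[version]; !ok { return fmt.Errorf("KEK version %d does not exist", version) }
	delete(k.versions, version)
	return nil
}
// Wrap encrypts a DEK under the primary version; output is version||nonce||ciphertext||tag.
func (k *KEK) Wrap(dek []byte) ([]byte, error) {
	blob, err := gcmSeal(k.versions[k.primary], dek)
	if err != nil { return nil, err }
	out := make([]byte, 4, 4+len(blob))
	binary.BigEndian.PutUint32(out, k.primary)
	return append(out, blob...), nil
}
// Unwrap recovers a DEK with whichever version it was wrapped under.
func (k *KEK) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 { return nil, fmt.Errorf("wrapped DEK too short") }
	v := binary.BigEndian.Uint32(wrapped[:4])
	material, ok := k.versions[v]
	if !ok { return nil, fmt.Errorf("KEK version %d is destroyed or unknown", v) }
	return gcmOpen(material, wrapped[4:])
}
// Envelope is what sits beside the encrypted disk: bulk ciphertext plus its wrapped DEK.
type Envelope struct{ Ciphertext, WrappedDEK []byte }
// EnvelopeEncrypt generates a random DEK, encrypts the data with it, then wraps the DEK.
func EnvelopeEncrypt(kek *KEK, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := gcmSeal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := kek.Wrap(dek)
	if err != nil { return nil, err }
	return &Envelope{Ciphertext: ct, WrappedDEK: wrapped}, nil
}
// EnvelopeDecrypt unwraps the DEK via the KEK, then decrypts the data.
func EnvelopeDecrypt(kek *KEK, env *Envelope) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil { return nil, err }
	return gcmOpen(dek, env.Ciphertext)
}
// Rewrap moves the envelope onto the primary version without touching the bulk ciphertext, which is why rotating the KEK does not mean re-encrypting the disk.
func Rewrap(kek *KEK, env *Envelope) error {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil { return err }
	env.WrappedDEK, err = kek.Wrap(dek)
	return err
}
// WrappedVersion reports which KEK version an envelope currently depends on.
func WrappedVersion(env *Envelope) uint32 { return binary.BigEndian.Uint32(env.WrappedDEK[:4]) }
func main() {
	kek := &KEK{}
	_ = kek.Rotate() // version 1 becomes primary
	env, _ := EnvelopeEncrypt(kek, []byte("constructed sample: one block of a Dataproc PD"))
	_ = kek.Rotate()     // version 2 becomes primary
	_ = Rewrap(kek, env) // re-wrap the DEK only; the data is untouched
	_ = kek.Destroy(1)   // retire version 1
	pt, err := EnvelopeDecrypt(kek, env)
	fmt.Printf("kek version=%d plaintext=%q err=%v\n", WrappedVersion(env), pt, err)
}
```

In the real service the `Wrap`/`Unwrap` steps are the encrypt/decrypt of the DEK that Cloud KMS performs with the KEK on Google's side; the customer's part of the job is exactly what `Rotate` and `Destroy` model, which is why option B (manage the KEK in Cloud KMS) answers the question and managing the DEK yourself is not required.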

Discussion

17 comments
mte_tech34 (Option: B)
Sep 27, 2020

Answer is B. https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption "The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

passtest100
Oct 1, 2020

SHOULD BE A. NO envelope encryption is mentioned in the question.

Arad
Nov 29, 2021

Correct answer is B, and A is wrong! Envelope encryption is the default mechanism in CMEK when used for Dataproc, please check this link: "This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest." https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

mynk29
Feb 27, 2022

I agree, but then should the answer not be C - customer supplied key?

mynk29
Feb 27, 2022

My bad, I read it as Customer managed.. even though I now realised I wrote customer supplied. :D

AwesomeGCP (Option: B)
Oct 6, 2022

Answer is B, https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption

DebasishLowes (Option: B)
Mar 11, 2021

Ans : B.

[Removed] (Option: A)
Apr 14, 2021

I also support B, but A is also good, because the KEK is hosted within KMS; also the real DEK can be uploaded there, or just in the database.

giovy_82 (Option: B)
Aug 24, 2022

In my opinion it should be B. Reference: https://cloud.google.com/kms/docs/envelope-encryption "How to encrypt data using envelope encryption: The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS."

absipat (Option: B)
Jun 11, 2022

B of course.

piyush_1982 (Option: A)
Aug 1, 2022

I think the answer is A. DEK (Data Encryption Key) is the key which is used to encrypt the data. It can be either customer-managed or customer-supplied in terms of GCP: https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption The link above states "This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

AzureDP900 (Option: B)
Nov 6, 2022

B. Use the Cloud Key Management Service to manage the key encryption key (KEK).

Meyucho (Option: A)
Nov 18, 2022

B can be right, but we have never been asked about envelope encryption... so... the solution is to use a customer managed Data Encryption Key.

DA95 (Option: A)
Dec 24, 2022

Option B, using the Cloud KMS to manage the key encryption key (KEK), is incorrect. The KEK is used to encrypt the DEK, so the DEK is the key that is managed by the Cloud KMS.

sameer2803 (Option: B)
Feb 19, 2023

Answer is B. The documentation says that Google does the data encryption by default and then that encryption key is again encrypted by a KEK, which in turn can be managed by the customer.

sameer2803
Feb 19, 2023

There is a diagram in the link. If you understand the diagram, you will get the answer. https://cloud.google.com/sql/docs/mysql/cmek#with-cmek

mahi9 (Option: B)
Feb 26, 2023

"The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK)."

aashissh (Option: A)
Apr 15, 2023

Option B, using Cloud KMS to manage the key encryption key (KEK), is not necessary as persistent disks in Cloud Dataproc are already encrypted at rest using AES-256 encryption with a unique DEK generated and managed by Google.

amanshin (Option: B)
Jun 29, 2023

The correct answer is B. Use the Cloud Key Management Service to manage the key encryption key (KEK). Cloud Dataproc uses a two-level encryption model, where the data encryption key (DEK) is encrypted with a key encryption key (KEK). The KEK is stored in Cloud Key Management Service (KMS), which allows you to create, rotate, and destroy the KEK as needed. If you use customer-supplied encryption keys (CSEKs) to manage the DEK, you will be responsible for managing the CSEKs yourself. This can be a complex and time-consuming task, and it can also increase the risk of data loss if the CSEKs are compromised.

dija123 (Option: B)
Mar 31, 2024

Agree with B

Sarmee305 (Option: B)
Jun 9, 2024

Answer is B. Cloud KMS allows you to manage KEKs, which in turn are used to encrypt the DEKs. DEKs are then used to encrypt the data. This separation ensures that the more sensitive KEK remains securely managed within Cloud KMS.