A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates themselves. Which encryption option should they use?
Trap 1: Customer-supplied encryption keys (CSEK)
CSEK requires the raw AES-256 key to be supplied with every object request; Cloud Storage never stores it, so rotation means rewriting each object with a new key and is not centrally managed.
Trap 2: Google-managed encryption (GMEK)
GMEK uses keys managed by Google, not the customer.
Trap 3: Cloud HSM
Cloud HSM is a protection level for Cloud KMS keys (key material held in FIPS 140-2 Level 3 HSMs), not a Cloud Storage encryption option by itself; an HSM-backed key is still consumed by Cloud Storage as a CMEK.
- A
Customer-supplied encryption keys (CSEK)
Why wrong: CSEK requires the raw AES-256 key to be supplied with every object request; Cloud Storage never stores it, so rotation means rewriting each object with a new key and is not centrally managed.
- B
Google-managed encryption (GMEK)
Why wrong: GMEK uses keys managed by Google, not the customer.
- C
Customer-managed encryption keys (CMEK) using Cloud KMS
Why right: CMEK keeps the key in Cloud KMS under the customer's control, with IAM-scoped access and a rotation schedule managed centrally; Cloud Storage uses the key (via a bucket default or per-object setting) to wrap the per-object data keys. Caveat: rotating a KMS key creates a new primary version for future writes only; objects already stored stay wrapped by the older version until they are rewritten, and the Cloud Storage service agent must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
- D
Cloud HSM
Why wrong: Cloud HSM is a protection level for Cloud KMS keys (key material held in FIPS 140-2 Level 3 HSMs), not a Cloud Storage encryption option by itself; an HSM-backed key is still consumed by Cloud Storage as a CMEK.
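Choosing CMEK is only half of the control; the practitioner's follow-up is to verify that every object actually is CMEK-encrypted under the intended key and current key version. The audit below is an added example, not part of the original question or any Google tooling. It works offline on object metadata in the shape the Cloud Storage JSON API (or `gcloud storage objects list --format=json`) returns: a CMEK object carries `kmsKeyName` including the `cryptoKeyVersions` suffix used at write time, a CSEK object carries `customerEncryption`, and a GMEK object carries neither. The project, key ring and object names are constructed for the example.

```python
"""Audit Cloud Storage object metadata for the encryption mode actually in use.

Classifies each object as CMEK / CSEK / GMEK and flags CMEK objects that sit
under the wrong key or under a key version older than the current primary
(those still need a rewrite after rotation). Example code, not Google's.
"""
import re
from collections import Counter

# Cloud KMS resource name, optionally with the version suffix that object metadata carries.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>\d+))?$"
)


def parse_kms_key(name):
    """Split a KMS resource name into (key path without version, version or None)."""
    m = KMS_KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {name!r}")
    key_path = (f"projects/{m['project']}/locations/{m['location']}"
                f"/keyRings/{m['ring']}/cryptoKeys/{m['key']}")
    version = int(m["version"]) if m["version"] else None
    return key_path, version


def classify(obj):
    """CSEK is checked first: a CSEK object never carries kmsKeyName."""
    if "customerEncryption" in obj:
        return "CSEK"
    if obj.get("kmsKeyName"):
        return "CMEK"
    return "GMEK"


def audit(objects, expected_key, current_version):
    """Return per-mode counts and a list of (object name, problem) pairs."""
    counts = Counter()
    findings = []
    for obj in objects:
        mode = classify(obj)
        counts[mode] += 1
        if mode != "CMEK":
            findings.append((obj["name"], f"not CMEK: {mode}"))
            continue
        key_path, version = parse_kms_key(obj["kmsKeyName"])
        if key_path != expected_key:
            findings.append((obj["name"], f"wrong key: {key_path}"))
        elif version is not None and version < current_version:
            # Rotation does not re-wrap stored objects; they keep the old version until rewritten.
            findings.append((obj["name"], f"stale key version {version}; rewrite to re-wrap"))
    return {"counts": dict(counts), "findings": findings}


# Constructed sample metadata; project, key ring and object names are hypothetical.
EXPECTED_KEY = "projects/acme-prod/locations/us/keyRings/storage-ring/cryptoKeys/customer-data"
SAMPLE_OBJECTS = [
    {"name": "invoices/2024-01.csv",
     "kmsKeyName": EXPECTED_KEY + "/cryptoKeyVersions/3"},
    {"name": "invoices/2023-07.csv",
     "kmsKeyName": EXPECTED_KEY + "/cryptoKeyVersions/1"},
    {"name": "exports/dump.tar",
     "kmsKeyName": "projects/acme-prod/locations/us/keyRings/storage-ring"
                   "/cryptoKeys/legacy/cryptoKeyVersions/2"},
    {"name": "uploads/raw.bin",
     "customerEncryption": {"encryptionAlgorithm": "AES256",
                            "keySha256": "ZmFrZS1jb25zdHJ1Y3RlZC1oYXNo"}},  # constructed value
    {"name": "tmp/notes.txt"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_OBJECTS, EXPECTED_KEY, current_version=3)
    print(report["counts"])
    for name, problem in report["findings"]:
        print(f"{name}: {problem}")
```

Objects reported as stale or not CMEK are fixed by rewriting them under the bucket's key (for example with `gsutil rewrite -k`), which is the step a rotation schedule alone does not perform; the CSEK and GMEK findings show why setting a bucket default CMEK after the fact does not retroactively change existing objects.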