What should you do?

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?
A . Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
B . Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
C . Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted
data and the encrypted DEK.
D . Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

View Answer

Answer: A

Explanation:

Reference:

https://cloud.google.com/kms/docs/envelope-encryption

Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption

Here are best practices for managing DEKs:

– Generate DEKs locally.

– When stored, always ensure DEKs are encrypted at rest.

– For easy access, store the DEK near the data that it encrypts.

The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.

Here are best practices for managing KEKs:

– Store KEKs centrally. (KMS)

– Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload’s data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload’s encryption.

– Rotate keys regularly, and also after a suspected incident.