Q: 9
You need to follow Google-recommended practices to leverage envelope encryption and encrypt
data at the application layer.
What should you do?
Options
Discussion
A. Nothing else really matches the envelope encryption method Google wants.
A. Store the encrypted DEK alongside the data, KEK goes in Cloud KMS. Follows envelope encryption and Google guidance.
A, fits Google's recommendation. Generate DEK locally, encrypt it with KEK in Cloud KMS, then only store encrypted DEK (not KEK) with the data. Pretty sure that's what their envelope encryption docs specify. Let me know if you see it differently.
A but if anyone has practical experience with KMS setups, chime in please.
B tbh, since if you keep the KEK with the data, retrieval is easier and you won't need to call KMS every time. Pretty sure some orgs do this for quick access, unless I'm missing a compliance catch here.
Yeah, Google wants you to generate the DEK locally, then use KMS for the KEK and only store the encrypted DEK with the data. So A is it. Saw similar guidance in GCP docs, but correct me if I missed something.
B, since storing the KEK seems logical if you want fast re-encryption. Still, Google's envelope encryption talks about keeping encrypted DEK with data, so maybe that's a catch. Let me know if you see it differently.
Agreed, it's A. Store the encrypted DEK with the data, keep the KEK managed by KMS, that's what Google pushes for envelope encryption. Pretty sure this is what their docs mean by "recommended practice." Disagree?
It's A, seen a similar one in exam reports: KMS KEK wraps local DEK, then store both encrypted.
B looks tempting but it's a common trap, KEK shouldn't be stored with the encrypted data. A
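As an added worked example (not from this thread and not Google's code), here is the flow the A answers describe, in Go: generate the DEK locally, encrypt the record with it, hand only the DEK to the KEK holder for wrapping, and store the wrapped DEK next to the ciphertext. The KEKWrapper interface, the LocalKEK stand-in, the Envelope type and the Rewrap helper are all constructed for this example. LocalKEK keeps a KEK in process purely so the code runs offline; in a real deployment that interface is backed by Cloud KMS Encrypt/Decrypt calls against the KEK's CryptoKey and the KEK never reaches the application. The sample record and AAD values are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEKWrapper is the only contact point with the key-encryption key. In production it
// is Cloud KMS (Encrypt/Decrypt on the KEK's CryptoKey resource name); the KEK never leaves KMS.
type KEKWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrappedDEK []byte) ([]byte, error)
}

// LocalKEK is an in-memory stand-in for the KMS side so this runs offline; it is NOT a KMS client.
type LocalKEK struct{ aead cipher.AEAD }

func NewLocalKEK() *LocalKEK { return &LocalKEK{aead: mustGCM(randBytes(32))} }

func (k *LocalKEK) Wrap(dek []byte) ([]byte, error) { return seal(k.aead, dek, nil), nil }
func (k *LocalKEK) Unwrap(w []byte) ([]byte, error) { return open(k.aead, w, nil) }

// Envelope is what gets stored beside the data. Neither the plaintext DEK nor the KEK is in it.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-256-GCM ciphertext and tag
}

// Encrypt generates a fresh DEK locally, encrypts the plaintext with it and wraps the DEK
// with the KEK. aad binds the ciphertext to its storage context (e.g. a row id).
func Encrypt(kek KEKWrapper, plaintext, aad []byte) (*Envelope, error) {
	dek := randBytes(32)
	ct := seal(mustGCM(dek), plaintext, aad)
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the KEK holder to unwrap the DEK, then decrypts locally.
func Decrypt(kek KEKWrapper, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil || len(dek) != 32 {
		return nil, fmt.Errorf("unwrap DEK: %v (got %d bytes)", err, len(dek))
	}
	return open(mustGCM(dek), env.Ciphertext, aad)
}

// Rewrap moves an envelope to a new KEK (KEK rotation): only the DEK is re-wrapped,
// the bulk ciphertext is left exactly as stored.
func Rewrap(oldKEK, newKEK KEKWrapper, env *Envelope) (*Envelope, error) {
	dek, err := oldKEK.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := newKEK.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

// mustGCM builds AES-GCM over a key whose length has already been checked.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal prepends a fresh random nonce so the output is self-describing for open.
func seal(aead cipher.AEAD, pt, aad []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, pt, aad)...)
}

func open(aead cipher.AEAD, ct, aad []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(ct) >= ns {
		return aead.Open(nil, ct[:ns], ct[ns:], aad)
	}
	return nil, errors.New("ciphertext shorter than nonce")
}

// randBytes panics on CSPRNG failure: there is no safe way to continue without it.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	kek := NewLocalKEK()
	env, _ := Encrypt(kek, []byte("customer record 42"), []byte("row=42"))
	pt, err := Decrypt(kek, env, []byte("row=42"))
	fmt.Printf("%q %v\n", pt, err)
}
```

Rewrap is the part that speaks to the "fast re-encryption" argument for B: rotating the KEK means re-wrapping a 32-byte DEK per record through the KEK holder, never re-encrypting the bulk data, so there is no performance reason to keep the KEK beside the data. A KEK stored next to the ciphertext would let anyone who reads the store unwrap every DEK, which is exactly the separation envelope encryption exists to provide.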