A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
To use customer-supplied encryption keys (CSEK) for encrypting data on Cloud Storage, follow these steps:
Generate an Encryption Key: Generate a 256-bit AES encryption key. This key should be base64-encoded.
openssl rand -base64 32
Upload Object with CSEK: Use the gsutil command-line tool to upload the object to Cloud Storage, specifying the location of the encryption key using the -o option.
Verify Encryption: After uploading the object, you can verify that it is encrypted using the provided CSEK by checking the object's metadata.
gsutil stat gs://[BUCKET_NAME]/[OBJECT_NAME]
Key Management: Ensure that the encryption key is securely stored and managed. It should not be hard-coded in scripts or applications.
By using the gsutil tool and specifying the encryption key, you ensure that the object is encrypted using the customer-supplied encryption key during the upload process.
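The steps above as one script. This is an added example, not part of the original explanation. It assumes gsutil's `-o "GSUtil:encryption_key=..."` form of the `-o` option and the `Encryption key SHA256` field in `gsutil stat` output; the function names, key-file path and bucket path are placeholders.

```shell
#!/usr/bin/env bash
# Added example: CSEK upload and verification with gsutil.
# Function names and all paths are placeholders, not taken from the page.

# Step 1: generate a 256-bit AES key, base64-encoded.
csek_generate_key() { openssl rand -base64 32; }

# Succeed only if the base64 key decodes to exactly 32 bytes (256 bits).
csek_key_is_valid() {
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# Base64-encoded SHA-256 of the raw key bytes. Cloud Storage keeps this
# hash with the object (not the key) and reports it in the metadata.
csek_key_sha256() {
  printf '%s' "$1" | base64 -d | openssl dgst -sha256 -binary | base64
}

# Step 2: upload with the key supplied through -o. The key is read from a
# file kept outside the script, so it is never hard-coded.
# usage: csek_upload KEY_FILE LOCAL_FILE gs://BUCKET/OBJECT
csek_upload() {
  local key
  key="$(cat "$1")"
  csek_key_is_valid "$key" || { echo "key is not 32 bytes" >&2; return 1; }
  gsutil -o "GSUtil:encryption_key=${key}" cp "$2" "$3"
}

# Step 3: read `gsutil stat` output on stdin and check that the reported
# key hash matches the local key. Fails if the field is missing, which
# means the object was not encrypted with a customer-supplied key.
# usage: gsutil stat gs://BUCKET/OBJECT | csek_verify_stat "$(cat KEY_FILE)"
csek_verify_stat() {
  local reported
  reported="$(sed -n 's/^[[:space:]]*Encryption key SHA256:[[:space:]]*//p')"
  [ -n "$reported" ] && [ "$reported" = "$(csek_key_sha256 "$1")" ]
}
```

Passing the key with `-o` places it in the process arguments, where other local users can see it while the command runs; gsutil also reads `encryption_key` from the `[GSUtil]` section of its boto configuration file.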