PROFESSIONAL-CLOUD-DEVELOPER · Question #259
Your application stores customers' content in a Cloud Storage bucket, with each object being encrypted with the customer's encryption key. The key for each object in Cloud Storage is entered into your
The correct answer is B. You attempted the read operation without the base64-encoded SHA256 hash of the encryption. Cloud Storage Customer-Supplied Encryption Keys (CSEK) require three HTTP headers on every read or write request: x-goog-encryption-algorithm (e.g., AES256), x-goog-encryption-key (the base64-encoded 256-bit key), and x-goog-encryption-key-sha256 (the base64-encoded SHA256 hash o
Question
Your application stores customers' content in a Cloud Storage bucket, with each object being encrypted with the customer's encryption key. The key for each object in Cloud Storage is entered into your application by the customer. You discover that your application is receiving an HTTP 4xx error when reading the object from Cloud Storage. What is a possible cause of this error?
Options
- AYou attempted the read operation on the object with the customer's base64-encoded key.
- BYou attempted the read operation without the base64-encoded SHA256 hash of the encryption
- CYou entered the same encryption algorithm specified by the customer when attempting the read
- DYou attempted the read operation on the object with the base64-encoded SHA256 hash of the
How the community answered
(38 responses)- A3% (1)
- B82% (31)
- C5% (2)
- D11% (4)
Explanation
Cloud Storage Customer-Supplied Encryption Keys (CSEK) require three HTTP headers on every read or write request: x-goog-encryption-algorithm (e.g., AES256), x-goog-encryption-key (the base64-encoded 256-bit key), and x-goog-encryption-key-sha256 (the base64-encoded SHA256 hash of the key). The hash is used by Google to verify the key was not corrupted in transit. If the SHA256 hash header is omitted, Cloud Storage returns a 400 Bad Request error because the request is malformed. Option A is incorrect - providing the base64-encoded key is required and correct, not a cause of error. Option C is incorrect - specifying the same algorithm the customer used is the right thing to do. Option D is a distractor that describes supplying the SHA256 hash, which is actually the correct and required behavior, not an error condition.
Topics
Community Discussion
No community discussion yet for this question.