
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #251: Real Exam Question with Answer & Explanation

The correct answer is D: Generate a key in your on-premises environment and store it in a Hardware Security Module. To meet regulatory requirements for full control over encryption key material and valid access rationales, generate the key on-premises and store it in a Hardware Security Module (HSM) for use with Cloud EKM.

Submitted by lucia.co · Apr 18, 2026 · Ensuring data protection

Question

You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material. What should you do?

Options

  • A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys.
  • B. Generate a key in your on-premises environment to encrypt the data before you upload the data.
  • C. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys.
  • D. Generate a key in your on-premises environment and store it in a Hardware Security Module.

Explanation

To meet regulatory requirements for full control over encryption key material and valid access rationales, generate the key on-premises and store it in a Hardware Security Module (HSM) for use with Cloud EKM.

Common mistakes.

  • A. Customer Managed Encryption Keys (CMEK) are managed by Cloud KMS, where Google has control over the key lifecycle, which does not meet the requirement for the customer to have full control over the key material and a rationale for accessing it outside of KMS logs.
  • B. Generating a key on-premises and encrypting data before upload using Customer-Supplied Encryption Keys (CSEK) provides customer control over the key, but the question's emphasis on a 'valid rationale for accessing the key material' suggests a more integrated, auditable solution like EKM rather than just supplying a key for encryption at rest.
  • C. This option is identical to A and is incorrect for the same reason: CMEK through Cloud KMS does not grant the customer 'full control' over the key material in the sense of managing its physical storage and having a specific rationale for access to the material itself.

Concept tested. Cloud External Key Management (EKM) with HSM

Reference. https://cloud.google.com/kms/docs/external-keys

Topics

#Cloud Storage Encryption · #Customer Controlled Keys · #Hardware Security Module (HSM) · #Client-Side Encryption
