You are designing a Data Warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate the encryption keys outside of Google Cloud. You need to implement a solution. What should you do?
Choose an answer
Tap an option to check your answer.
Correct answer: Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-supplied key option and select the created key..
Why this is the answer
The correct solution involves importing a key into Cloud KMS and then using that key with BigQuery's customer-supplied encryption key (CSEK) feature. The requirement is to generate keys outside of Google Cloud, which necessitates importing them into Cloud KMS. BigQuery supports CSEK, allowing you to encrypt your dataset with a key you provide, which can be managed by Cloud KMS. The first two incorrect options are wrong because they suggest generating a new key in Cloud KMS, which violates the requirement to generate keys outside of Google Cloud. The third incorrect option is wrong because it proposes storing data in Cloud Storage and then using a Dataflow pipeline to decrypt and move it to BigQuery. This is an unnecessarily complex and inefficient approach when BigQuery directly supports CSEK for its datasets, allowing the data to remain encrypted at rest within BigQuery using the imported key.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed