Compute Engine Encryption Options Quiz

Questions and Answers

What is the primary responsibility of Compute Engine regarding default encryption?

• It requires manual configuration for encryption settings.
• It allows only third-party encryption solutions.
• It automatically encrypts customer content at rest without additional actions. (correct)
• It provides insurance against data loss through encryption.

What does a customer-managed encryption key (CMEK) allow you to control?

• The management of symmetric key encryption keys by Google.
• The protection level, location, and access permissions of the keys. (correct)
• The encryption algorithm used by Google.
• The physical security of the Compute Engine hardware.

Which of the following is necessary when managing resources with customer-supplied encryption keys (CSEKs)?

• Automatically encrypting all data using default settings.
• Overriding Google’s management of key encryption.
• Forgetting about key management after initial setup.
• Specifying the key used for encrypting the resource at all times. (correct)

How can you create customer-managed encryption keys (CMEKs)?

By utilizing Cloud KMS Autokey or creating them manually. (D)

What does enabling Confidential mode add to Hyperdisk Balanced disks?

Additional hardware-based encryption. (B)

Which encryption types are supported for disk clones and machine images in Compute Engine?

CMEKs and Google-default encryption. (D)

What happens when you use Cloud KMS Autokey to create keys?

Keys and key rings are generated on demand during resource creation. (C)

What is a key feature of customer-supplied encryption keys (CSEKs)?

They require the customer to manage and provide the key. (D)

What must be done to encrypt a snapshot in relation to the source disk's key?

Use the same key that was used to encrypt the source disk (B)

Which statement is true regarding disk encryption in Compute Engine?

Disks can be encrypted using either Google-managed, customer-managed, or customer-supplied keys (C)

What is required when creating a snapshot using the gcloud CLI or API?

Retrieve and utilize the resource identifier of the key used for the source disk (A)

What does the diskEncryptionKey object in a JSON response indicate?

Information about whether the disk uses CMEK or CSEK encryption (B)

Which mode extends hardware-based encryption to Hyperdisk Balanced volumes?

Confidential Mode (A)

What is a requirement for using Hyperdisk Balanced volumes in Confidential mode?

They must be deployed on Confidential VMs using the N2D machine type (B)

Which tool can you use to view a disk's encryption type?

Google Cloud console (C)

How can key usage tracking benefit users utilizing customer-managed encryption keys?

It provides visibility into which resources are protected by a key (D)

What action must be taken if the disk uses CSEK-encryption?

Consult the organization's administrator for key details (A)

Flashcards

Google Default Encryption

Compute Engine's default encryption setting, where Google manages the encryption keys.

Key Encryption Key (KEK)

A key used to encrypt another key, typically used to encrypt data at rest.

Customer-Managed Encryption Key (CMEK)

A key encryption key (KEK) that is managed by you in Google Cloud Key Management Service (KMS).

Customer-Supplied Encryption Key (CSEK)

You provide the key encryption key (KEK) yourself when creating or managing an encrypted resource.

Confidential Mode

A feature that adds hardware-based encryption to Hyperdisk Balanced disks, enhancing data security.

Hyperdisk Balanced Disk

A type of disk that can be encrypted with Confidential Mode, providing enhanced security.

Cloud KMS Autokey

A way to automatically create and manage customer-managed encryption keys (CMEKs) in Google Cloud KMS.

Cloud KMS

A service within Google Cloud that allows you to manage and control encryption keys.

Google-managed encryption

The default encryption method for Compute Engine disks. Google manages the encryption keys.

Confidential Mode for Hyperdisk Balanced volumes

A feature that enables hardware-based encryption for Hyperdisk Balanced volumes, enhancing security without application changes.

Confidential VMs

A special type of VM that runs on a secure environment, leveraging hardware-based encryption for sensitive workloads.

Cloud Key Management Service (Cloud KMS)

A service that allows you to manage and use encryption keys to protect your data in Google Cloud.

Compute Engine Persistent Disks

A service that allows you to store and manage persistent disks for your virtual machines.

Key Usage Tracking

The mechanism by which Cloud KMS allows you to track which resources are protected by a specific key.

Cloud Shell

A tool provided by Google Cloud for interacting with the command line and managing resources.

Hyperdisk Balanced Volumes

A type of disk in Compute Engine that provides high throughput and low latency for demanding workloads, such as databases.

Study Notes

Compute Engine Encryption Options

• Compute Engine encrypts customer data at rest by default (Google default encryption).
• Users can customize encryption using key encryption keys (KEKs).
• KEKs encrypt Google-generated keys used for data encryption.

Key Encryption Key (KEK) Options

• Customer-Managed Encryption Keys (CMEKs): Recommended.
  • Users manage encryption keys in Cloud KMS, controlling protection, location, rotation, usage, and access.
  • Allows key usage tracking, audit log viewing, and key lifecycle control.
  • CMEKs can be created manually or automatically using Cloud KMS Autokey.
  • Disks encrypted with CMEKs usually don't require key specification after creation.
• Customer-Supplied Encryption Keys (CSEKs):
  • Users manage encryption keys outside Compute Engine.
  • The encryption key must be specified when creating or managing a disk/resource using CSEKs.

Additional Security Features

• Confidential Mode for Hyperdisk Balanced Disks: Adds hardware-based encryption to Hyperdisk Balanced disks.
  • Enables additional security without application refactoring.
  • Can only be used with Confidential VMs.
  • Limited to specific machine types (N2D) and regions.

Supported Encryption Types

• Disk clones and machine images support Google-default, CMEKs, and CSEKs.
• Standard snapshots and instant snapshots support Google-default, CMEKs, and CSEKs.

Cloud KMS Autokey

• Autokey automatically generates keys and key rings on demand during resource creation.
• Automatically creates service agents and grants required IAM roles.
• Does not create new keys for snapshots; the source disk's key is automatically applied.
• Manual intervention required for snapshots created with gcloud CLI, Terraform, or API.

Checking Disk Encryption

• Use the gcloud CLI, Google Cloud Console, or Compute Engine API to view a disk's encryption type.
• Encryption type appears in the "Properties" table, under "Encryption".

Determining if a Disk is Encrypted

• A "diskEncryptionKey" field indicates an encrypted disk within a JSON object.
• The object contains details about CMEK or CSEK encryption.

Information Retrieval Based on Encryption Type

• CMEK: View detailed key, key ring, and location information via "View keys by project" steps.
• CSEK: Contact the organization administrator for key details.

CMEK Benefits

• Key usage tracking allows observing which resources the key protects.