Compute Engine Encryption Options Quiz
17 Questions

Questions and Answers

What is the primary responsibility of Compute Engine regarding default encryption?

  • It requires manual configuration for encryption settings.
  • It allows only third-party encryption solutions.
  • It automatically encrypts customer content at rest without additional actions. (correct)
  • It provides insurance against data loss through encryption.

What does a customer-managed encryption key (CMEK) allow you to control?

  • The management of symmetric key encryption keys by Google.
  • The protection level, location, and access permissions of the keys. (correct)
  • The encryption algorithm used by Google.
  • The physical security of the Compute Engine hardware.

Which of the following is necessary when managing resources with customer-supplied encryption keys (CSEKs)?

  • Automatically encrypting all data using default settings.
  • Overriding Google’s management of key encryption.
  • Forgetting about key management after initial setup.
  • Specifying the key used for encrypting the resource at all times. (correct)

How can you create customer-managed encryption keys (CMEKs)?

    By utilizing Cloud KMS Autokey or creating them manually.

    What does enabling Confidential mode add to Hyperdisk Balanced disks?

    Additional hardware-based encryption.

    Which encryption types are supported for disk clones and machine images in Compute Engine?

    CMEKs and Google-default encryption.

    What happens when you use Cloud KMS Autokey to create keys?

    Keys and key rings are generated on demand during resource creation.

    What is a key feature of customer-supplied encryption keys (CSEKs)?

    They require the customer to manage and provide the key.

    What must be done to encrypt a snapshot in relation to the source disk's key?

    Use the same key that was used to encrypt the source disk

    Which statement is true regarding disk encryption in Compute Engine?

    Disks can be encrypted using either Google-managed, customer-managed, or customer-supplied keys

    What is required when creating a snapshot using the gcloud CLI or API?

    Retrieve and utilize the resource identifier of the key used for the source disk

    What does the diskEncryptionKey object in a JSON response indicate?

    Information about whether the disk uses CMEK or CSEK encryption

    Which mode extends hardware-based encryption to Hyperdisk Balanced volumes?

    Confidential Mode

    What is a requirement for using Hyperdisk Balanced volumes in Confidential mode?

    They must be deployed on Confidential VMs using the N2D machine type

    Which tool can you use to view a disk's encryption type?

    Google Cloud console

    How can key usage tracking benefit users utilizing customer-managed encryption keys?

    It provides visibility into which resources are protected by a key

    What action must be taken if the disk uses CSEK encryption?

    Consult the organization's administrator for key details

    Study Notes

    Compute Engine Encryption Options

    • Compute Engine encrypts customer data at rest by default (Google default encryption).
    • Users can customize encryption using key encryption keys (KEKs).
    • KEKs encrypt Google-generated keys used for data encryption.

    Key Encryption Key (KEK) Options

    • Customer-Managed Encryption Keys (CMEKs): Recommended.
      • Users manage encryption keys in Cloud KMS, controlling protection, location, rotation, usage, and access.
      • Allows key usage tracking, audit log viewing, and key lifecycle control.
      • CMEKs can be created manually or automatically using Cloud KMS Autokey.
      • Disks encrypted with CMEKs usually don't require key specification after creation.
    • Customer-Supplied Encryption Keys (CSEKs):
      • Users manage encryption keys outside Compute Engine.
      • The encryption key must be specified when creating or managing a disk/resource using CSEKs.

    Additional Security Features

    • Confidential Mode for Hyperdisk Balanced Disks: Adds hardware-based encryption to Hyperdisk Balanced disks.
      • Enables additional security without application refactoring.
      • Can only be used with Confidential VMs.
      • Limited to specific machine types (N2D) and regions.

    Supported Encryption Types

    • Disk clones and machine images support Google-default, CMEKs, and CSEKs.
    • Standard snapshots and instant snapshots support Google-default, CMEKs, and CSEKs.

    Cloud KMS Autokey

    • Autokey automatically generates keys and key rings on demand during resource creation.
    • Automatically creates service agents and grants required IAM roles.
    • Does not create new keys for snapshots; the source disk's key is automatically applied.
    • Manual intervention required for snapshots created with gcloud CLI, Terraform, or API.

    Checking Disk Encryption

    • Use the gcloud CLI, Google Cloud console, or Compute Engine API to view a disk's encryption type.
    • Encryption type appears in the "Properties" table, under "Encryption".

    Determining if a Disk is Encrypted

    • A "diskEncryptionKey" field indicates an encrypted disk within a JSON object.
    • The object contains details about CMEK or CSEK encryption.

    Information Retrieval Based on Encryption Type

    • CMEK: View detailed key, key ring, and location information via "View keys by project" steps.
    • CSEK: Contact the organization administrator for key details.

    CMEK Benefits

    • Key usage tracking allows observing which resources the key protects.


    Description

    Test your knowledge on encryption options in Google Cloud's Compute Engine. This quiz covers customer-managed and customer-supplied encryption keys, as well as their unique features and security implications. Learn how to effectively manage and utilize encryption keys to enhance data protection.
