Google Cloud Dataproc | Symmetric Encryption Keys for Persistent Disks

Question

Your company is using Cloud Dataproc for its Spark and Hadoop jobs.

You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc.

Keys can be stored in the cloud.

What should you do?

Answers

Explanations

A.

To create, rotate, and destroy the symmetric encryption keys that protect the persistent disks attached to Cloud Dataproc clusters, the recommended approach is to use the Cloud Key Management Service (KMS).

Option A - Use the Cloud Key Management Service to manage the data encryption key (DEK): This option is partially correct. The Cloud KMS can be used to manage the data encryption key (DEK) for encrypting the persistent disks. However, rotating and destroying the DEK would not be possible with this approach.

Option B - Use the Cloud Key Management Service to manage the key encryption key (KEK): This option is incorrect. The key encryption key (KEK) is used for encrypting the DEK and is not directly used for encrypting the persistent disks.

Option C - Use customer-supplied encryption keys to manage the data encryption key (DEK): This option is also partially correct. With customer-supplied encryption keys, it is possible to manage the DEK for encrypting the persistent disks. However, rotating and destroying the DEK would not be possible with this approach.

Option D - Use customer-supplied encryption keys to manage the key encryption key (KEK): This option is incorrect. As mentioned earlier, the KEK is used for encrypting the DEK and is not directly used for encrypting the persistent disks.

Therefore, the best option is Option A - Use the Cloud Key Management Service to manage the data encryption key (DEK). With Cloud KMS you can create, rotate, and destroy the symmetric encryption keys that protect the persistent disks used by Cloud Dataproc. Cloud KMS is a highly available and scalable service for managing encryption keys in the cloud. It stores your keys securely in the cloud, provides auditing and logging of key usage, and integrates with other Google Cloud services for encryption and decryption.
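The key lifecycle described above, carried out with the gcloud CLI, as an added example that is not part of the original page: it creates a symmetric Cloud KMS key with automatic rotation, grants the Compute Engine service agent permission to use it, attaches it to a Dataproc cluster's persistent disks, rotates it on demand, schedules destruction of a key version, and verifies which key each disk reports. The project, region, key ring, key, cluster and project-number values are placeholders, not values from the page; setting `GCLOUD="echo gcloud"` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the page): manage a symmetric Cloud KMS key for the
# persistent disks of a Dataproc cluster: create, grant, attach, rotate, destroy, verify.
# Every name below is a placeholder; export your own values before running.
# GCLOUD="echo gcloud" prints each command instead of executing it.
GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-example-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # placeholder; see: gcloud projects describe PROJECT
REGION="${REGION:-us-central1}"
KEYRING="${KEYRING:-dataproc-ring}"
KEY="${KEY:-dataproc-pd-key}"
CLUSTER="${CLUSTER:-example-cluster}"
NEXT_ROTATION="${NEXT_ROTATION:-2030-01-01T00:00:00Z}"   # placeholder RFC 3339 timestamp

# Full resource name of the key, in the form Dataproc's --gce-pd-kms-key flag expects.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$PROJECT" "$REGION" "$KEYRING" "$KEY"
}

# Create: a key ring plus a symmetric encryption key that rotates automatically every 90 days.
create_key() {
  $GCLOUD kms keyrings create "$KEYRING" --project "$PROJECT" --location "$REGION"
  $GCLOUD kms keys create "$KEY" --project "$PROJECT" --location "$REGION" \
    --keyring "$KEYRING" --purpose encryption \
    --rotation-period 90d --next-rotation-time "$NEXT_ROTATION"
}

# Grant: the Compute Engine service agent must be allowed to use the key,
# otherwise disk creation for the cluster fails with a permission error on the key.
grant_compute_agent() {
  $GCLOUD kms keys add-iam-policy-binding "$KEY" --project "$PROJECT" \
    --location "$REGION" --keyring "$KEYRING" \
    --member "serviceAccount:service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Attach: Dataproc encrypts the persistent disk of every cluster node with the key.
create_cluster() {
  $GCLOUD dataproc clusters create "$CLUSTER" --project "$PROJECT" \
    --region "$REGION" --gce-pd-kms-key "$(kms_key_name)"
}

# Rotate on demand: a new primary version is used for disks created from now on;
# existing disks stay bound to the version that protected them.
rotate_key() {
  $GCLOUD kms keys versions create --project "$PROJECT" --location "$REGION" \
    --keyring "$KEYRING" --key "$KEY" --primary
}

# Destroy: scheduling destruction of a version makes any disk still bound to it
# unusable, so run verify_disks and retire those disks first.
destroy_version() {
  $GCLOUD kms keys versions destroy "$1" --project "$PROJECT" --location "$REGION" \
    --keyring "$KEYRING" --key "$KEY" --quiet
}

# Verify: list the cluster's disks with the KMS key each one reports.
verify_disks() {
  $GCLOUD compute disks list --project "$PROJECT" \
    --filter "labels.goog-dataproc-cluster-name=$CLUSTER" \
    --format 'table(name,zone.basename(),diskEncryptionKey.kmsKeyName)'
}

# Entry point: `sh cmek.sh run` performs create, grant, attach and verify.
if [ "${1:-}" = "run" ]; then
  create_key
  grant_compute_agent
  create_cluster
  verify_disks
fi
```

Run it first as `GCLOUD="echo gcloud" sh cmek.sh run` to review the exact commands, then without the override. Keep `rotate_key` and `destroy_version` as separate, deliberate steps: rotation is harmless to running clusters, but destroying a version that still protects a disk is irreversible once the restore window passes, which is why the verify step lists which key each disk reports.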