Associate Data Practitioner
Unlock the power of your data in the cloud! Get hands-on with Google Cloud's core data services like BigQuery and Looker to validate your practical skills in data ingestion, analysis, and management, and earn your Associate Data Practitioner certification!
Practice Test
Fundamental
Identify use cases for customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), and Google-managed encryption keys (GMEK)
Differentiate Between CMEK, CSEK, and GMEK
Every piece of data stored in Google Cloud is secured with encryption, which scrambles information to prevent unauthorized access. By default, GCP uses Google-managed encryption keys (GMEK), so Google takes care of key management. This option requires no extra setup, making it simple for users who want built-in protection. It includes automated key rotation and storage in Google’s secure key infrastructure.
GMEK, also called Google default encryption, provides hands-off security. You do not see or directly manage these keys. Google's security teams handle key creation, rotation, and protection, ensuring industry-standard practices. This setup is ideal for workloads without strict compliance demands, as it lowers operational overhead and the risk of misconfiguration.
Customer-managed encryption keys (CMEK) allow you to create and store keys in Cloud KMS for full control over the key lifecycle. You decide rotation schedules, key location, and access policies. This choice helps meet compliance requirements that call for customer oversight and audit trails. With CMEK, you can track every key operation in audit logs and enforce strict permissions.
Customer-supplied encryption keys (CSEK) let you provide your own key material to GCP. With CSEK, you generate, store, and manage keys outside Google Cloud, retaining complete ownership. This is important for organizations with strict regulatory needs that demand on-premises key control. However, losing your key can make data irretrievable, so it carries the highest operational risk.
When choosing between encryption key options, consider control, security, and operational complexity. Use the following as a guide:
- GMEK: Low control, fully managed by Google, minimal setup.
- CMEK: Moderate control, integrates with Cloud KMS, suitable for compliance.
- CSEK: High control, you supply key material, best for strict regulations but complex to manage.
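To make the distinction concrete, the following added example (not part of the original study guide) classifies Compute Engine disks by key type and flags CSEK disks whose key is no longer held locally, the failure mode that makes data irretrievable. It assumes the `diskEncryptionKey.kmsKeyName` and `diskEncryptionKey.sha256` fields of the Compute Engine disk resource; the disk names, key bytes, and function names are constructed for illustration.

```python
import base64
import hashlib


def csek_fingerprint(raw_key: bytes) -> str:
    """Base64 SHA-256 of a 256-bit CSEK, the form the API reports for a disk."""
    if len(raw_key) != 32:
        raise ValueError("a CSEK must be exactly 32 bytes (AES-256)")
    return base64.b64encode(hashlib.sha256(raw_key).digest()).decode()


def classify_disk(disk: dict, held_keys: dict) -> str:
    """Return GMEK, CMEK, CSEK, or CSEK-KEY-MISSING for one disk description."""
    enc = disk.get("diskEncryptionKey") or {}
    if enc.get("kmsKeyName"):       # key lives in Cloud KMS
        return "CMEK"
    if enc.get("sha256"):           # only the hash of a supplied key is stored
        held = held_keys.get(disk["name"])
        if held is not None and csek_fingerprint(held) == enc["sha256"]:
            return "CSEK"
        return "CSEK-KEY-MISSING"   # no matching key: data cannot be read back
    return "GMEK"                   # no key block: Google default encryption


def inventory(disks: list, held_keys: dict) -> dict:
    """Map each disk name to its key classification."""
    return {d["name"]: classify_disk(d, held_keys) for d in disks}


# Constructed sample data, shaped like `gcloud compute disks describe` JSON.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))
SAMPLE_DISKS = [
    {"name": "web-boot"},
    {"name": "pci-data", "diskEncryptionKey": {"kmsKeyName": (
        "projects/example-project/locations/us-central1/keyRings/"
        "example-ring/cryptoKeys/example-key/cryptoKeyVersions/1")}},
    {"name": "vault-a", "diskEncryptionKey": {"sha256": csek_fingerprint(KEY_A)}},
    {"name": "vault-b", "diskEncryptionKey": {"sha256": csek_fingerprint(KEY_B)}},
]
HELD_KEYS = {"vault-a": KEY_A}  # the key for vault-b is absent from local escrow

if __name__ == "__main__":
    for name, kind in inventory(SAMPLE_DISKS, HELD_KEYS).items():
        print(f"{name:10} {kind}")
```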
Conclusion
Choosing the right encryption key type in GCP balances ease of use against control and compliance requirements. GMEK works best for simple protection, CMEK for regulated environments needing customer oversight, and CSEK for organizations demanding complete key ownership. Understanding these options helps ensure data is both secure and managed to meet business needs.