You have a CryptoKey in Google Cloud KMS. You disable it. What is the effect on encryption and decryption operations?
Think about how disabling a key affects new and existing data.
Disabling a CryptoKey prevents new encryption operations but allows decryption of existing ciphertexts. This ensures data can still be read but no new data can be encrypted with that key.
Arrange the Cloud KMS resources from broadest to most specific for organizing keys securely.
Think about how projects contain key rings and key rings contain keys.
The correct hierarchy is Project > Key Ring > CryptoKey > CryptoKey Version. Projects contain key rings, which group keys, and each key has versions.
You set an IAM policy that denies the 'cloudkms.cryptoKeyVersions.useToEncrypt' permission for a user on a CryptoKey. What will happen when the user tries to encrypt data?
Consider what the specific permission controls.
The 'useToEncrypt' permission controls the ability to encrypt data. Denying it prevents encryption but does not affect decryption permissions.
Consider the following command:
gcloud kms keys create my-key --location=us-central1 --keyring=my-ring --purpose=encryption --rotation-period=2592000s --next-rotation-time=2024-07-01T00:00:00Z
What will be the rotation behavior of this key?
Check the format and meaning of rotation-period and next-rotation-time.
The rotation-period is specified in seconds (2592000s = 30 days). The key will rotate automatically every 30 days starting at the specified next-rotation-time.
You want to minimize the risk of exposing plaintext encryption keys in your application using Cloud KMS. Which approach is best?
Think about where the plaintext keys should reside to reduce risk.
Keeping keys inside Cloud KMS and performing cryptographic operations there avoids exposing plaintext keys to your application, reducing the risk of leakage.