Encryption（加密）在谷歌云数据工程师考试中只有很少的题量，但是也是复习的一个点。

小娜学习后强烈推荐谷歌官方的演讲视频（英文）：
https://www.youtube.com/watch?v=StJ1NOQjAjo

视频演讲人是谷歌security的产品经理，讲解由浅入深，比起documentation不知从什么地方开始捋实在是好了很多。

小姐姐语速比较快，所以小娜截了几张重要的图，跟大家分享：

Screen Shot 2018-07-14 at 7.08.47 pm.png

谷歌云默认data at rest是有encrypt的，分为三种：

1. Default Google encryption
   -> created by Google
   -> managed by Google
   -> by default

2. Customer-managed encryption keys (CMEK)
   -> created by Google
   -> managed by customer
   -> generally available

3. Customer-supplied encryption keys (CSEK)
   -> supplied by customer
   -> managed by Google
   -> available for GCE and GCS only

Screen Shot 2018-07-14 at 9.44.49 pm.png

Screen Shot 2018-07-14 at 9.46.38 pm.png

KEKs are located on Key Management Service (KMS)

Screen Shot 2018-07-14 at 9.52.44 pm.png

Screen Shot 2018-07-14 at 9.58.32 pm.png

Screen Shot 2018-07-14 at 10.10.23 pm.png

Key rotation:
-> automatic: rotate per say 30 days
-> manual: call API, or on UI

Separation of duties:
The people who set the encryption keys are not the people who use the encryption keys

Screen Shot 2018-07-14 at 10.17.48 pm.png

Screen Shot 2018-07-14 at 10.25.01 pm.png