L13. Data Protection: Cloud KMS, Secret Manager, and DLP API
Google Cloud provides multiple layers of data protection. The Digital Leader exam tests Cloud KMS for encryption key management, Secret Manager for credential storage, and Cloud DLP for sensitive data discovery.
Encryption on Google Cloud
Google Cloud encrypts all data at rest by default using AES-256 encryption. You don't need to configure anything for baseline encryption. Options for managing the encryption keys, from least to most customer control:
- Google-managed keys (default): Google handles everything; no configuration needed
- Customer-managed encryption keys (CMEK): you create and manage keys in Cloud KMS; Google uses them for encryption/decryption on your behalf
- Customer-supplied encryption keys (CSEK): you provide the raw key material for each API call; you manage keys entirely outside Google
- Client-side encryption: you encrypt data before sending it to Google Cloud
Cloud Key Management Service (KMS)
Cloud KMS is a managed service for creating and controlling cryptographic keys. Key types:
- Software keys: stored and used in software; cheaper
- Hardware keys (Cloud HSM): keys generated and used in certified hardware security modules (FIPS 140-2 Level 3); cannot be exported
Secret Manager
Secret Manager stores sensitive data such as API keys, database passwords, and TLS certificates as secrets. Key features:
- Versioned secrets: create new versions without deleting old ones
- Automatic replication across regions (with configurable replication policies)
- IAM-controlled access with audit logging
- Integration with Cloud Run, Cloud Functions, and GKE via environment variable injection
Cloud Data Loss Prevention (DLP) API
Cloud DLP inspects, classifies, and de-identifies sensitive data in text, images, and Cloud Storage. Info types detected: PII (names, SSNs, passport numbers), financial data (credit card numbers), health data (medical IDs), and custom patterns. Operations:
- Inspect: scan data for sensitive information
- De-identify: redact, mask, or tokenize sensitive values
- Re-identify: reverse de-identification with proper authorization
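As an added illustration of the three operations above, the following Python (not Cloud DLP API code; the info-type patterns are simplified stand-ins for DLP's built-in infoTypes, and the sample text and key are constructed values) runs inspect, de-identify (masking and tokenization) and re-identify over one record:

```python
import hashlib
import hmac
import re
# Constructed sample text; the SSN and card number are synthetic test values.
SAMPLE = "Contact Jane: SSN 123-45-6789, card 4111 1111 1111 1111, zip 94043"

def luhn_ok(digits: str) -> bool:
    """Checksum that rejects digit runs which merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

INFO_TYPES = {  # simplified stand-ins for DLP infoTypes: (regex, validator)
    "US_SOCIAL_SECURITY_NUMBER": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda v: True),
    "CREDIT_CARD_NUMBER": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                           lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
}

def inspect(text: str) -> list:
    """Inspect: return (info_type, matched_value) findings."""
    return [(name, m.group()) for name, (rx, ok) in INFO_TYPES.items()
            for m in rx.finditer(text) if ok(m.group())]

def mask(value: str, keep_last: int = 4) -> str:
    """Mask: irreversible; only the last keep_last characters survive."""
    return re.sub(r"\d", "#", value[:-keep_last]) + value[-keep_last:]

def tokenize(value: str, key: bytes) -> str:
    """Tokenize: deterministic keyed surrogate, so joins on the token still work."""
    return "TOK_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(text: str, key: bytes) -> tuple:
    """De-identify: mask card numbers, tokenize SSNs; also return the token map."""
    token_map = {}
    for info_type, value in inspect(text):
        if info_type == "CREDIT_CARD_NUMBER":
            text = text.replace(value, mask(value))
        else:
            tok = tokenize(value, key)
            token_map[tok] = value
            text = text.replace(value, tok)
    return text, token_map

def reidentify(text: str, token_map: dict) -> str:
    """Re-identify: reversible only for callers holding the token map."""
    for tok, value in token_map.items():
        text = text.replace(tok, value)
    return text
```

In Cloud DLP itself, reversible transformations use a cryptographic key (which can be wrapped by Cloud KMS) rather than this example's in-memory token map, so re-identification is gated by IAM access to that key.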
Encryption in Transit
All traffic between users and Google services is encrypted by default using TLS. Google Cloud Certificate Manager manages TLS certificates for Cloud Load Balancing, Cloud CDN, and other services.
| Service | Purpose |
|---|---|
| Cloud KMS | Manage cryptographic keys (CMEK) |
| Cloud HSM | Hardware-backed key management (FIPS 140-2 L3) |
| Secret Manager | Store and access application secrets and credentials |
| Cloud DLP | Discover, classify, and de-identify sensitive data |
- ✓ Google Cloud encrypts all data at rest by default with AES-256; no configuration needed
- ✓ CMEK lets you use your own keys in Cloud KMS for encryption; you control key lifecycle and rotation
- ✓ Cloud HSM provides hardware-backed key storage meeting FIPS 140-2 Level 3 requirements
- ✓ Secret Manager stores application credentials (API keys, passwords) with versioning and IAM-controlled access
- ✓ Cloud DLP inspects and de-identifies sensitive data (PII, financial data) in Cloud Storage and other sources
1. A company wants to ensure that database connection strings and API keys used by their Cloud Run services are stored securely and not exposed in environment variables in plaintext. Which service should they use?
2. A data team wants to scan a Cloud Storage bucket containing customer records to find any PII before sharing the data with an analytics team. Which Google Cloud service should they use?