L13. Data Protection: Cloud KMS, Secret Manager, and DLP API


Google Cloud provides multiple layers of data protection. The Digital Leader exam tests Cloud KMS for encryption key management, Secret Manager for credential storage, and Cloud DLP for sensitive data discovery.

Encryption on Google Cloud

Google Cloud encrypts all data at rest by default using AES-256 encryption. You don't need to configure anything for baseline encryption. Layers of encryption:

  • Google-managed keys (default): Google handles everything; no configuration needed
  • Customer-managed encryption keys (CMEK): you create and manage keys in Cloud KMS; Google uses them for encryption/decryption on your behalf
  • Customer-supplied encryption keys (CSEK): you provide the raw key material for each API call; you manage keys entirely outside Google
  • Client-side encryption: you encrypt data before sending it to Google Cloud

Cloud Key Management Service (KMS)

Cloud KMS is a managed service for creating and controlling cryptographic keys. Key types:

  • Software keys: stored and used in software; cheaper
  • Hardware keys (Cloud HSM): keys generated and used in certified hardware security modules (FIPS 140-2 Level 3); cannot be exported

Key operations: encrypt, decrypt, sign, verify; key rotation (automatic rotation supported). Key rings: logical groupings of keys with shared location and IAM policies.

Secret Manager

Secret Manager stores sensitive data such as API keys, database passwords, and TLS certificates as secrets. Key features:

  • Versioned secrets: create new versions without deleting old ones
  • Automatic replication across regions (with configurable replication policies)
  • IAM-controlled access with audit logging
  • Integration with Cloud Run, Cloud Functions, GKE via environment variable injection

Secret Manager vs. Cloud KMS: KMS manages cryptographic keys for encrypting data. Secret Manager stores secret values (credentials, tokens) securely.

Cloud Data Loss Prevention (DLP) API

Cloud DLP inspects, classifies, and de-identifies sensitive data in text, images, and Cloud Storage. Info types detected: PII (names, SSNs, passport numbers), financial data (credit card numbers), health data (medical IDs), and custom patterns. Operations:

  • Inspect: scan data for sensitive information
  • De-identify: redact, mask, or tokenize sensitive values
  • Re-identify: reverse de-identification with proper authorization

Use cases: finding sensitive data in Cloud Storage before moving to analytics, masking PII in logs before sharing with analytics teams.
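As an added example, not code from this lesson or from Google's DLP client library, the Inspect and De-identify operations above modelled locally in standard-library Python: a constructed log line, hypothetical regex detectors standing in for DLP infoTypes, a Luhn check so that card-shaped digit runs are not masked blindly, and the two de-identification transformations (masking for numeric identifiers, keyed deterministic tokenization for e-mail addresses). The sample line, patterns, info-type names and TOKEN_KEY are all assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample log line with fake values that must not reach an analytics team raw.
SAMPLE_LOG = "user=alice ssn=123-45-6789 card=4111 1111 1111 1111 mail=alice@example.com bad=1234 5678 9012 3456"
# Hypothetical tokenization key; in production it would be read from Secret Manager, not hard-coded.
TOKEN_KEY = b"constructed-demo-key-not-for-production"
INFO_TYPES = {  # hypothetical stand-ins for DLP built-in infoTypes, not DLP's own patterns
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

def luhn_valid(number: str) -> bool:
    """Checksum that rejects digit runs which merely look like card numbers (fewer false positives)."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect(text: str) -> list[dict[str, str]]:
    """Inspect: report each finding as {infoType, quote}, the shape of a DLP inspect result."""
    findings = []
    for info_type, pattern in INFO_TYPES.items():
        for m in pattern.finditer(text):
            if info_type == "CREDIT_CARD_NUMBER" and not luhn_valid(m.group()):
                continue  # card-shaped but fails Luhn: treat as a false positive
            findings.append({"infoType": info_type, "quote": m.group()})
    return findings

def mask_value(value: str, keep_last: int = 4) -> str:
    """Masking: star out every letter/digit except the last `keep_last`, keeping separators."""
    chars = list(value)
    alnum = [i for i, c in enumerate(chars) if c.isalnum()]
    for i in alnum[:len(alnum) - keep_last]:
        chars[i] = "*"
    return "".join(chars)

def tokenize(value: str, info_type: str, key: bytes = TOKEN_KEY) -> str:
    """Tokenization: keyed, deterministic surrogate so records can still be joined on the value."""
    return f"{info_type}({hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]})"

def de_identify(text: str) -> str:
    """De-identify: tokenize e-mails, mask the other findings; Luhn failures are left untouched."""
    for f in inspect(text):
        email = f["infoType"] == "EMAIL_ADDRESS"
        text = text.replace(f["quote"], tokenize(f["quote"], f["infoType"]) if email else mask_value(f["quote"]))
    return text
```

Run de_identify(SAMPLE_LOG) to see the masked SSN and card, the tokenized e-mail, and the Luhn-failing number left in place, which is the kind of residual a reviewer still checks before the data is shared.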

Encryption in Transit

All traffic between Google services and users is encrypted by default using TLS. Google Cloud Certificate Manager manages TLS certificates for Cloud Load Balancing, CDN, and other services.

Service          Purpose
Cloud KMS        Manage cryptographic keys (CMEK)
Cloud HSM        Hardware-backed key management (FIPS 140-2 L3)
Secret Manager   Store and access application secrets and credentials
Cloud DLP        Discover, classify, and de-identify sensitive data

Exam tip: Cloud KMS manages encryption keys. Secret Manager stores credentials. Cloud DLP finds and masks sensitive data in your datasets.

Exam Focus Points

  • Google Cloud encrypts all data at rest by default with AES-256; no configuration needed
  • CMEK lets you use your own keys in Cloud KMS for encryption; you control key lifecycle and rotation
  • Cloud HSM provides hardware-backed key storage meeting FIPS 140-2 Level 3 requirements
  • Secret Manager stores application credentials (API keys, passwords) with versioning and IAM-controlled access
  • Cloud DLP inspects and de-identifies sensitive data (PII, financial data) in Cloud Storage and other sources

Knowledge Check

1. A company wants to ensure that database connection strings and API keys used by their Cloud Run services are stored securely and not exposed in environment variables in plaintext. Which service should they use?

2. A data team wants to scan a Cloud Storage bucket containing customer records to find any PII before sharing the data with an analytics team. Which Google Cloud service should they use?
