Google Cloud Data Engineer Exam - Encryption Review Notes

Author: 塞小娜 | Published 2018-08-15 21:37

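    Encryption accounts for only a small number of questions on the Google Cloud Data Engineer exam, but it is still a topic to review.

    After studying it, I strongly recommend Google's official talk video (in English):
    https://www.youtube.com/watch?v=StJ1NOQjAjo

    The speaker is a product manager for security at Google. The talk moves from the basics to the details, which is much better than the documentation, where it is hard to know where to start.

    She speaks fairly fast, so I took screenshots of a few important slides to share with you: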

    Google Cloud encrypts data at rest by default. There are three options:

    1. Default Google encryption
      -> created by Google
      -> managed by Google
      -> by default

    2. Customer-managed encryption keys (CMEK)
      -> created by Google
      -> managed by customer
      -> generally available

    3. Customer-supplied encryption keys (CSEK)
      -> supplied by customer
      -> managed by Google
      -> available for GCE and GCS only

    KEKs (key encryption keys) are located in Key Management Service (KMS)

    Key rotation:
    -> automatic: rotate on a schedule, say every 30 days
    -> manual: call the API, or use the UI

    Separation of duties:
    The people who set the encryption keys are not the people who use the encryption keys
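
The key rotation and separation-of-duties notes above can be checked mechanically. The Python below is an added example, not from the talk or the original post: it audits records shaped like the JSON from `gcloud kms keys describe` and `gcloud kms keys get-iam-policy`. The project, key and member names are constructed, and the 30-day threshold is an assumption taken from the notes.

```python
ADMIN_ROLES = {"roles/cloudkms.admin"}  # role that sets up and manages keys
USER_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter",  # roles that use keys
              "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyDecrypter"}
MAX_ROTATION_DAYS = 30  # assumed threshold, from the notes' "say 30 days"

def _entry(key_id, period, admins, users):
    """Build one constructed record; project and member names are made up."""
    key = {"name": f"projects/example-proj/locations/global/keyRings/kr/cryptoKeys/{key_id}"}
    if period:
        key["rotationPeriod"] = period  # field set only when rotation is automatic
    policy = {"bindings": [
        {"role": "roles/cloudkms.admin", "members": admins},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": users}]}
    return {"key": key, "policy": policy}

SAMPLE = [
    _entry("auto-30d", "2592000s", ["user:kms-admin@example.com"], ["user:etl@example.com"]),
    _entry("manual-only", None, ["user:kms-admin@example.com"], ["user:etl@example.com"]),
    _entry("shared-duty", "7776000s", ["user:dev@example.com"], ["user:dev@example.com"]),
]

def rotation_days(key):
    """Automatic rotation period in days, or None when rotation is manual only."""
    period = key.get("rotationPeriod")  # duration string such as "2592000s"
    return float(period.rstrip("s")) / 86400 if period else None

def dual_role_members(policy):
    """Members bound directly to both a key-admin role and a key-use role."""
    def holders(roles):
        return {m for b in policy.get("bindings", [])
                if b["role"] in roles for m in b["members"]}
    return sorted(holders(ADMIN_ROLES) & holders(USER_ROLES))

def audit(entries):
    """Return (key id, finding) pairs for rotation and separation-of-duties gaps."""
    findings = []
    for e in entries:
        key_id, days = e["key"]["name"].rsplit("/", 1)[-1], rotation_days(e["key"])
        if days is None:
            findings.append((key_id, "no automatic rotation schedule"))
        elif days > MAX_ROTATION_DAYS:
            findings.append((key_id, f"rotates every {days:g} days, over {MAX_ROTATION_DAYS}"))
        findings.extend((key_id, f"{m} both administers and uses the key")
                        for m in dual_role_members(e["policy"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

Only bindings set directly on each key are compared; roles inherited from the key ring or project, group membership, and broad roles such as `roles/owner` need a wider policy walk.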

    Article link: https://www.haomeiwen.com/subject/emrgbftx.html