Question 4
Domain 2: Data Protection and Identity SecurityA cloud architect is designing a data protection scheme that requires different encryption keys for different data classifications. Which key management capability is ESSENTIAL to support this design?
Correct answer: B
Explanation
Hierarchical key management supports separate keys for different classifications by using "data encryption keys" to protect the data and "key encryption keys" to protect those keys. This layered structure lets the architect assign and rotate keys independently while keeping each data class isolated under its own key hierarchy.
Why each option is right or wrong
A. Single master key for all encryption operations
B. Hierarchical key management with data encryption keys and key encryption keys
A layered key hierarchy is required here because the design calls for distinct cryptographic separation by data class, which is achieved by using a unique data encryption key (DEK) for the actual data and a higher-level key encryption key (KEK) to wrap or protect each DEK. In practice, this is the standard hierarchical model used in key management systems: the KEK can be rotated or controlled centrally without re-encrypting all data, while each classification can retain its own DEK boundary for isolation.
C. Static key usage without rotation capability
D. Shared keys across all data classifications