As part of the data governance team, you're tasked with implementing security requirements, including encrypting all data in BigQuery using an encryption key managed by your team, with the encryption material generated and stored exclusively on your on-premises hardware security module (HSM). You prefer relying on Google-managed solutions. What's the recommended approach for this scenario?