Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp Vault-Associate Exam - Topic 1 Question 31 Discussion

You are using Vault's Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?
B) Upgrade to Vault Enterprise and integrate with HSM
A) Use 4096-bit RSA key to encrypt the data
C) Periodically re-key the Vault's unseal keys
D) Periodically rotate the encryption key

HashiCorp Vault-Associate Exam - Topic 1 Question 31 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 31
Topic #: 1
[All Vault-Associate Questions]

You are using Vault's Transit secrets engine to encrypt your dat

a. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?

Show Suggested Answer Hide Answer
Suggested Answer: B

Running the second command in the GUI CLI will fail. The second command is vault kv put secret/creds passcode=my-long-passcode. This command attempts to write a secret named creds with the value passcode=my-long-passcode to the secret path, which is the default path for the kv secrets engine. However, the kv secrets engine is not enabled at the secret path, as shown by the first command vault secrets list, which lists the enabled secrets engines and their paths. The only enabled secrets engine is the transit secrets engine at the transit path. Therefore, the second command will fail with an error message saying that no secrets engine is mounted at the path secret/. To make the second command succeed, the kv secrets engine must be enabled at the secret path or another path, using the vault secrets enable command. For example, vault secrets enable -path=secret kv would enable the kv secrets engine at the secret path.Reference:kv - Command | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer


by Lucille at Oct 24, 2024, 05:02 AM

Limited Time Offer

25%

Off

Get Premium Vault-Associate Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
James
6 months ago
Wait, can you really just rotate keys like that? Sounds too easy.
upvoted 0 times
...
Jesusa
6 months ago
Totally agree with D, keeps things fresh!
upvoted 0 times
...
Elfriede
7 months ago
A 4096-bit key? Seems overkill for most cases.
upvoted 0 times
...
Glory
7 months ago
I think B is better, HSM adds extra security.
upvoted 0 times
...
Gregoria
7 months ago
D is the way to go! Regular key rotation is key.
upvoted 0 times
...
Laurene
7 months ago
Upgrading to Vault Enterprise sounds like a good idea, but I'm not convinced it directly addresses the key compromise concern.
upvoted 0 times
...
Lawana
8 months ago
I practiced a similar question where re-keying was mentioned, but I can't recall if it was about unseal keys or encryption keys.
upvoted 0 times
...
Sheron
8 months ago
I'm not entirely sure, but I feel like using a 4096-bit RSA key might not really help with the key compromise issue.
upvoted 0 times
...
Georgiana
8 months ago
I think I remember something about key rotation being important for security, so maybe option D is the right choice?
upvoted 0 times
...
Ernie
8 months ago
Alright, I think I've got this one figured out. The key is to periodically rotate the encryption key used by the Transit secrets engine. That way, even if one key is compromised, you limit the amount of data that could be accessed. Option D is definitely the way to go here.
upvoted 0 times
...
Mitsue
8 months ago
Ugh, I hate these Vault questions. I'm just not that comfortable with the specifics of how it works. I guess I'd go with option D since it sounds like the most straightforward way to limit the exposure if a key is breached. But I'm not totally confident in that answer.
upvoted 0 times
...
Alva
8 months ago
Okay, let me think this through. I know Vault is used for securely storing sensitive data, so reducing the amount of content encrypted with a single key makes sense to limit the impact if that key is compromised. I'm leaning towards option D, but I'll need to double-check the details on how that works in Vault.
upvoted 0 times
...
Danica
8 months ago
Hmm, this seems like a tricky one. I'm not too familiar with Vault's Transit secrets engine, but I think option D about rotating the encryption key sounds like the way to go.
upvoted 0 times
...
Alysa
1 year ago
Rotating the keys? That's like changing the locks on your house Alysary week. But hey, if it keeps the data safe, I'm all for it!
upvoted 0 times
...
Willodean
1 year ago
Rotating the keys? Sounds like a lot of work. Maybe I'll just lock the server in a lead-lined box instead. Problem solved!
upvoted 0 times
...
Trevor
1 year ago
Rotating the encryption key is definitely the way to go. I don't want to end up like the guy who lost the key to his bitcoin wallet, you know?
upvoted 0 times
Irma
12 months ago
C
upvoted 0 times
...
Jame
12 months ago
D
upvoted 0 times
...
Loreta
1 year ago
A
upvoted 0 times
...
...
Alisha
1 year ago
Hmm, I'm tempted to go with the HSM integration, but that might be overkill for my use case. Decisions, decisions.
upvoted 0 times
Reuben
12 months ago
C) Periodically re-key the Vault's unseal keys
upvoted 0 times
...
Ena
12 months ago
B) Upgrade to Vault Enterprise and integrate with HSM
upvoted 0 times
...
Domitila
1 year ago
A) Use 4096-bit RSA key to encrypt the data
upvoted 0 times
...
...
Angelo
1 year ago
Rotating the encryption key seems like the obvious choice here. Gotta keep that data secure, you know?
upvoted 0 times
Michal
12 months ago
D) Periodically rotate the encryption key
upvoted 0 times
...
Paola
1 year ago
C) Periodically re-key the Vault's unseal keys
upvoted 0 times
...
Ludivina
1 year ago
A) Use 4096-bit RSA key to encrypt the data
upvoted 0 times
...
...
Belen
1 year ago
I believe upgrading to Vault Enterprise and integrating with HSM could provide better security for our data.
upvoted 0 times
...
Loreta
1 year ago
I agree with Maurine. Using a 4096-bit RSA key might be too complex for our needs.
upvoted 0 times
...
Maurine
1 year ago
I think we should periodically rotate the encryption key to reduce the amount of content encrypted with a single key.
upvoted 0 times
...

Save Cancel