Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp Vault-Associate Exam - Topic 4 Question 10 Discussion

A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.
B) The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted
A) You can rotate the encryption key so that the attacker won't be able to decrypt the data
C) The Vault administrator would need to seal the Vault server immediately
D) Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)

HashiCorp Vault-Associate Exam - Topic 4 Question 10 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 10
Topic #: 4
[All Vault-Associate Questions]

A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.

Show Suggested Answer Hide Answer
Suggested Answer: B

Running the second command in the GUI CLI will fail. The second command is vault kv put secret/creds passcode=my-long-passcode. This command attempts to write a secret named creds with the value passcode=my-long-passcode to the secret path, which is the default path for the kv secrets engine. However, the kv secrets engine is not enabled at the secret path, as shown by the first command vault secrets list, which lists the enabled secrets engines and their paths. The only enabled secrets engine is the transit secrets engine at the transit path. Therefore, the second command will fail with an error message saying that no secrets engine is mounted at the path secret/. To make the second command succeed, the kv secrets engine must be enabled at the secret path or another path, using the vault secrets enable command. For example, vault secrets enable -path=secret kv would enable the kv secrets engine at the secret path.Reference:kv - Command | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer


by Nickolas at Feb 13, 2024, 05:55 PM

Limited Time Offer

25%

Off

Get Premium Vault-Associate Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Benedict
6 months ago
I disagree with D, they might still find a way to decrypt it.
upvoted 0 times
...
Dannette
6 months ago
Sealing the Vault server is a must in any breach situation.
upvoted 0 times
...
Jutta
7 months ago
Wait, how can they decrypt it if it's just encrypted bits?
upvoted 0 times
...
Dorsey
7 months ago
I think B is also correct!
upvoted 0 times
...
Oliva
7 months ago
A and D seem right to me.
upvoted 0 times
...
Dion
7 months ago
I feel like option C is a bit of a stretch. Sealing the Vault server seems drastic for just an interception.
upvoted 0 times
...
Kaycee
8 months ago
I'm a bit confused about option D. If the data is encrypted in transit, does that mean the attacker can't do anything with it?
upvoted 0 times
...
Pearly
8 months ago
I think option B sounds right because it mentions moving the min_decryption_version, which we discussed in class.
upvoted 0 times
...
Beata
8 months ago
I remember something about key rotation being important, but I'm not sure if it applies here.
upvoted 0 times
...
Glendora
8 months ago
I've got this! The correct answers are B and D. By rotating the keys and moving the min_decryption_version, the attacker won't be able to decrypt the intercepted data. And even if they could access the raw data, it would still be encrypted.
upvoted 0 times
...
Tequila
8 months ago
Okay, let's think this through. The attacker has intercepted the encrypted data, so we need to make sure they can't decrypt it. Rotating the keys and sealing the Vault server seem like logical steps to take.
upvoted 0 times
...
Freeman
8 months ago
This question seems straightforward. I think the key is understanding how Vault's transit secrets engine works and the options available for protecting the encrypted data.
upvoted 0 times
...
Fallon
8 months ago
Hmm, I'm a bit unsure about this one. Rotating the encryption key and moving the min_decryption_version forward sounds like a good strategy, but I'm not sure if that's the complete answer.
upvoted 0 times
...
Malcom
8 months ago
I've got a good feeling about this one. The router should send a link-state update to the neighbor to provide the correct, up-to-date LSA information.
upvoted 0 times
...
Kenneth
8 months ago
Okay, let me break this down. The key things I need to look for are an object that can calculate an average and also group the data by country. I think a few of these options could work, but I'll have to evaluate them closely.
upvoted 0 times
...
Sue
1 year ago
Gotta love these Vault questions! They really make you think about the security implications of your infrastructure. I'm just glad I don't have to worry about sealing the Vault server every time someone sniffs the network.
upvoted 0 times
Irma
12 months ago
D) Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
upvoted 0 times
...
Allene
12 months ago
A) You can rotate the encryption key so that the attacker won't be able to decrypt the data
upvoted 0 times
...
...
Bette
1 year ago
Exactly, even if the attacker got their hands on the raw data, all they'd have is a bunch of encrypted bits. It's like trying to read a book written in a language you don't understand.
upvoted 0 times
...
Galen
1 year ago
Haha, sealing the Vault server? That's a bit of an overkill, don't you think? I mean, the data is already encrypted in transit, so the attacker wouldn't be able to read it anyway.
upvoted 0 times
Youlanda
1 year ago
D) Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
upvoted 0 times
...
Antonio
1 year ago
A) You can rotate the encryption key so that the attacker won't be able to decrypt the data
upvoted 0 times
...
...
Ora
1 year ago
Yup, those are the right answers. Rotating the encryption key and moving the min_decryption_version forward is the way to go if an attacker intercepts the data in transit.
upvoted 0 times
...
Irma
1 year ago
But wouldn't sealing the Vault server also be a good option to prevent further access by the attacker?
upvoted 0 times
...
Chara
1 year ago
I agree with you, Lea. Rotating the encryption key and having only encrypted bits would protect the data.
upvoted 0 times
...
Cristen
1 year ago
Wow, this question is really testing our knowledge of Vault's transit secrets engine! I think options A and B are the correct answers here.
upvoted 0 times
Malcom
1 year ago
Even if the attacker intercepts the data, they would only have encrypted bits to work with.
upvoted 0 times
...
Eleonora
1 year ago
Sealing the Vault server may be necessary in extreme cases, but rotating the keys is crucial.
upvoted 0 times
...
Hui
1 year ago
It's important to rotate the encryption key and move min_decryption_version forward to protect the data.
upvoted 0 times
...
Sherita
1 year ago
I agree, options A and B make sense in this scenario.
upvoted 0 times
...
...
Lea
1 year ago
I think the correct answers are A and D.
upvoted 0 times
...

Save Cancel