Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Explain encryption as a service

Practice VA-003 Explain encryption as a service questions with full explanations on every answer.

54 questions


VA-003 Domains

Compare authentication methods · Assess Vault tokens · Create Vault policies · Manage Vault leases · Compare and configure secrets engines · Utilize Vault CLI and API · Explain Vault architecture · Explain encryption as a service


All VA-003 Explain encryption as a service questions (54)


1

A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?

2

A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?

3

A developer wants to encrypt data using Vault's transit engine with a key named 'payment-key'. The key already exists and is set to allow encryption. Which API path should the developer use to encrypt the data?

4

An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?

5

Which TWO capabilities are required in a Vault policy to allow a client to encrypt data using a key named 'app-key' in the transit engine? (Assume the key already exists.)

6

Which THREE statements are true about Vault's encryption as a service using the transit engine?

7

A multinational corporation uses Vault Enterprise with the transit engine to encrypt sensitive financial data across multiple cloud regions. Each region has its own Vault cluster, and they use performance replication to synchronize transit keys. Recently, the team in the Asia-Pacific region reports that encryption operations are slower than in other regions. They also notice that some decryption requests for data encrypted with a key that was rotated in the primary region are failing with 'key version not found' errors. The transit key is named 'fin-key' and has been rotated three times. The Asia-Pacific cluster is up-to-date with replication according to the replication status dashboard. Which action should the operations team take to resolve the decryption failures?

8

A DevOps team needs to encrypt sensitive configuration data before storing it in a version control system. They want to use Vault's encryption as a service to encrypt the data using a named encryption key. Which Vault path should they use to perform the encryption?

9

Which TWO statements correctly describe Vault's encryption as a service using the Transit secrets engine?

10

After rotating the 'payment-key', Vault successfully decrypts data encrypted with the old key (v1). What is the most likely reason the decryption succeeded?

11

A DevOps team needs to implement encryption as a service for application data stored in a PostgreSQL database. They want to use Vault's transit secrets engine to encrypt sensitive fields before storage. Which TWO actions should the team take to ensure the encryption keys are rotated automatically and securely?

12

A financial technology company uses Vault Enterprise to manage encryption keys for its payment processing system. The system uses the transit secrets engine to encrypt credit card numbers before storing them in a legacy database. The security team mandates that all encryption keys must be automatically rotated every 30 days. The operations team configures the key 'payment-cards' with 'auto_rotate_period' set to 30 days. After the first rotation, the payment processing application starts failing with 'permission denied' errors when trying to decrypt previously encrypted data. The application uses a token with a policy that grants 'create' and 'update' capabilities on 'transit/decrypt/payment-cards'. The application does not use the 'rewrap' endpoint. The Vault audit logs show that the decryption requests are being made to the correct path. What is the most likely cause of the failure?

13

Drag and drop the steps to configure Vault's AWS secrets engine to generate IAM credentials into the correct order.

14

Match each Vault response wrapping feature to its description.

15

A developer wants to encrypt a password before storing it in a database. The encryption must be deterministic so that the same plaintext always produces the same ciphertext. Which encryption mode should be used in the transit secrets engine?

16

A DevOps team needs to encrypt large files (several GB) using Vault's transit engine. What is the recommended approach?

17

A team has set up automatic key rotation on a transit key. After rotation, encrypted data that was encrypted with the previous key version can no longer be decrypted. What is the most likely cause?

18

An application needs to encrypt credit card numbers. The encryption must be deterministic for indexing purposes but also support key rotation. Which approach should be used?

19

What is the primary purpose of the Vault transit secrets engine?

20

A security policy requires that encryption keys used in transit must never leave Vault's memory. However, development teams need to perform encryption offline in CI/CD pipelines. How can this be accomplished?

21

A user receives an error 'invalid ciphertext' when trying to decrypt data. The ciphertext was created by another Vault instance. What is the most likely issue?

22

Which Vault API path is used to encrypt data with the transit engine?

23

An organization wants to ensure that even Vault administrators cannot see the plaintext of data encrypted with the transit engine, but they want to use Vault for key management. What feature should be enabled?

24

A company uses Vault transit to encrypt secrets. They want to periodically rotate the encryption key to meet compliance requirements. Which TWO actions should be taken? (Choose two.)

25

An application uses transit encryption with convergent encryption enabled. Which THREE statements are true about convergent encryption? (Choose three.)

26

Which THREE are valid operations in the Vault transit secrets engine? (Choose three.)

27

Refer to the exhibit. What is the purpose of the -field=ciphertext flag in this command?

28

Refer to the exhibit. Based on this policy, which actions can the associated token perform? (Assume all paths exist.)

29

Refer to the exhibit. What does min_decryption_version = 1 indicate?

30

An application needs to encrypt sensitive data before storing it in a database. The security team wants to use Vault's encryption as a service to avoid managing encryption keys. Which Vault secrets engine should they enable?

31

A DevOps engineer is configuring Vault to encrypt data in transit for a microservice. They create a key in the transit engine and want to encrypt a base64-encoded plaintext. Which API path and operation should they use?

32

An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?

33

An organization wants to encrypt sensitive fields in their database using Vault. They have multiple applications that need to encrypt different types of data. What approach should they take?

34

A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?

35

A security engineer needs to ensure that if a key is compromised, previous ciphertext can be re-encrypted with a new key version without exposing the plaintext. Which Vault operation should they use?

36

A compliance requirement states that encryption keys must be automatically rotated every 90 days. Which Vault feature can be used to enforce this?

37

An application encrypts data using the transit engine and stores the ciphertext in a database. After a key rotation, the application can no longer decrypt the data. What is the most likely cause?

38

A developer wants to encrypt a string "hello" using Vault's transit engine. What must they send in the API request?

39

Which TWO of the following are valid uses of the Vault transit secrets engine?

40

Which THREE of the following best practices should be followed when using Vault's encryption as a service with the transit engine?

41

Which TWO of the following are benefits of using Vault's transit engine for encryption as a service?

42

Refer to the exhibit. A DevOps engineer runs `vault read -format=json transit/keys/mykey` and receives the output shown. A microservice attempts to decrypt data that was encrypted with version 1 of the key. Will the decryption succeed?

43

Refer to the exhibit. An application token has the above policy. Which operation will fail?

44

Refer to the exhibit. A developer receives this error when attempting to decrypt data. What is the most likely cause?

45

A development team is building a microservices application that needs to encrypt sensitive customer data before storing it in a shared database. They want to minimize changes to their existing code and avoid managing encryption keys themselves. Which Vault feature should they use?

46

A security auditor requires that all encryption keys used to protect customer data must be periodically rotated according to company policy. The company uses Vault's Transit secrets engine. What is the recommended approach to rotate the encryption key?

47

Which TWO are benefits of using Vault's encryption as a service?

48

Which THREE are appropriate use cases for Vault's Transit secrets engine?

49

A healthcare company uses Vault Transit to encrypt patient records before storing them in a database. Each request to encrypt a small field (e.g., SSN) takes about 200ms due to network latency and cryptographic overhead. The application needs to encrypt millions of records daily, causing performance bottlenecks. The team wants to reduce latency per encryption operation. After reviewing the Vault documentation, they consider the following options: A. Use the batch encryption endpoint to encrypt multiple plaintexts in a single API call. B. Deploy a local caching proxy on each application server to intercept encryption calls. C. Enable Vault's built-in encryption result caching. D. Use a dedicated, high-performance Vault cluster with more resources. Which option most directly reduces per-operation latency?

50

A fintech company uses Vault Transit to encrypt credit card numbers (PANs) for PCI-DSS compliance. The security team enforces key rotation every 30 days, and Vault keeps previous key versions to allow decryption of old data. One day, a developer accidentally runs a command that deletes the latest key version before the rotation is complete. The company has Vault configured with key version soft-delete enabled. The incident response team needs to recover the ability to decrypt ciphertexts that were encrypted with the deleted key version. Which action should they take first?

51

A company is using Vault Transit to encrypt files before uploading them to an S3 bucket. They notice that for a given plaintext file, the ciphertext output is always identical, even when encrypting at different times. They are using the `encrypt` endpoint with the default AES-GCM algorithm. The team is concerned about security because the repeated ciphertext leaks information (e.g., file equality). What is the most likely cause of this behavior?

52

A data analytics company needs to encrypt streaming data (e.g., clickstream events) before sending to a cloud data lake. Each event is about 1KB. They use Vault Transit to encrypt each event individually. The encryption rate is too slow for the volume (100,000 events/second). The team considers options to improve performance. Which approach is most effective for reducing the number of API calls to Vault while maintaining security?

53

A company wants to encrypt sensitive data at rest in its application using HashiCorp Vault. They need to ensure that each application instance uses a unique encryption key without storing keys locally. Which TWO actions should the security team take to meet these requirements?

54

A financial services company uses HashiCorp Vault's transit engine to encrypt customer credit card numbers. The application sends each credit card number individually to Vault for encryption, and the response time is acceptable. However, during peak hours, the company needs to encrypt large batches of 10,000 credit card numbers. Users report that encrypting the entire batch takes several minutes, causing timeouts. The Vault cluster is healthy and not under high load. The security team wants to reduce the encryption time without changing the encryption algorithm or key strength. What should they do?


Frequently asked questions

What does the Explain encryption as a service domain cover on the VA-003 exam?

The Explain encryption as a service domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.

How many Explain encryption as a service questions are in the VA-003 question bank?

The Courseiva VA-003 question bank contains 54 questions in the Explain encryption as a service domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Explain encryption as a service for VA-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Explain encryption as a service questions for VA-003?

Yes — the session launcher on this page draws questions exclusively from the Explain encryption as a service domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
