Practice VA-003 Explain encryption as a service questions with full explanations on every answer.
1. A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?
2. A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?
3. A developer wants to encrypt data using Vault's transit engine with a key named 'payment-key'. The key already exists and is set to allow encryption. Which API path should the developer use to encrypt the data?
4. An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?
5. Which TWO capabilities are required in a Vault policy to allow a client to encrypt data using a key named 'app-key' in the transit engine? (Assume the key already exists.)
6. Which THREE statements are true about Vault's encryption as a service using the transit engine?
7. A multinational corporation uses Vault Enterprise with the transit engine to encrypt sensitive financial data across multiple cloud regions. Each region has its own Vault cluster, and they use performance replication to synchronize transit keys. Recently, the team in the Asia-Pacific region reports that encryption operations are slower than in other regions. They also notice that some decryption requests for data encrypted with a key that was rotated in the primary region are failing with 'key version not found' errors. The transit key is named 'fin-key' and has been rotated three times. The Asia-Pacific cluster is up-to-date with replication according to the replication status dashboard. Which action should the operations team take to resolve the decryption failures?
8. A DevOps team needs to encrypt sensitive configuration data before storing it in a version control system. They want to use Vault's encryption as a service to encrypt the data using a named encryption key. Which Vault path should they use to perform the encryption?
9. Which TWO statements correctly describe Vault's encryption as a service using the Transit secrets engine?
10. After rotating the 'payment-key', Vault successfully decrypts data encrypted with the old key (v1). What is the most likely reason the decryption succeeded?
11. A DevOps team needs to implement encryption as a service for application data stored in a PostgreSQL database. They want to use Vault's transit secrets engine to encrypt sensitive fields before storage. Which TWO actions should the team take to ensure the encryption keys are rotated automatically and securely?
12. A financial technology company uses Vault Enterprise to manage encryption keys for its payment processing system. The system uses the transit secrets engine to encrypt credit card numbers before storing them in a legacy database. The security team mandates that all encryption keys must be automatically rotated every 30 days. The operations team configures the key 'payment-cards' with 'auto_rotate_period' set to 30 days. After the first rotation, the payment processing application starts failing with 'permission denied' errors when trying to decrypt previously encrypted data. The application uses a token with a policy that grants 'create' and 'update' capabilities on 'transit/decrypt/payment-cards'. The application does not use the 'rewrap' endpoint. The Vault audit logs show that the decryption requests are being made to the correct path. What is the most likely cause of the failure?
13. Drag and drop the steps to configure Vault's AWS secrets engine to generate IAM credentials into the correct order.
14. Match each Vault response wrapping feature to its description.
15. A developer wants to encrypt a password before storing it in a database. The encryption must be deterministic so that the same plaintext always produces the same ciphertext. Which encryption mode should be used in the transit secrets engine?
16. A DevOps team needs to encrypt large files (several GB) using Vault's transit engine. What is the recommended approach?
17. A team has set up automatic key rotation on a transit key. After rotation, encrypted data that was encrypted with the previous key version can no longer be decrypted. What is the most likely cause?
18. An application needs to encrypt credit card numbers. The encryption must be deterministic for indexing purposes but also support key rotation. Which approach should be used?
19. What is the primary purpose of the Vault transit secrets engine?
20. A security policy requires that encryption keys held by the transit engine must never leave Vault's memory. However, development teams need to perform encryption offline in CI/CD pipelines. How can this be accomplished?
21. A user receives an error 'invalid ciphertext' when trying to decrypt data. The ciphertext was created by another Vault instance. What is the most likely issue?
22. Which Vault API path is used to encrypt data with the transit engine?
23. An organization wants to ensure that even Vault administrators cannot see the plaintext of data encrypted with the transit engine, but they want to use Vault for key management. What feature should be enabled?
24. A company uses Vault transit to encrypt secrets. They want to periodically rotate the encryption key to comply with compliance requirements. Which TWO actions should be taken? (Choose two.)
25. An application uses transit encryption with convergent encryption enabled. Which THREE statements are true about convergent encryption? (Choose three.)
26. Which THREE are valid operations in the Vault transit secrets engine? (Choose three.)
27. Refer to the exhibit. What is the purpose of the `-field=ciphertext` flag in this command?
28. Refer to the exhibit. Based on this policy, which actions can the associated token perform? (Assume all paths exist.)
29. Refer to the exhibit. What does `min_decryption_version = 1` indicate?
30. An application needs to encrypt sensitive data before storing it in a database. The security team wants to use Vault's encryption as a service to avoid managing encryption keys. Which Vault secrets engine should they enable?
31. A DevOps engineer is configuring Vault's transit engine to encrypt data for a microservice. They create a key in the transit engine and want to encrypt a base64-encoded plaintext. Which API path and operation should they use?
32. An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?
33. An organization wants to encrypt sensitive fields in their database using Vault. They have multiple applications that need to encrypt different types of data. What approach should they take?
34. A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?
35. A security engineer needs to ensure that if a key is compromised, previous ciphertext can be re-encrypted with a new key version without exposing the plaintext. Which Vault operation should they use?
36. A compliance requirement states that encryption keys must be automatically rotated every 90 days. Which Vault feature can be used to enforce this?
37. An application encrypts data using the transit engine and stores the ciphertext in a database. After a key rotation, the application can no longer decrypt the data. What is the most likely cause?
38. A developer wants to encrypt a string "hello" using Vault's transit engine. What must they send in the API request?
39. Which TWO of the following are valid uses of the Vault transit secrets engine?
40. Which THREE of the following best practices should be followed when using Vault's encryption as a service with the transit engine?
41. Which TWO of the following are benefits of using Vault's transit engine for encryption as a service?
42. Refer to the exhibit. A DevOps engineer runs `vault read -format=json transit/keys/mykey` and receives the output shown. A microservice attempts to decrypt data that was encrypted with version 1 of the key. Will the decryption succeed?
43. Refer to the exhibit. An application token has the above policy. Which operation will fail?
44. Refer to the exhibit. A developer receives this error when attempting to decrypt data. What is the most likely cause?
45. A development team is building a microservices application that needs to encrypt sensitive customer data before storing it in a shared database. They want to minimize changes to their existing code and avoid managing encryption keys themselves. Which Vault feature should they use?
46. A security auditor requires that all encryption keys used to protect customer data must be periodically rotated according to company policy. The company uses Vault's Transit secrets engine. What is the recommended approach to rotate the encryption key?
47. Which TWO are benefits of using Vault's encryption as a service?
48. Which THREE are appropriate use cases for Vault's Transit secrets engine?
49. A healthcare company uses Vault Transit to encrypt patient records before storing them in a database. Each request to encrypt a small field (e.g., SSN) takes about 200ms due to network latency and cryptographic overhead. The application needs to encrypt millions of records daily, causing performance bottlenecks. The team wants to reduce latency per encryption operation. After reviewing the Vault documentation, they consider the following options. Which option most directly reduces per-operation latency?
  A. Use the batch encryption endpoint to encrypt multiple plaintexts in a single API call.
  B. Deploy a local caching proxy on each application server to intercept encryption calls.
  C. Enable Vault's built-in encryption result caching.
  D. Use a dedicated, high-performance Vault cluster with more resources.
50. A fintech company uses Vault Transit to encrypt credit card numbers (PANs) for PCI-DSS compliance. The security team enforces key rotation every 30 days, and Vault keeps previous key versions to allow decryption of old data. One day, a developer accidentally runs a command that deletes the latest key version before the rotation is complete. The company has Vault configured with key version soft-delete enabled. The incident response team needs to recover the ability to decrypt ciphertexts that were encrypted with the deleted key version. Which action should they take first?
51. A company is using Vault Transit to encrypt files before uploading them to an S3 bucket. They notice that for a given plaintext file, the ciphertext output is always identical, even when encrypting at different times. They are using the `encrypt` endpoint with the default AES-GCM algorithm. The team is concerned about security because the repeated ciphertext leaks information (e.g., file equality). What is the most likely cause of this behavior?
52. A data analytics company needs to encrypt streaming data (e.g., clickstream events) before sending it to a cloud data lake. Each event is about 1KB. They use Vault Transit to encrypt each event individually. The encryption rate is too slow for the volume (100,000 events/second). The team considers options to improve performance. Which approach is most effective for reducing the number of API calls to Vault while maintaining security?
53. A company wants to encrypt sensitive data at rest in its application using HashiCorp Vault. They need to ensure that each application instance uses a unique encryption key without storing keys locally. Which TWO actions should the security team take to meet these requirements?
54. A financial services company uses HashiCorp Vault's transit engine to encrypt customer credit card numbers. The application sends each credit card number individually to Vault for encryption, and the response time is acceptable. However, during peak hours, the company needs to encrypt large batches of 10,000 credit card numbers. Users report that encrypting the entire batch takes several minutes, causing timeouts. The Vault cluster is healthy and not under high load. The security team wants to reduce the encryption time without changing the encryption algorithm or key strength. What should they do?
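Many of the questions above come down to the exact transit HTTP paths, the base64 requirement, batch input, rewrap and data keys. The following is an added example written for this page; it is not Courseiva's code and not HashiCorp's client library. It assumes the engine is mounted at the default `transit` path, that the key (`app-key`) already exists, and that `VAULT_ADDR` and `VAULT_TOKEN` are exported before the network functions are called; the module name, `MOUNT` constant and all function names are mine. The request builders and the ciphertext parser run without any server.

```python
"""Minimal client for Vault's transit secrets engine over its HTTP API.

Added example for this page; not Courseiva's or HashiCorp's code.
Assumptions: the engine is mounted at the default path "transit", the
key already exists, and VAULT_ADDR / VAULT_TOKEN are exported before the
network functions are called.  The request builders and the ciphertext
parser need no server at all.

Policy the calling token needs (encrypt/decrypt/rewrap are POST
operations, so the capability is "update" or "create", never "read"):
    path "transit/encrypt/app-key" { capabilities = ["update"] }
    path "transit/decrypt/app-key" { capabilities = ["update"] }
    path "transit/rewrap/app-key"  { capabilities = ["update"] }
"""
import base64
import json
import os
import urllib.request
from typing import List, Optional

MOUNT = "transit"  # assumption: default mount path


def b64(data: bytes) -> str:
    """Transit accepts plaintext and context only as base64, never raw bytes."""
    return base64.b64encode(data).decode("ascii")


def ciphertext_version(ciphertext: str) -> int:
    """Key version recorded in the 'vault:v<N>:<base64>' prefix; this is how
    Vault knows which archived key version to decrypt with after a rotation."""
    prefix, version, _ = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a transit ciphertext")
    return int(version[1:])


def encrypt_body(plaintext: bytes, context: Optional[bytes] = None) -> dict:
    """Body for POST /v1/transit/encrypt/<key>."""
    body = {"plaintext": b64(plaintext)}
    if context is not None:  # mandatory for derived/convergent keys
        body["context"] = b64(context)
    return body


def batch_encrypt_body(items: List[bytes]) -> dict:
    """Same path, one round trip for many plaintexts (batch_input)."""
    return {"batch_input": [{"plaintext": b64(p)} for p in items]}


def _call(path: str, body: Optional[dict] = None) -> dict:
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body or {}).encode(),
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # 403 here == policy problem
        raw = resp.read()
    return json.loads(raw).get("data", {}) if raw else {}


def encrypt(key: str, plaintext: bytes, context: Optional[bytes] = None) -> str:
    return _call(f"{MOUNT}/encrypt/{key}", encrypt_body(plaintext, context))["ciphertext"]


def encrypt_batch(key: str, items: List[bytes]) -> List[str]:
    data = _call(f"{MOUNT}/encrypt/{key}", batch_encrypt_body(items))
    return [r["ciphertext"] for r in data["batch_results"]]


def decrypt(key: str, ciphertext: str, context: Optional[bytes] = None) -> bytes:
    body = {"ciphertext": ciphertext}
    if context is not None:
        body["context"] = b64(context)
    return base64.b64decode(_call(f"{MOUNT}/decrypt/{key}", body)["plaintext"])


def rewrap(key: str, ciphertext: str) -> str:
    """Re-encrypt under the latest key version; plaintext never reaches the caller."""
    return _call(f"{MOUNT}/rewrap/{key}", {"ciphertext": ciphertext})["ciphertext"]


def datakey(key: str):
    """Envelope encryption for large or offline data: Vault returns a fresh
    data key both in plaintext and wrapped under <key>.  Encrypt the bulk
    data locally, store only the wrapped copy next to it, and recover the
    plaintext data key later through transit/decrypt."""
    data = _call(f"{MOUNT}/datakey/plaintext/{key}")
    return base64.b64decode(data["plaintext"]), data["ciphertext"]


def rotate(key: str) -> None:
    _call(f"{MOUNT}/keys/{key}/rotate")


def configure(key: str, **settings) -> None:
    """e.g. configure("app-key", min_decryption_version=2, auto_rotate_period="720h")"""
    _call(f"{MOUNT}/keys/{key}/config", settings)


if __name__ == "__main__":
    ct = encrypt("app-key", b"hello")
    print(ct, ciphertext_version(ct), decrypt("app-key", ct))
```

Two points worth noticing in use: `batch_results` entries may carry an `error` field instead of `ciphertext` when one item in the batch fails, so production code should check per item; and `datakey` is the answer to the "several GB file" and "restricted network" scenarios, because only the small wrapped key ever goes through Vault.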
The Explain encryption as a service domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.
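The rotation questions in this domain (old ciphertext still decrypting after rotation, `min_decryption_version`, rewrap, convergent encryption, 'invalid ciphertext' from a foreign instance) all rest on the same key-version bookkeeping. Below is an added example, not Vault's code and not from the question bank, that models that bookkeeping locally so it can be run without a server. The cipher is a stand-in built from the standard library (an HMAC-SHA256 counter-mode keystream with a 16-byte HMAC tag) rather than Vault's AES-GCM; the `vault:v<N>:` prefix, rotation keeping earlier versions, `min_decryption_version` as the one setting that rejects old ciphertext, rewrap, and the convergent-mode nonce derived from context plus plaintext follow the transit engine's documented behaviour. The class and function names and the sample PAN are mine.

```python
"""Local model of transit key versioning: rotation, min_decryption_version,
rewrap and convergent encryption.  Added example for this page, not Vault's
code.  The cipher is a stand-in (HMAC-SHA256 counter-mode keystream plus a
16-byte HMAC tag, standard library only); the version bookkeeping and the
'vault:v<N>:<base64>' ciphertext format mirror the transit engine.
"""
import base64
import hashlib
import hmac
import secrets


class TransitKey:
    def __init__(self, name: str, convergent: bool = False):
        self.name = name
        self.convergent = convergent  # Vault: derived=true, convergent_encryption=true
        self.versions = {1: secrets.token_bytes(32)}  # version -> key material
        self.latest = 1
        self.min_decryption_version = 1  # oldest version still usable for decrypt

    def rotate(self) -> int:
        """New version for new ciphertext; every earlier version is kept."""
        self.latest += 1
        self.versions[self.latest] = secrets.token_bytes(32)
        return self.latest

    def set_min_decryption_version(self, v: int) -> None:
        """The only setting that makes old ciphertext undecryptable.  Vault keeps
        the archived versions, so lowering it again restores access."""
        if not 1 <= v <= self.latest:
            raise ValueError("version out of range")
        self.min_decryption_version = v

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, key, nonce, plaintext, context):
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct + context, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def _open(self, key, blob, context):
        nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
        expect = hmac.new(key, nonce + ct + context, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):  # wrong key, wrong context or tampering
            raise ValueError("invalid ciphertext")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))

    def encrypt(self, plaintext: bytes, context: bytes = b"") -> str:
        key = self.versions[self.latest]  # new ciphertext always uses the latest version
        if self.convergent:
            if not context:
                raise ValueError("convergent encryption requires a context")
            # Nonce derived from context + plaintext: same input gives the same
            # ciphertext, which is what makes it usable for equality lookups.
            nonce = hmac.new(key, context + plaintext, hashlib.sha256).digest()[:16]
        else:
            nonce = secrets.token_bytes(16)  # fresh nonce: repeated plaintext differs
        blob = self._seal(key, nonce, plaintext, context)
        return f"vault:v{self.latest}:" + base64.b64encode(blob).decode("ascii")

    def decrypt(self, ciphertext: str, context: bytes = b"") -> bytes:
        prefix, ver, b64 = ciphertext.split(":", 2)
        if prefix != "vault" or not ver.startswith("v"):
            raise ValueError("invalid ciphertext")
        version = int(ver[1:])
        if version not in self.versions or version < self.min_decryption_version:
            raise ValueError(f"key version {version} not available for decryption")
        return self._open(self.versions[version], base64.b64decode(b64), context)

    def rewrap(self, ciphertext: str, context: bytes = b"") -> str:
        """Re-encrypt under the latest version without returning plaintext to the caller."""
        return self.encrypt(self.decrypt(ciphertext, context), context)


def rotation_walkthrough() -> dict:
    """Rotate, rewrap, then trim: shows which ciphertexts survive each step."""
    k = TransitKey("payment-key")
    pan = b"4111111111111111"  # constructed sample input
    v1 = k.encrypt(pan)
    k.rotate()  # v2 is now latest; v1 ciphertext still decrypts
    v2 = k.rewrap(v1)  # same plaintext, now vault:v2:
    k.set_min_decryption_version(2)  # from here on, v1 ciphertext is rejected
    result = {"old_after_trim": None, "rewrapped_after_trim": k.decrypt(v2) == pan}
    try:
        k.decrypt(v1)
    except ValueError as e:
        result["old_after_trim"] = str(e)
    return result
```

Calling `rotation_walkthrough()` reproduces the failure pattern behind the "can no longer decrypt after rotation" questions: rotation alone never breaks old ciphertext; raising `min_decryption_version` (or deleting the key) does, and ciphertext that was rewrapped beforehand keeps working. A second `TransitKey` with the same name but different material raises 'invalid ciphertext', which is the foreign-instance case.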
The Courseiva VA-003 question bank contains 54 questions in the Explain encryption as a service domain, each with a full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.