Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


VA-003 Explain encryption as a service • Complete Question Bank

VA-003 Explain encryption as a service — All Questions With Answers

Complete VA-003 Explain encryption as a service question bank — all 0 questions with answers and detailed explanations.

54 questions, free, no signup

Question 1 (medium, multiple choice)

A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?

Question 2 (hard, multiple choice)

A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?

Question 3 (easy, multiple choice)

A developer wants to encrypt data using Vault's transit engine with a key named 'payment-key'. The key already exists and is set to allow encryption. Which API path should the developer use to encrypt the data?

Question 4 (easy, multiple choice)

An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?

Question 5 (medium, multi select)

Which TWO capabilities are required in a Vault policy to allow a client to encrypt data using a key named 'app-key' in the transit engine? (Assume the key already exists.)

Question 6 (hard, multi select)

Which THREE statements are true about Vault's encryption as a service using the transit engine?

Question 7 (hard, multiple choice)

A multinational corporation uses Vault Enterprise with the transit engine to encrypt sensitive financial data across multiple cloud regions. Each region has its own Vault cluster, and they use performance replication to synchronize transit keys. Recently, the team in the Asia-Pacific region reports that encryption operations are slower than in other regions. They also notice that some decryption requests for data encrypted with a key that was rotated in the primary region are failing with 'key version not found' errors. The transit key is named 'fin-key' and has been rotated three times. The Asia-Pacific cluster is up-to-date with replication according to the replication status dashboard. Which action should the operations team take to resolve the decryption failures?

Question 8 (easy, multiple choice)

A DevOps team needs to encrypt sensitive configuration data before storing it in a version control system. They want to use Vault's encryption as a service to encrypt the data using a named encryption key. Which Vault path should they use to perform the encryption?

Question 9 (medium, multi select)

Which TWO statements correctly describe Vault's encryption as a service using the Transit secrets engine?

Question 10 (hard, multiple choice)

After rotating the 'payment-key', Vault successfully decrypts data encrypted with the old key (v1). What is the most likely reason the decryption succeeded?

Exhibit

Refer to the exhibit.

```
$ vault write -f transit/keys/payment-key
Success! Data written to: transit/keys/payment-key

$ vault write transit/encrypt/payment-key plaintext=$(base64 <<< "4111111111111111")
Key        Value
---        -----
ciphertext vault:v1:abc123...

$ vault write -f transit/keys/payment-key/rotate
Success! Data written to: transit/keys/payment-key/rotate

$ vault write transit/encrypt/payment-key plaintext=$(base64 <<< "4111111111111111")
Key        Value
---        -----
ciphertext vault:v2:def456...

$ vault write transit/decrypt/payment-key ciphertext=vault:v1:abc123...
Key          Value
---          -----
plaintext    NDExMTExMTExMTExMTExMQ==
```

Question 11 (medium, multi select)

A DevOps team needs to implement encryption as a service for application data stored in a PostgreSQL database. They want to use Vault's transit secrets engine to encrypt sensitive fields before storage. Which TWO actions should the team take to ensure the encryption keys are rotated automatically and securely?

Question 12 (easy, multiple choice)

A financial technology company uses Vault Enterprise to manage encryption keys for its payment processing system. The system uses the transit secrets engine to encrypt credit card numbers before storing them in a legacy database. The security team mandates that all encryption keys must be automatically rotated every 30 days. The operations team configures the key 'payment-cards' with 'auto_rotate_period' set to 30 days. After the first rotation, the payment processing application starts failing with 'permission denied' errors when trying to decrypt previously encrypted data. The application uses a token with a policy that grants 'create' and 'update' capabilities on 'transit/decrypt/payment-cards'. The application does not use the 'rewrap' endpoint. The Vault audit logs show that the decryption requests are being made to the correct path. What is the most likely cause of the failure?

Question 13 (medium, drag order)

Drag and drop the steps to configure Vault's AWS secrets engine to generate IAM credentials into the correct order.

Question 14 (medium, matching)

Match each Vault response wrapping feature to its description.


Lifetime of the wrapping token

Single-use token to unwrap response

Token-scoped storage for wrapped data

Retrieve the original response

Question 15 (medium, multiple choice)

A developer wants to encrypt a password before storing it in a database. The encryption must be deterministic so that the same plaintext always produces the same ciphertext. Which encryption mode should be used in the transit secrets engine?

Question 16 (easy, multiple choice)

A DevOps team needs to encrypt large files (several GB) using Vault's transit engine. What is the recommended approach?

Question 17 (hard, multiple choice)

A team has set up automatic key rotation on a transit key. After rotation, encrypted data that was encrypted with the previous key version can no longer be decrypted. What is the most likely cause?

Question 18 (medium, multiple choice)

An application needs to encrypt credit card numbers. The encryption must be deterministic for indexing purposes but also support key rotation. Which approach should be used?

Question 19 (easy, multiple choice)

What is the primary purpose of the Vault transit secrets engine?

Question 20 (hard, multiple choice)

A security policy requires that encryption keys used in transit must never leave Vault's memory. However, development teams need to perform encryption offline in CI/CD pipelines. How can this be accomplished?

Question 21 (medium, multiple choice)

A user receives an error 'invalid ciphertext' when trying to decrypt data. The ciphertext was created by another Vault instance. What is the most likely issue?

Question 22 (easy, multiple choice)

Which Vault API path is used to encrypt data with the transit engine?

Question 23 (hard, multiple choice)

An organization wants to ensure that even Vault administrators cannot see the plaintext of data encrypted with the transit engine, but they want to use Vault for key management. What feature should be enabled?

Question 24 (medium, multi select)

A company uses Vault transit to encrypt secrets. They want to periodically rotate the encryption key to meet compliance requirements. Which TWO actions should be taken? (Choose two.)

Question 25 (hard, multi select)

An application uses transit encryption with convergent encryption enabled. Which THREE statements are true about convergent encryption? (Choose three.)

Question 26 (medium, multi select)

Which THREE are valid operations in the Vault transit secrets engine? (Choose three.)

Question 27 (medium, multiple choice)

Refer to the exhibit. What is the purpose of the -field=ciphertext flag in this command?

Exhibit

```
$ vault write -address=https://vault.example.com -field=ciphertext transit/encrypt/my-key plaintext=$(base64 <<< "secret data")
```

Question 28 (hard, multiple choice)

Refer to the exhibit. Based on this policy, which actions can the associated token perform? (Assume all paths exist.)

Exhibit

```
path "transit/keys/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "transit/encrypt/*" {
  capabilities = ["update"]
}
path "transit/decrypt/*" {
  capabilities = ["update"]
}
```

Question 29 (easy, multiple choice)

Refer to the exhibit. What does min_decryption_version = 1 indicate?

Exhibit

```
$ vault read transit/keys/my-key
Key                       Value
---                       -----
allow_plaintext_backup    false
deletion_allowed          false
derived                   false
exportable                false
keys                      map[1:...]
latest_version            2
min_available_version     0
min_decryption_version    1
min_encryption_version    0
name                      my-key
supports_encryption       true
supports_decryption       true
supports_derivation       true
supports_key_rotation     true
type                      aes256-gcm96
```

Question 30 (easy, multiple choice)

An application needs to encrypt sensitive data before storing it in a database. The security team wants to use Vault's encryption as a service to avoid managing encryption keys. Which Vault secrets engine should they enable?

Question 31 (medium, multiple choice)

A DevOps engineer is configuring Vault to encrypt data in transit for a microservice. They create a key in the transit engine and want to encrypt a base64-encoded plaintext. Which API path and operation should they use?

Question 32 (hard, multiple choice)

An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?

Question 33 (medium, multiple choice)

An organization wants to encrypt sensitive fields in their database using Vault. They have multiple applications that need to encrypt different types of data. What approach should they take?

Question 34 (easy, multiple choice)

A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?

Question 35 (hard, multiple choice)

A security engineer needs to ensure that if a key is compromised, previous ciphertext can be re-encrypted with a new key version without exposing the plaintext. Which Vault operation should they use?

Question 36 (medium, multiple choice)

A compliance requirement states that encryption keys must be automatically rotated every 90 days. Which Vault feature can be used to enforce this?

Question 37 (hard, multiple choice)

An application encrypts data using the transit engine and stores the ciphertext in a database. After a key rotation, the application can no longer decrypt the data. What is the most likely cause?

Question 38 (easy, multiple choice)

A developer wants to encrypt a string "hello" using Vault's transit engine. What must they send in the API request?

Question 39 (easy, multi select)

Which TWO of the following are valid uses of the Vault transit secrets engine?

Question 40 (medium, multi select)

Which THREE of the following best practices should be followed when using Vault's encryption as a service with the transit engine?

Question 41 (hard, multi select)

Which TWO of the following are benefits of using Vault's transit engine for encryption as a service?

Question 42 (medium, multiple choice)

Refer to the exhibit. A DevOps engineer runs `vault read -format=json transit/keys/mykey` and receives the output shown. A microservice attempts to decrypt data that was encrypted with version 1 of the key. Will the decryption succeed?

Exhibit

```
{
  "request_id": "1",
  "data": {
    "allow_plaintext_backup": false,
    "deletion_allowed": false,
    "derived": false,
    "exportable": false,
    "keys": {
      "1": {
        "creation_time": "2023-01-01T00:00:00Z",
        "name": "mykey"
      },
      "2": {
        "creation_time": "2023-06-01T00:00:00Z",
        "name": "mykey"
      }
    },
    "latest_version": 2,
    "min_encryption_version": 0,
    "min_decryption_version": 1,
    "name": "mykey"
  }
}
```

Question 43 (hard, multiple choice)

Refer to the exhibit. An application token has the above policy. Which operation will fail?

Exhibit

```
path "transit/keys/mykey" {
  capabilities = ["create", "update", "delete"]
}
path "transit/keys/mykey/rotate" {
  capabilities = ["update"]
}
path "transit/encrypt/mykey" {
  capabilities = ["create", "update"]
}
path "transit/decrypt/mykey" {
  capabilities = ["create", "update"]
}
```

Question 44 (easy, multiple choice)

Refer to the exhibit. A developer receives this error when attempting to decrypt data. What is the most likely cause?

Exhibit

```
Error making API request.

URL: POST http://vault.example.com/v1/transit/decrypt/mykey
Code: 400. Errors:

* invalid ciphertext: invalid base64 string
```

Question 45 (medium, multiple choice)

A development team is building a microservices application that needs to encrypt sensitive customer data before storing it in a shared database. They want to minimize changes to their existing code and avoid managing encryption keys themselves. Which Vault feature should they use?

Question 46 (hard, multiple choice)

A security auditor requires that all encryption keys used to protect customer data must be periodically rotated according to company policy. The company uses Vault's Transit secrets engine. What is the recommended approach to rotate the encryption key?

Question 47 (easy, multi select)

Which TWO are benefits of using Vault's encryption as a service?

Question 48 (medium, multi select)

Which THREE are appropriate use cases for Vault's Transit secrets engine?

Question 49 (medium, multiple choice)

A healthcare company uses Vault Transit to encrypt patient records before storing them in a database. Each request to encrypt a small field (e.g., SSN) takes about 200ms due to network latency and cryptographic overhead. The application needs to encrypt millions of records daily, causing performance bottlenecks. The team wants to reduce latency per encryption operation. After reviewing the Vault documentation, they consider the following options:

A. Use the batch encryption endpoint to encrypt multiple plaintexts in a single API call.
B. Deploy a local caching proxy on each application server to intercept encryption calls.
C. Enable Vault's built-in encryption result caching.
D. Use a dedicated, high-performance Vault cluster with more resources.

Which option most directly reduces per-operation latency?

Question 50 (hard, multiple choice)

A fintech company uses Vault Transit to encrypt credit card numbers (PANs) for PCI-DSS compliance. The security team enforces key rotation every 30 days, and Vault keeps previous key versions to allow decryption of old data. One day, a developer accidentally runs a command that deletes the latest key version before the rotation is complete. The company has Vault configured with key version soft-delete enabled. The incident response team needs to recover the ability to decrypt ciphertexts that were encrypted with the deleted key version. Which action should they take first?

Question 51 (medium, multiple choice)

A company is using Vault Transit to encrypt files before uploading them to an S3 bucket. They notice that for a given plaintext file, the ciphertext output is always identical, even when encrypting at different times. They are using the `encrypt` endpoint with the default AES-GCM algorithm. The team is concerned about security because the repeated ciphertext leaks information (e.g., file equality). What is the most likely cause of this behavior?

Question 52 (easy, multiple choice)

A data analytics company needs to encrypt streaming data (e.g., clickstream events) before sending to a cloud data lake. Each event is about 1KB. They use Vault Transit to encrypt each event individually. The encryption rate is too slow for the volume (100,000 events/second). The team considers options to improve performance. Which approach is most effective for reducing the number of API calls to Vault while maintaining security?

Question 53 (easy, multi select)

A company wants to encrypt sensitive data at rest in its application using HashiCorp Vault. They need to ensure that each application instance uses a unique encryption key without storing keys locally. Which TWO actions should the security team take to meet these requirements?

Question 54 (medium, multiple choice)

A financial services company uses HashiCorp Vault's transit engine to encrypt customer credit card numbers. The application sends each credit card number individually to Vault for encryption, and the response time is acceptable. However, during peak hours, the company needs to encrypt large batches of 10,000 credit card numbers. Users report that encrypting the entire batch takes several minutes, causing timeouts. The Vault cluster is healthy and not under high load. The security team wants to reduce the encryption time without changing the encryption algorithm or key strength. What should they do?
