A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?
Correct: output is always base64.
Why this answer
Option A is correct because the Vault Transit Secrets Engine always returns ciphertext as a base64-encoded string, regardless of whether the input plaintext was base64-encoded or raw. The API specification requires the client to decode the base64 ciphertext after receiving it if the original plaintext was raw bytes. There is no parameter to disable base64 encoding of the ciphertext output.
Exam trap
HashiCorp often tests the misconception that you can set a `base64=false` parameter to get raw ciphertext, but the Vault API strictly enforces base64 encoding on both input and output for the transit engine.
How to eliminate wrong answers
Option B is wrong because the `/transit/encrypt` endpoint does not support a `base64=false` parameter; the ciphertext is always base64-encoded by design.
Option C is wrong because the `plaintext` parameter must be base64-encoded; passing raw bytes will cause an error or unexpected behavior.
Option D is wrong because the `ciphertext` parameter is used for decryption, not encryption.
Option E is wrong because the `plaintext` parameter always expects base64-encoded input, not raw bytes.