CCNA Explain encryption as a service Questions

54 questions · Explain encryption as a service · All types, answers revealed

1
MCQhard

A security auditor requires that all encryption keys used to protect customer data must be periodically rotated according to company policy. The company uses Vault's Transit secrets engine. What is the recommended approach to rotate the encryption key?

A.Use Vault's key rotation endpoint to rewrap the key
B.Use the `vault write -f transit/keys/my-key/rotate` command to rotate the key
C.Delete the existing key and create a new one with the same name
D.Generate a new key with a different name and update the application configuration
AnswerB

This creates a new key version; old ciphertexts remain decryptable with the previous version.

Why this answer

Option B is correct because the Vault Transit secrets engine provides a dedicated `rotate` endpoint that creates a new encryption key version while keeping the previous version available for decryption of existing ciphertext. This allows the key to be rotated without re-encrypting all data, and the new key version is automatically used for future encryption operations. The `-f` flag forces the rotation without requiring interactive confirmation.

Exam trap

HashiCorp often tests the misconception that 'rewrapping' is the same as 'rotating,' but rewrapping only re-encrypts data under a new key version without creating a new key version, whereas rotation creates a new key version and is the correct first step in a key lifecycle management process.

How to eliminate wrong answers

Option A is wrong because Vault's 'rewrap' endpoint re-encrypts ciphertext under a new key version but does not rotate the key itself; rotation is a separate operation that creates a new key version. Option C is wrong because deleting the existing key would render all previously encrypted data permanently undecryptable, violating data integrity and availability requirements. Option D is wrong because generating a new key with a different name and updating application configuration is an operational workaround that adds complexity and does not leverage Vault's built-in key versioning, which is the recommended approach for seamless rotation.

2
MCQmedium

A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?

A.Set up Vault replication from a central Vault to a local Vault instance.
B.Deploy Vault Agent in sidecar mode with a configured encrypt stanza to handle encryption locally.
C.Use Vault's HTTP API from the application to encrypt data directly.
D.Enable the transit secrets engine and call Vault's encrypt endpoint.
AnswerB

Vault Agent can process encryption locally via a Unix socket.

Why this answer

Option B is correct because Vault Agent in sidecar mode runs alongside the application on the same host, handling encryption locally without requiring outbound HTTP requests. The encrypt stanza in the agent configuration allows it to proxy encryption operations to Vault's transit secrets engine, while the application communicates with the agent over a local loopback interface, bypassing network restrictions.

Exam trap

HashiCorp often tests the misconception that enabling the transit secrets engine alone solves the network restriction, but the key point is that the application still needs a way to call Vault's API—Vault Agent sidecar provides that local proxy without requiring outbound HTTP.

How to eliminate wrong answers

Option A is wrong because Vault replication replicates data between Vault clusters (e.g., for disaster recovery or performance), but it does not enable local encryption operations without outbound HTTP calls; the application would still need to make requests to the local Vault instance, which may still require network connectivity. Option C is wrong because using Vault's HTTP API directly from the application requires outbound HTTP requests to Vault, which is explicitly prohibited by the restricted network. Option D is wrong because enabling the transit secrets engine and calling Vault's encrypt endpoint also requires the application to make outbound HTTP requests to Vault, violating the network restriction.

3
MCQhard

An application encrypts data using the transit engine and stores the ciphertext in a database. After a key rotation, the application can no longer decrypt the data. What is the most likely cause?

A.The ciphertext was generated with a different key
B.The token used for decryption has been revoked
C.The key was rotated and the old version was automatically deleted
D.The `min_decryption_version` was set to a value higher than the old key version
E.The transit engine was disabled
AnswerD

This prevents decryption with older versions, a common misconfiguration.

Why this answer

Option D is correct because the `min_decryption_version` parameter in Vault's transit engine specifies the minimum key version that can be used for decryption. After a key rotation, if this value is set higher than the old key version, the engine will refuse to decrypt data encrypted with that older version, even if the old key data is still present in the key ring. This is a common misconfiguration that leads to decryption failures post-rotation.

Exam trap

HashiCorp often tests the misconception that key rotation automatically deletes old keys, leading candidates to choose Option C, but the real issue is the `min_decryption_version` parameter that explicitly blocks decryption with older key versions.

How to eliminate wrong answers

Option A is wrong because the ciphertext is always generated with the current key version at the time of encryption; after rotation, the key used for encryption is still valid for decryption unless explicitly restricted. Option B is wrong because the transit engine does not use tokens for decryption; tokens are used for authentication and authorization, not for the cryptographic operation itself. Option C is wrong because Vault's transit engine does not automatically delete old key versions upon rotation; they are retained by default to allow decryption of existing ciphertexts.

Option E is wrong because disabling the transit engine would prevent all cryptographic operations, not just decryption of old data, and the question states the application can no longer decrypt, not that the engine is unavailable.

4
Multi-Selectmedium

A DevOps team needs to implement encryption as a service for application data stored in a PostgreSQL database. They want to use Vault's transit secrets engine to encrypt sensitive fields before storage. Which TWO actions should the team take to ensure the encryption keys are rotated automatically and securely?

Select 2 answers
A.Set 'min_decryption_version' to the latest key version to force re-encryption of old data.
B.Use a key derivation function with a unique context per application context to ensure each encryption produces distinct ciphertext.
C.Disable key rotation and rely on manual key updates using the transit key/rotate endpoint.
D.Restrict access to the decryption capability to prevent adversaries from learning the key material.
E.Configure a key rotation period using the 'auto_rotate_period' parameter when creating or tuning the encryption key.
AnswersB, E

Key derivation per context ensures that even if a ciphertext is exposed, it cannot be used across different contexts.

Why this answer

Option B is correct because using a key derivation function (KDF) with a unique context per application ensures that each encryption operation produces distinct ciphertext even if the same plaintext and key are used. This prevents ciphertext correlation attacks and is a recommended practice when encrypting many records with the same key. Option E is correct because Vault's transit secrets engine supports the 'auto_rotate_period' parameter, which allows you to set a time-based automatic rotation schedule for the encryption key, ensuring keys are rotated without manual intervention.

Exam trap

HashiCorp often tests the distinction between key rotation (creating new key versions) and re-encryption of data (rewrapping ciphertext), and the trap here is that candidates confuse setting 'min_decryption_version' with automatically re-encrypting old data, when in fact it only controls which key versions are allowed for decryption.

5
MCQeasy

An application needs to encrypt sensitive data before storing it in a database. The security team wants to use Vault's encryption as a service to avoid managing encryption keys. Which Vault secrets engine should they enable?

A.AWS
B.KV v2
C.Consul
D.Transit
E.PKI
AnswerD

The Transit engine is designed for encryption/decryption, signing, and HMAC operations without exposing keys.

Why this answer

The Transit secrets engine is designed specifically for encryption as a service, allowing applications to encrypt and decrypt data without ever having direct access to the encryption keys. The keys are stored and managed entirely within Vault, which meets the security team's requirement to avoid managing encryption keys themselves.

Exam trap

HashiCorp often tests the distinction between a secrets engine that stores secrets (KV v2) and one that processes cryptographic operations (Transit), leading candidates to mistakenly choose KV v2 because they think 'storing encrypted data' is the same as 'encrypting data'.

How to eliminate wrong answers

Option A is wrong because the AWS secrets engine is used to generate dynamic AWS credentials (access keys), not to perform encryption operations. Option B is wrong because KV v2 is a key-value store for static secrets, not an encryption engine; it stores data as-is without providing encrypt/decrypt API endpoints. Option C is wrong because the Consul secrets engine generates Consul API tokens for service mesh access, not encryption services.

Option E is wrong because the PKI secrets engine generates X.509 certificates for TLS/SSL, not for encrypting arbitrary data.

6
MCQhard

Refer to the exhibit. Based on this policy, which actions can the associated token perform? (Assume all paths exist.)

A.Only encrypt and decrypt data.
B.Create and read keys, encrypt and decrypt data.
C.Only manage keys, not encrypt/decrypt.
D.Create keys only.
E.Create, read, update, delete keys; encrypt and decrypt data.
AnswerE

All listed capabilities are granted.

Why this answer

The exhibit shows a policy that grants the 'manage' capability on a key, which in Vault (the implied technology) includes create, read, update, and delete operations. Additionally, the policy includes 'encrypt' and 'decrypt' capabilities, allowing the token to perform both key management and cryptographic operations. Therefore, the token can create, read, update, delete keys, and encrypt/decrypt data.

Exam trap

HashiCorp often tests the distinction between 'manage' (which implies full CRUD on keys) and individual capabilities like 'create' or 'read', leading candidates to underestimate the scope of the 'manage' capability.

How to eliminate wrong answers

Option A is wrong because it only mentions encrypt and decrypt, ignoring the key management capabilities explicitly granted by the policy. Option B is wrong because it includes 'create and read keys' but omits 'update' and 'delete', which are part of the 'manage' capability. Option C is wrong because it states 'only manage keys, not encrypt/decrypt', but the policy also grants encrypt and decrypt capabilities.

Option D is wrong because it limits the token to 'create keys only', while the policy grants a broader set of key management actions and cryptographic operations.

7
Multi-Selecthard

An application uses transit encryption with convergent encryption enabled. Which THREE statements are true about convergent encryption? (Choose three.)

Select 3 answers
A.It requires a separate key for each context.
B.It produces the same ciphertext for the same plaintext and context.
C.It is typically slower than non-convergent encryption.
D.It can be used for deduplication of encrypted data.
E.It uses a nonce that is derived from the plaintext.
AnswersB, D, E

Deterministic output is a key feature of convergent encryption.

Why this answer

Convergent encryption derives the encryption key from the plaintext content itself, typically by hashing the plaintext. Because the same plaintext always produces the same key, and the encryption algorithm is deterministic (no random nonce), the resulting ciphertext is identical for identical plaintexts. This property directly enables deduplication of encrypted data, as identical ciphertexts can be identified and stored only once.

Exam trap

HashiCorp often tests the misconception that convergent encryption requires a separate key for each context (Option A), when in fact the key is derived from the plaintext and is the same for identical data regardless of context.

8
MCQhard

A fintech company uses Vault Transit to encrypt credit card numbers (PANs) for PCI-DSS compliance. The security team enforces key rotation every 30 days, and Vault keeps previous key versions to allow decryption of old data. One day, a developer accidentally runs a command that deletes the latest key version before the rotation is complete. The company has Vault configured with key version soft-delete enabled. The incident response team needs to recover the ability to decrypt ciphertexts that were encrypted with the deleted key version. Which action should they take first?

A.Use the `vault write transit/keys/credit-cards/undelete` API to recover the soft-deleted key version
B.Restore the entire Vault cluster from the latest backup snapshot
C.Use the `rewrap` endpoint to re-encrypt all ciphertexts with the current key version
D.Restore the deleted key version from a secondary Vault cluster using replication
AnswerA

Soft-delete allows undeletion of key versions quickly and without data loss.

Why this answer

Option A is correct because Vault's Transit secrets engine supports soft-delete for key versions, which allows recovery of a deleted key version using the `undelete` API before the deletion grace period expires. Since the company has soft-delete enabled, the key version is not permanently purged and can be restored without data loss, enabling decryption of ciphertexts encrypted with that version.

Exam trap

HashiCorp often tests the distinction between soft-delete and permanent deletion, and the trap here is that candidates may assume a deleted key version is irrecoverable and jump to a disruptive recovery method like restoring from backup, ignoring the soft-delete feature specifically designed for this scenario.

How to eliminate wrong answers

Option B is wrong because restoring the entire Vault cluster from a backup snapshot is an extreme measure that risks data loss from other changes and is unnecessary when soft-delete can recover the specific key version. Option C is wrong because the `rewrap` endpoint re-encrypts ciphertexts using the current key version, but it requires the original key to be available for decryption first, which is not possible if the key version is deleted and not yet recovered. Option D is wrong because restoring from a secondary cluster using replication would require the key version to exist in the secondary cluster's data, which is not guaranteed if the deletion propagated via replication, and it is not the first action to take when soft-delete is available.

9
Multi-Selectmedium

Which TWO statements correctly describe Vault's encryption as a service using the Transit secrets engine?

Select 2 answers
A.Ciphertext is stored within Vault for later retrieval.
B.Data is encrypted and decrypted on the server side without the client having direct access to the encryption key.
C.Encryption always produces a unique ciphertext even with the same plaintext and key.
D.Key rotation is not supported; the key version is fixed.
E.The encryption key can be derived per context using key derivation, ensuring unique ciphertext per context.
AnswersB, E

Transit encrypts data server-side using a managed key, never exposing the key to clients.

Why this answer

Option B is correct because the Transit secrets engine in Vault performs encryption and decryption on the server side, meaning the client sends plaintext to Vault and receives ciphertext back without ever having direct access to the underlying encryption key. This is the core of encryption as a service: the key remains securely stored within Vault's barrier, and the client only interacts with the key via API calls, never seeing the key material itself.

Exam trap

HashiCorp often tests the misconception that encryption as a service always produces unique ciphertext by default, but the trap here is that Vault's Transit engine uses deterministic encryption unless key derivation or convergent encryption is explicitly configured, so candidates must remember that uniqueness is not guaranteed without additional settings.

10
Multi-Selecthard

Which TWO of the following are benefits of using Vault's transit engine for encryption as a service?

Select 2 answers
A.The encryption key is stored in the application's memory
B.Applications can encrypt/decrypt data without accessing the key material
C.Keys can be exported and used in external applications
D.Only the root token can manage keys
E.Key rotation is handled centrally without downtime
AnswersB, E

Vault holds the keys and performs operations on behalf of applications.

Why this answer

Vault's transit engine enables applications to encrypt and decrypt data without ever having access to the underlying key material. The encryption keys are stored securely within Vault, and applications only interact with the engine via API calls, ensuring that the keys remain protected and never exposed to client memory or logs.

Exam trap

HashiCorp often tests the misconception that 'encryption as a service' requires exporting keys to applications, but the transit engine's core benefit is that applications never touch the key material, ensuring centralized control and security.

11
MCQmedium

A company is using Vault Transit to encrypt files before uploading them to an S3 bucket. They notice that for a given plaintext file, the ciphertext output is always identical, even when encrypting at different times. They are using the `encrypt` endpoint with the default AES-GCM algorithm. The team is concerned about security because the repeated ciphertext leaks information (e.g., file equality). What is the most likely cause of this behavior?

A.They are using the wrong key
B.They are using a deterministic encryption scheme
C.They are using convergent encryption
D.They are not providing an encryption context
AnswerC

Convergent encryption derives the key from the plaintext, resulting in identical ciphertexts for identical plaintexts.

Why this answer

The correct answer is C because convergent encryption is a deterministic scheme where the encryption key is derived from the hash of the plaintext. When using Vault Transit with the default AES-GCM algorithm, the ciphertext will be identical for the same plaintext if the same key and nonce are used. This behavior matches the scenario described, as convergent encryption is designed to produce identical ciphertexts for identical plaintexts, which leaks file equality information.

Exam trap

HashiCorp often tests the distinction between deterministic encryption (which can be secure with proper nonce management) and convergent encryption (which is inherently deterministic for deduplication), and the trap here is that candidates confuse 'deterministic encryption' (a general property) with 'convergent encryption' (a specific implementation that uses plaintext-derived keys).

How to eliminate wrong answers

Option A is wrong because using the wrong key would result in decryption failure or different ciphertext, not identical ciphertext for the same plaintext. Option B is wrong because deterministic encryption (e.g., AES-SIV) can produce identical ciphertext for the same plaintext and key, but Vault Transit's default AES-GCM is non-deterministic (uses a random nonce), so this is not the cause unless a fixed nonce is explicitly set. Option D is wrong because encryption context is an optional authenticated additional data (AAD) in AWS KMS, not in Vault Transit; omitting it does not cause deterministic ciphertext output.

12
MCQeasy

A developer wants to encrypt data using Vault's transit engine with a key named 'payment-key'. The key already exists and is set to allow encryption. Which API path should the developer use to encrypt the data?

A.POST /v1/transit/decrypt/payment-key
B.POST /v1/transit/rewrap/payment-key
C.POST /v1/transit/keys/payment-key
D.POST /v1/transit/encrypt/payment-key
AnswerD

Correct path for encryption.

Why this answer

Option D is correct because the Vault transit engine exposes the `/v1/transit/encrypt/<key_name>` endpoint for encrypting plaintext data using a named encryption key. Since the key 'payment-key' already exists and is allowed to encrypt, a POST request to this path will perform the encryption operation and return the ciphertext.

Exam trap

HashiCorp often tests the distinction between key management endpoints (like `/keys/`) and cryptographic operation endpoints (like `/encrypt/`), trapping candidates who confuse managing the key with using the key to encrypt data.

How to eliminate wrong answers

Option A is wrong because `/v1/transit/decrypt/payment-key` is used for decryption, not encryption; it would attempt to reverse the encryption process. Option B is wrong because `/v1/transit/rewrap/payment-key` is used to re-encrypt existing ciphertext under a new version of the key, not to encrypt new plaintext. Option C is wrong because `/v1/transit/keys/payment-key` is used to manage the key itself (e.g., read configuration, rotate, or delete), not to perform cryptographic operations on data.

13
MCQeasy

A developer wants to encrypt a string "hello" using Vault's transit engine. What must they send in the API request?

A.The ciphertext of "hello"
B.Both the key name and the ciphertext
C.A reference to the key
D.The plaintext "hello" in raw bytes
E.The plaintext "hello" as a base64 encoded string
AnswerE

Correct, the API expects base64-encoded plaintext.

Why this answer

E is correct because Vault's transit engine requires plaintext to be base64-encoded before encryption. The API endpoint expects the plaintext as a base64-encoded string in the `plaintext` field of the request body. This ensures binary-safe transmission and consistent encoding across different systems.

Exam trap

HashiCorp often tests the requirement for base64 encoding of plaintext in transit engine operations, trapping candidates who assume raw bytes or ciphertext are acceptable inputs.

How to eliminate wrong answers

Option A is wrong because sending ciphertext would be for decryption, not encryption; the transit engine encrypts plaintext, not ciphertext. Option B is wrong because the key name is required, but ciphertext is not sent for encryption—only plaintext is provided. Option C is wrong because a reference to the key is insufficient; the actual plaintext data must be included in the request.

Option D is wrong because raw bytes are not accepted; Vault requires base64 encoding to avoid issues with binary data in JSON.

14
MCQeasy

A DevOps team needs to encrypt sensitive configuration data before storing it in a version control system. They want to use Vault's encryption as a service to encrypt the data using a named encryption key. Which Vault path should they use to perform the encryption?

A.POST /v1/transit/encrypt/my-key
B.POST /v1/transit/sign/my-key
C.POST /v1/transit/hmac/my-key
D.POST /v1/transit/random
E.POST /v1/transit/decrypt/my-key
AnswerA

The encryption endpoint is /encrypt under the transit engine path, providing encryption as a service.

Why this answer

The correct path for encrypting data using Vault's encryption-as-a-service is POST /v1/transit/encrypt/my-key. The Transit secrets engine provides encryption as a service, and the /encrypt endpoint is specifically designed to encrypt plaintext data using a named encryption key. The key name 'my-key' in the path identifies which key in the Transit engine should be used for the encryption operation.

Exam trap

HashiCorp often tests the distinction between encryption (/encrypt), signing (/sign), and HMAC (/hmac) endpoints, and candidates frequently confuse the purpose of /encrypt with /sign or /hmac because all three involve cryptographic operations on data.

How to eliminate wrong answers

Option B is wrong because POST /v1/transit/sign/my-key is used for cryptographic signing (creating digital signatures), not encryption. Option C is wrong because POST /v1/transit/hmac/my-key is used to generate an HMAC hash for data integrity verification, not encryption. Option D is wrong because POST /v1/transit/random generates random bytes from the Vault's entropy source, not encryption of user-provided data.

Option E is wrong because POST /v1/transit/decrypt/my-key is the decryption endpoint, which reverses the encryption operation but does not perform encryption itself.

15
MCQmedium

A development team is building a microservices application that needs to encrypt sensitive customer data before storing it in a shared database. They want to minimize changes to their existing code and avoid managing encryption keys themselves. Which Vault feature should they use?

A.Vault's Database secrets engine
B.Vault's PKI secrets engine
C.Vault's Transit secrets engine
D.Vault's Key Management Secrets Engine
AnswerC

Transit engine allows encryption as a service, offloading key management to Vault.

Why this answer

The Transit secrets engine is designed for encryption-as-a-service, allowing applications to encrypt data without exposing encryption keys to the application code. It performs encryption and decryption operations on the Vault server, so the development team can minimize code changes and avoid managing keys themselves.

Exam trap

The trap here is that candidates confuse the Key Management Secrets Engine (KMSE) with encryption-as-a-service, but KMSE only distributes keys to external KMS providers and does not perform server-side encryption operations, which is the core requirement for minimizing code changes.

How to eliminate wrong answers

Option A is wrong because the Database secrets engine is used to dynamically generate database credentials, not to encrypt data. Option B is wrong because the PKI secrets engine generates X.509 certificates for TLS/SSL, not for encrypting arbitrary data. Option D is wrong because the Key Management Secrets Engine (KMSE) distributes encryption keys to external services like AWS KMS or Azure Key Vault, but still requires the application to manage the encryption operations, whereas the Transit secrets engine handles the cryptographic operations server-side.

16
Drag & Dropmedium

Drag and drop the steps to configure Vault's AWS secrets engine to generate IAM credentials into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Enable, configure root, create role, generate creds, rotate root.

17
MCQhard

An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?

A.The key's `min_decryption_version` must be set to 1
B.The key must have the `allow_plaintext_backup` setting enabled
C.The key must have a `deletion_allowed` set to false
D.The key's `latest_version` must be greater than 0
E.The key must not have been archived
AnswerE

Archived key versions are removed from the decryption set and cannot be used.

Why this answer

In Vault's transit engine, key rotation creates new key versions while preserving older ones. The ability to decrypt data encrypted with an older key version depends on whether that version is still available in the key's version history. Archiving a key removes all versions from the active key ring, making decryption of data encrypted with any version of that key impossible.

Therefore, the key must not have been archived to allow decryption of data encrypted with an older key version, provided the key itself has not been deleted.

Exam trap

HashiCorp often tests the distinction between key deletion and key archiving, where candidates mistakenly assume that as long as a key is not deleted, older versions remain decryptable, overlooking that archiving also removes access to all versions.

How to eliminate wrong answers

Option A is wrong because `min_decryption_version` controls the minimum version allowed for decryption, not the ability to decrypt older versions; setting it to 1 would allow decryption of all versions, but it does not address the condition that the key must not be deleted. Option B is wrong because `allow_plaintext_backup` permits exporting the key in plaintext for backup purposes, but it has no effect on the ability to decrypt data with older key versions. Option C is wrong because `deletion_allowed` controls whether the key can be deleted entirely, but even if deletion is not allowed, the key could still be archived, which would prevent decryption of older versions.

Option D is wrong because `latest_version` being greater than 0 simply indicates that at least one version exists; it does not guarantee that older versions are available for decryption if the key has been archived.

18
Multi-Selecthard

Which THREE statements are true about Vault's encryption as a service using the transit engine?

Select 3 answers
A.Encryption keys cannot be rotated once created.
B.Data encrypted with a key can be decrypted with a later version of the same key if the key is rotated.
C.The transit engine supports convergent encryption.
D.Vault stores the plaintext data for audit purposes.
E.Clients can provide their own key material when creating a key.
AnswersB, C, E

Old versions are kept for decryption.

Why this answer

Option B is correct because Vault's transit engine supports key rotation while maintaining the ability to decrypt data encrypted with previous key versions. When a key is rotated, Vault creates a new version of the key, but the old version is retained for decryption purposes. This allows clients to decrypt ciphertext that was encrypted with an earlier key version, ensuring data remains accessible after rotation.

Exam trap

HashiCorp often tests the misconception that key rotation invalidates previous ciphertext, but Vault's transit engine retains old key versions specifically to allow decryption of data encrypted before rotation.

19
MCQhard

A multinational corporation uses Vault Enterprise with the transit engine to encrypt sensitive financial data across multiple cloud regions. Each region has its own Vault cluster, and they use performance replication to synchronize transit keys. Recently, the team in the Asia-Pacific region reports that encryption operations are slower than in other regions. They also notice that some decryption requests for data encrypted with a key that was rotated in the primary region are failing with 'key version not found' errors. The transit key is named 'fin-key' and has been rotated three times. The Asia-Pacific cluster is up-to-date with replication according to the replication status dashboard. Which action should the operations team take to resolve the decryption failures?

A.Verify that the policy in the Asia-Pacific cluster grants 'decrypt' capability on the key path for older key versions.
B.Increase the performance standby count in the Asia-Pacific cluster.
C.Manually copy the key material from the primary to the secondary cluster.
D.Re-encrypt all data encrypted with version 1 of 'fin-key' using the current version.
AnswerA

Policy might be missing decrypt on older versions.

Why this answer

The decryption failures are caused by missing key versions in the Asia-Pacific cluster's transit engine. Even though performance replication synchronizes transit keys, older key versions may not be replicated if the transit engine's key version caching or policy does not explicitly grant access to them. Verifying that the policy includes 'decrypt' capability on the key path for older key versions ensures that the cluster can serve decryption requests for data encrypted with rotated keys.

Exam trap

HashiCorp often tests the misconception that replication automatically grants all capabilities, but the trap here is that policy must explicitly allow access to older key versions, and candidates may incorrectly focus on replication health or manual key copying instead.

How to eliminate wrong answers

Option B is wrong because increasing the performance standby count improves read scalability and failover speed, but does not resolve missing key versions or policy restrictions. Option C is wrong because manually copying key material violates Vault's security model and replication design; performance replication automatically synchronizes transit keys, and manual intervention is neither supported nor necessary. Option D is wrong because re-encrypting all data with the current version is a costly workaround that does not address the root cause—the policy or replication issue preventing access to older key versions.

20
Multi-Selecteasy

Which TWO are benefits of using Vault's encryption as a service?

Select 2 answers
A.Enables encryption of data at rest in cloud storage
B.Allows applications to delegate encryption/decryption to Vault without handling keys
C.Provides automatic key rotation and versioning
D.Eliminates the need for any network connectivity to Vault
E.Supports only symmetric key algorithms
AnswersB, C

Core benefit of encryption as a service.

Why this answer

Option B is correct because Vault's encryption as a service allows applications to offload encryption and decryption operations to Vault via its API, without the application ever handling or storing encryption keys. This reduces the risk of key exposure and simplifies compliance with security policies.

Exam trap

HashiCorp often tests the misconception that encryption as a service is for encrypting cloud storage at rest, when in fact it is for application-level data encryption without key management exposure.

21
MCQeasy

A data analytics company needs to encrypt streaming data (e.g., clickstream events) before sending to a cloud data lake. Each event is about 1KB. They use Vault Transit to encrypt each event individually. The encryption rate is too slow for the volume (100,000 events/second). The team considers options to improve performance. Which approach is most effective for reducing the number of API calls to Vault while maintaining security?

A.Use a different secrets engine like Database or PKI.
B.Generate a local data encryption key (DEK) and encrypt it with Vault's Transit engine (KEK). Encrypt each event locally with the DEK, storing the encrypted DEK alongside the data.
C.Increase the number of Vault nodes and load balance requests.
D.Use Vault's batch encryption to send multiple events in one request.
AnswerB

Envelope encryption reduces Vault calls to one per DEK rotation, enabling high throughput with minimal API overhead.

Why this answer

Option B is correct because it implements an envelope encryption pattern: a local Data Encryption Key (DEK) encrypts each event locally, avoiding an API call per event, while the DEK itself is encrypted by Vault's Transit engine (Key Encryption Key, KEK). This reduces the number of Vault API calls from 100,000 per second to a single call per DEK rotation, drastically improving throughput without exposing the DEK in plaintext.

Exam trap

HashiCorp often tests the misconception that Vault's Transit engine can batch multiple data items in a single API call, but Transit only supports single-item encrypt/decrypt operations per request, making envelope encryption the only viable solution for high-throughput streaming data.

How to eliminate wrong answers

Option A is wrong because switching to Database or PKI secrets engines does not provide encryption-as-a-service; they generate credentials or certificates, not encrypt data, and would not reduce API calls for encryption. Option C is wrong because scaling Vault nodes and load balancing only distributes the same per-event API call load, not reducing the number of calls; the bottleneck is the per-event encryption request, not node capacity. Option D is wrong because Vault's Transit engine does not support batch encryption in a single API call; each event still requires a separate encrypt operation, so batching is not a feature of Transit and would not reduce API calls.

22
MCQeasy

Which Vault API path is used to encrypt data with the transit engine?

A./v1/transit/enc/
B./v1/transit/encrypt/
C./v1/transit/encrypt/{keyname}
D./v1/transit/encryption/
E./v1/transit/encryption/{keyname}
AnswerC

This is the standard endpoint for transit encryption.

Why this answer

Option C is correct because the Vault transit engine uses the exact path `/v1/transit/encrypt/{keyname}` to encrypt plaintext data. The `{keyname}` parameter specifies the named encryption key stored in the transit engine, and the API endpoint expects a POST request with the plaintext base64-encoded in the request body. This path aligns with Vault's RESTful design where the action (`encrypt`) is a sub-path under the transit mount, and the key name is a required path parameter.

Exam trap

HashiCorp often tests the exact API path syntax, and the trap here is that candidates confuse the action verb 'encrypt' with the noun 'encryption' or use abbreviations, leading them to pick options like D or E that sound correct but use the wrong word.

How to eliminate wrong answers

Option A is wrong because `/v1/transit/enc/` uses an incomplete and non-standard abbreviation ('enc' instead of 'encrypt'), which does not match Vault's documented API. Option B is wrong because `/v1/transit/encrypt/` omits the required key name parameter; Vault's transit encrypt endpoint requires the key name as part of the path, not as a query parameter or request body field. Option D is wrong because `/v1/transit/encryption/` uses the full word 'encryption' instead of the correct action verb 'encrypt', and also lacks the key name.

Option E is wrong because while it includes the key name, it uses 'encryption' instead of 'encrypt'; Vault's API is case-sensitive and uses the exact verb 'encrypt' for this operation.

23
MCQmedium

Refer to the exhibit. A DevOps engineer runs `vault read -format=json transit/keys/mykey` and receives the output shown. A microservice attempts to decrypt data that was encrypted with version 1 of the key. Will the decryption succeed?

A.Yes, because min_decryption_version does not affect decryption.
B.Yes, because min_decryption_version is 1, which allows decryption with version 1 and higher.
C.No, because min_decryption_version is 1, so only version 2 and higher can decrypt.
D.No, because the data was encrypted with version 1 and min_decryption_version is 1, so decryption is blocked.
AnswerB

Correct interpretation of min_decryption_version.

Why this answer

Option B is correct because the `min_decryption_version` parameter in Vault's transit secrets engine specifies the lowest key version that can be used for decryption. In the exhibit, `min_decryption_version` is set to 1, meaning any version from 1 upward is allowed. Since the data was encrypted with version 1, decryption will succeed.

This parameter does not block decryption with version 1; it only prevents decryption with versions lower than the specified value.

Exam trap

The trap here is that candidates often misinterpret `min_decryption_version` as a minimum version that is required (i.e., only versions above that number are allowed), when in fact it means the minimum version that is still permitted — so version 1 is allowed if the value is 1.

How to eliminate wrong answers

Option A is wrong because `min_decryption_version` does affect decryption — it explicitly controls which key versions are permitted for decryption operations. Option C is wrong because a `min_decryption_version` of 1 allows decryption with version 1 and higher, not only version 2 and higher. Option D is wrong because setting `min_decryption_version` to 1 does not block decryption with version 1; it actually permits it.

24
MCQeasy

Refer to the exhibit. What does min_decryption_version = 1 indicate?

A.Data encrypted with version 1 can only be decrypted with version 1.
B.Only data encrypted with version 1 or higher can be decrypted.
C.Version 1 is the minimum version that can be used for decryption.
D.All ciphertext must be rewrapped to version 1.
E.Version 1 keys are not allowed for decryption.
AnswerC

Decryption requests must use a key version >= min_decryption_version.

Why this answer

In Vault Enterprise, the `min_decryption_version` parameter on a transit key specifies the lowest key version that is allowed to decrypt existing ciphertext. Setting `min_decryption_version = 1` means that any key version from 1 up to the current version can be used for decryption; version 1 is the minimum allowed. This ensures backward compatibility while allowing newer versions to be used for encryption.

Exam trap

HashiCorp often tests the distinction between `min_encryption_version` and `min_decryption_version`; the trap here is confusing which parameter controls encryption versus decryption, leading candidates to incorrectly assume `min_decryption_version` restricts encryption or forces rewrapping.

How to eliminate wrong answers

Option A is wrong because `min_decryption_version = 1` does not restrict decryption to only version 1; it allows version 1 and any higher version to decrypt. Option B is wrong because it implies a minimum encryption version, but `min_decryption_version` controls decryption, not encryption; data encrypted with version 1 can be decrypted by version 1 or higher, but the statement is reversed and imprecise. Option D is wrong because `min_decryption_version` does not force rewrapping of ciphertext; rewrapping is a separate operation (e.g., `rewrap` API) and is not automatically triggered by this setting.

Option E is wrong because version 1 keys are explicitly allowed for decryption when `min_decryption_version = 1`; setting it to 1 means version 1 is the lowest permitted, not forbidden.

25
MCQeasy

Refer to the exhibit. A developer receives this error when attempting to decrypt data. What is the most likely cause?

A.The ciphertext is encrypted with a different key
B.The Vault server is not configured with the transit engine
C.The key mykey does not exist
D.The ciphertext provided is not valid base64
E.The token used does not have permission to decrypt
AnswerD

Directly matches the error message.

Why this answer

The error indicates that the ciphertext provided is not valid base64. Vault's transit engine expects ciphertext to be base64-encoded; if the input is malformed or not properly encoded, the decryption operation fails with this specific error. This is the most direct cause given the error message.

Exam trap

HashiCorp often tests the distinction between encoding errors (base64) and cryptographic errors (key mismatch, permissions) to see if candidates understand that Vault validates input format before attempting decryption.

How to eliminate wrong answers

Option A is wrong because if the ciphertext were encrypted with a different key, the decryption would fail with a different error (e.g., 'invalid ciphertext' or 'key mismatch'), not a base64 validation error. Option B is wrong because if the Vault server lacked the transit engine, the error would indicate that the path or engine is not mounted, not a base64 encoding issue. Option C is wrong because if the key 'mykey' did not exist, the error would be 'key not found' or 'no such key', not a base64 validation error.

Option E is wrong because a permission error would return a 'permission denied' or 'forbidden' message, not a base64 encoding error.

26
Multi-Selectmedium

Which TWO capabilities are required in a Vault policy to allow a client to encrypt data using a key named 'app-key' in the transit engine? (Assume the key already exists.)

Select 2 answers
A.read on /transit/keys/app-key
B.encrypt on /transit/encrypt/app-key
C.update on /transit/keys/app-key
D.create on /transit/keys/app-key
E.list on /transit/keys/app-key
AnswersA, B

Required to read key metadata.

Why this answer

Option A is correct because the 'read' capability on the policy path `/transit/keys/app-key` is required for the client to retrieve the public key information or verify the key exists before encryption. Option B is correct because the 'encrypt' capability on the path `/transit/encrypt/app-key` is the specific permission needed to submit data to the transit engine's encryption endpoint, which uses the named key to perform the encryption operation.

Exam trap

HashiCorp often tests the distinction between capabilities on the key configuration path (`/transit/keys/`) versus the operation path (`/transit/encrypt/`), and candidates mistakenly select 'create' or 'update' thinking they are needed for encryption, when only 'encrypt' on the operation path is required.

27
MCQeasy

A DevOps team needs to encrypt large files (several GB) using Vault's transit engine. What is the recommended approach?

A.Use Vault's batch encryption
B.Use Vault's seal-wrapping feature
C.Use Vault's datakey endpoint to get a data encryption key, encrypt locally, then wrap with Vault
D.Encrypt the file directly with Vault's transit encrypt API
E.Split the file into chunks and encrypt each chunk via transit
AnswerC

Envelope encryption: the data key is used locally and its ciphertext is stored alongside the encrypted file.

Why this answer

The transit engine is designed for encrypting small data payloads (typically a few KB), not multi-GB files. The recommended approach is to use the `/transit/datakey/plaintext` endpoint to generate a data encryption key (DEK), encrypt the large file locally with that DEK using a symmetric algorithm like AES-256-GCM, and then wrap (encrypt) the DEK with Vault using the transit engine. This keeps the large file out of Vault while still leveraging Vault for key management and audit logging.

Exam trap

HashiCorp often tests the misconception that Vault's transit engine can handle large payloads directly, leading candidates to choose Option D, but the actual limitation is that transit encrypt/decrypt operations are designed for small data (e.g., database fields, tokens) and envelope encryption is required for large files.

How to eliminate wrong answers

Option A is wrong because Vault does not have a 'batch encryption' feature; batch operations in Vault refer to token or request batching, not encryption. Option B is wrong because seal-wrapping is a mechanism to protect Vault's own master key or unseal keys, not a method for encrypting application data. Option D is wrong because the transit encrypt API has a payload size limit (typically 512 KB or less depending on the backend) and is not designed for multi-GB files.

Option E is wrong because splitting a file into chunks and encrypting each via transit would still require sending each chunk to Vault, incurring massive network overhead and hitting payload limits, making it impractical.

28
MCQeasy

What is the primary purpose of the Vault transit secrets engine?

A.Encryption and decryption as a service
B.Token generation
C.Certificate management
D.Dynamic database credentials
E.Secure storage of secrets
AnswerA

Transit engine is designed for cryptographic operations.

Why this answer

The Vault transit secrets engine is designed to provide encryption and decryption as a service, allowing applications to encrypt and decrypt data without managing cryptographic keys directly. It offloads the cryptographic operations to Vault, which securely stores and rotates the encryption keys, ensuring that plaintext data never leaves the application unencrypted. This enables centralized key management and policy-based access control for encryption operations.

Exam trap

HashiCorp often tests the distinction between 'encryption as a service' (transit engine) and 'secure storage of secrets' (KV engine), leading candidates to mistakenly choose Option E because they conflate encrypting data at rest with storing secrets.

How to eliminate wrong answers

Option B is wrong because token generation is the primary function of Vault's token authentication method or the token helper, not the transit secrets engine. Option C is wrong because certificate management is handled by the Vault PKI secrets engine, which issues and manages X.509 certificates, not the transit engine. Option D is wrong because dynamic database credentials are provided by the database secrets engine, which generates temporary credentials for databases, not encryption services.

Option E is wrong because secure storage of secrets is the core purpose of Vault's generic KV (Key-Value) secrets engine or the overall Vault platform, while the transit engine specifically focuses on cryptographic operations.

29
Multi-Selecteasy

A company wants to encrypt sensitive data at rest in its application using HashiCorp Vault. They need to ensure that each application instance uses a unique encryption key without storing keys locally. Which TWO actions should the security team take to meet these requirements?

Select 2 answers
A.Create a separate transit key for each application instance.
B.Enable key derivation on the transit key.
C.Enable automatic key rotation on the transit key.
D.Store encryption keys in the KV secrets engine.
E.Use the transit secrets engine to encrypt data.
AnswersB, E

Allows deriving unique keys per context without storing them.

Why this answer

Option B and E are correct. Using the transit secrets engine allows encryption as a service. Enabling key derivation for the key allows each application instance to derive a unique key from a master key, avoiding local storage.

Option A is wrong because the KV secrets engine is for static secrets, not encryption. Option C is wrong because auto-rotation is about rotating the key periodically, not per-instance uniqueness. Option D is wrong because transit engine does not require a separate key per instance; key derivation handles that.

30
Multi-Selecteasy

Which TWO of the following are valid uses of the Vault transit secrets engine?

Select 2 answers
A.Signing arbitrary data for verification
B.Encrypting data using a managed key
C.Generating random bytes for cryptographic salt
D.Exporting the encryption key for use outside Vault
E.Storing static secrets like API keys
AnswersA, B

Transit supports signing and verification operations.

Why this answer

Option A is correct because the Vault transit secrets engine can sign arbitrary data using a managed key, allowing verification of the signature's authenticity without exposing the key. This is a core encryption-as-a-service feature, enabling data integrity and non-repudiation for external systems.

Exam trap

HashiCorp often tests the distinction between the transit engine's cryptographic operations (encrypt, decrypt, sign, verify) and the KV engine's static storage, leading candidates to mistakenly select 'storing static secrets' as a valid use.

31
MCQmedium

A healthcare company uses Vault Transit to encrypt patient records before storing them in a database. Each request to encrypt a small field (e.g., SSN) takes about 200ms due to network latency and cryptographic overhead. The application needs to encrypt millions of records daily, causing performance bottlenecks. The team wants to reduce latency per encryption operation. After reviewing the Vault documentation, they consider the following options: A. Use the batch encryption endpoint to encrypt multiple plaintexts in a single API call. B. Deploy a local caching proxy on each application server to intercept encryption calls. C. Enable Vault's built-in encryption result caching. D. Use a dedicated, high-performance Vault cluster with more resources. Which option most directly reduces per-operation latency?

A.Deploy a local caching proxy
B.Use a dedicated, high-performance Vault cluster
C.Use the batch encryption endpoint
D.Enable Vault's built-in encryption result caching
AnswerC

Batch encryption combines multiple plaintexts into one request, significantly reducing average latency per encryption.

Why this answer

The batch encryption endpoint in Vault Transit allows multiple plaintexts to be encrypted in a single API call, amortizing the fixed overhead of network latency and cryptographic setup across all records in the batch. This directly reduces per-operation latency because the 200ms cost is incurred once per batch rather than once per individual encryption. Options that address caching or cluster performance do not reduce the per-call overhead of the encryption operation itself.

Exam trap

HashiCorp often tests the misconception that caching encryption results is effective, but encryption outputs are unique per plaintext and key version, making caching useless for distinct data; the correct answer is always about reducing the number of API calls.

How to eliminate wrong answers

Option A is wrong because deploying a local caching proxy would cache encryption results, but since each SSN is unique, cache hits are extremely rare; it does not reduce latency for new encryption operations. Option B is wrong because using a dedicated, high-performance Vault cluster improves throughput and reduces server-side latency, but the dominant factor is the per-request network round-trip and cryptographic overhead, which remains unchanged per operation. Option D is wrong because Vault does not have a built-in encryption result caching feature; this is a distractor that misleads candidates into thinking Vault caches encryption outputs, which it does not for security reasons.

32
MCQmedium

A financial services company uses HashiCorp Vault's transit engine to encrypt customer credit card numbers. The application sends each credit card number individually to Vault for encryption, and the response time is acceptable. However, during peak hours, the company needs to encrypt large batches of 10,000 credit card numbers. Users report that encrypting the entire batch takes several minutes, causing timeouts. The Vault cluster is healthy and not under high load. The security team wants to reduce the encryption time without changing the encryption algorithm or key strength. What should they do?

A.Enable key derivation on the transit key to allow parallel encryption.
B.Use the `batch_input` parameter to encrypt multiple plaintexts in one API call.
C.Enable convergent encryption to reuse ciphertexts.
D.Switch to an AES-256-GCM key for faster encryption.
AnswerB

Batch encryption reduces overhead.

Why this answer

Option B is correct. The `batch_input` parameter allows sending multiple plaintexts in a single API call, significantly reducing network round trips. Option A is wrong because key derivation is for generating unique keys per context, not for performance.

Option C is wrong because increasing key size (e.g., to AES-256) would slow encryption. Option D is wrong because convergent encryption adds computational overhead and is for deduplication, not performance.

33
MCQeasy

A financial technology company uses Vault Enterprise to manage encryption keys for its payment processing system. The system uses the transit secrets engine to encrypt credit card numbers before storing them in a legacy database. The security team mandates that all encryption keys must be automatically rotated every 30 days. The operations team configures the key 'payment-cards' with 'auto_rotate_period' set to 30 days. After the first rotation, the payment processing application starts failing with 'permission denied' errors when trying to decrypt previously encrypted data. The application uses a token with a policy that grants 'create' and 'update' capabilities on 'transit/decrypt/payment-cards'. The application does not use the 'rewrap' endpoint. The Vault audit logs show that the decryption requests are being made to the correct path. What is the most likely cause of the failure?

A.The key rotation changed the encryption algorithm, making old ciphertexts incompatible with the new key.
B.The application's token has expired after the key rotation, requiring a new token with updated policies.
C.The application must use the 'rewrap' endpoint to re-encrypt all ciphertexts with the new key version before decryption.
D.The application is not specifying the key version in the decryption request, and Vault defaults to the latest key version which cannot decrypt data encrypted with the old version.
AnswerD

By default, Vault uses the latest key version for decryption. To decrypt with an older version, the ciphertext must include a version reference, or the application must use the 'rewrap' endpoint.

Why this answer

Option D is correct because when Vault rotates a key in the transit secrets engine, it creates a new key version but retains the old version for decryption of existing ciphertexts. By default, decryption requests that do not specify a key version use the latest version, which cannot decrypt data encrypted with an older version. The application must explicitly include the `?version=` parameter or use the ciphertext's embedded version information to target the correct key version for decryption.

Exam trap

The trap here is that candidates assume key rotation automatically makes old ciphertexts decryptable with the new key, when in fact Vault requires explicit version targeting or use of the ciphertext's embedded version metadata to decrypt with the correct key version.

How to eliminate wrong answers

Option A is wrong because key rotation in Vault's transit secrets engine does not change the encryption algorithm; it only creates a new key version under the same algorithm (e.g., AES-GCM). Option B is wrong because token expiration is unrelated to key rotation; the token's policy and TTL remain unchanged unless explicitly revoked or expired by the token's own TTL, which is not indicated in the scenario. Option C is wrong because the `rewrap` endpoint is used to re-encrypt data with the latest key version without exposing plaintext, but it is not a prerequisite for decryption; decryption can succeed by specifying the correct key version.

34
MCQhard

A security engineer needs to ensure that if a key is compromised, previous ciphertext can be re-encrypted with a new key version without exposing the plaintext. Which Vault operation should they use?

A.Rewrap
B.Rotate
C.Encode
D.Transform
E.Rekey
AnswerA

Rewrap processes ciphertext without exposing plaintext.

Why this answer

The Rewrap operation in Vault allows a ciphertext to be decrypted with the current key version and re-encrypted with a new key version without exposing the plaintext to the caller. This ensures that if a key is compromised, previous ciphertext can be rotated to a new key version while maintaining data confidentiality.

Exam trap

HashiCorp often tests the distinction between key rotation (creating new key versions) and re-encrypting existing data (Rewrap), where candidates mistakenly choose Rotate thinking it automatically re-encrypts ciphertext.

How to eliminate wrong answers

Option B (Rotate) is wrong because Rotate creates a new key version but does not re-encrypt existing ciphertext; it only affects future encryption operations. Option C (Encode) is wrong because Encode is a generic data transformation (e.g., base64) and does not involve key management or re-encryption. Option D (Transform) is wrong because Transform applies a cryptographic function (e.g., tokenization, masking) but does not re-encrypt ciphertext under a new key version.

Option E (Rekey) is wrong because Rekey changes the master key or encryption key for the entire Vault cluster, not for individual ciphertexts, and does not provide a per-ciphertext re-encryption operation.

35
Multi-Selectmedium

Which THREE of the following best practices should be followed when using Vault's encryption as a service with the transit engine?

Select 3 answers
A.Allow deletion of keys to clean up unused keys
B.Use a unique encryption key per application
C.Enable key rotation automatically
D.Use encryption context to bind encrypted data to its intended use
E.Store the key name in the application code for easy access
AnswersB, C, D

Provides isolation and limits blast radius.

Why this answer

Option B is correct because using a unique encryption key per application ensures cryptographic isolation: if one application's key is compromised, other applications' data remains secure. Vault's transit engine supports this by allowing you to create and manage multiple named keys, each with its own policy and rotation schedule, preventing cross-application data exposure.

Exam trap

HashiCorp often tests the misconception that key deletion is a safe cleanup practice, but in the transit engine, deletion is irreversible and can cause data loss, whereas disabling or archiving keys is the correct approach.

36
MCQmedium

A compliance requirement states that encryption keys must be automatically rotated every 90 days. Which Vault feature can be used to enforce this?

A.Setting `auto_rotate` on the transit key
B.Using Vault's cron-like scheduler
C.Periodic rotation using the transit engine's `min_decryption_version`
D.Key rotation schedule policy
E.Using a periodic token to call the rotate endpoint
AnswerA

The `auto_rotate_period` parameter on a transit key enables automatic rotation.

Why this answer

Option A is correct because the Vault Transit Secrets Engine supports an `auto_rotate` parameter that can be set on a key to enforce automatic rotation every 90 days. When enabled, Vault automatically rotates the encryption key at the specified interval without manual intervention, directly meeting the compliance requirement for automated 90-day rotation.

Exam trap

HashiCorp often tests the distinction between automatic rotation enforcement (`auto_rotate`) and manual or policy-based controls (`min_decryption_version`, periodic tokens), leading candidates to confuse decryption version management with rotation scheduling.

How to eliminate wrong answers

Option B is wrong because Vault does not have a built-in cron-like scheduler; rotation scheduling is handled internally by the Transit engine's `auto_rotate` or via external tools like cron jobs. Option C is wrong because `min_decryption_version` controls which key versions can decrypt data, not the rotation schedule; it is a decryption policy, not an enforcement mechanism for rotation timing. Option D is wrong because there is no 'key rotation schedule policy' in Vault; rotation is configured per key using parameters like `auto_rotate` or `rotation_period`, not through a separate policy object.

Option E is wrong because using a periodic token to call the rotate endpoint requires external scripting and does not enforce automatic rotation; it is a manual or semi-automated workaround, not a built-in enforcement feature.

37
MCQmedium

A developer wants to encrypt a password before storing it in a database. The encryption must be deterministic so that the same plaintext always produces the same ciphertext. Which encryption mode should be used in the transit secrets engine?

A.chacha20-poly1305
B.convergent-encryption
C.aes128-gcm96
D.aes-gcm
E.padding
AnswerB

Convergent encryption derives the nonce from the plaintext and context, making output deterministic.

Why this answer

The transit secrets engine in Vault supports convergent encryption, which is a deterministic encryption mode where the same plaintext and context always produce the same ciphertext. This is achieved by using the plaintext itself as part of the encryption key derivation, ensuring repeatable output. The question specifically requires deterministic encryption, making convergent encryption the correct choice.

Exam trap

HashiCorp often tests the misconception that any AES-GCM mode is deterministic, but in practice, AES-GCM requires a unique nonce for each encryption, making it non-deterministic unless combined with convergent encryption or a fixed nonce (which would break security guarantees).

How to eliminate wrong answers

Option A is wrong because chacha20-poly1305 is an authenticated encryption algorithm, not a mode that provides deterministic output; it uses a nonce, so the same plaintext produces different ciphertexts each time. Option C is wrong because aes128-gcm96 is an AEAD algorithm that requires a unique nonce for each encryption, making it non-deterministic. Option D is wrong because aes-gcm is a generic algorithm that, without a fixed nonce, produces different ciphertexts for the same plaintext; Vault's transit engine does not support deterministic AES-GCM without convergent encryption.

Option E is wrong because padding is a data transformation technique, not an encryption mode, and does not provide deterministic encryption by itself.

38
MCQmedium

An application needs to encrypt credit card numbers. The encryption must be deterministic for indexing purposes but also support key rotation. Which approach should be used?

A.Use Vault's cubbyhole
B.Use Vault's transformations engine
C.Use datakey encryption
D.Use convergent encryption with key rotation
E.Use standard encryption and re-encrypt all data on rotation
AnswerD

Convergent encryption allows deterministic output and supports key rotation via rewrapping.

Why this answer

Option D is correct because convergent encryption uses a deterministic key derived from the data itself (e.g., SHA-256 hash of the plaintext), which ensures the same credit card number always produces the same ciphertext for indexing. Key rotation is supported by re-encrypting the data encryption key (DEK) with a new key encryption key (KEK), without changing the underlying ciphertext, thus preserving determinism while rotating the wrapping key.

Exam trap

HashiCorp often tests the misconception that 'deterministic encryption' requires a single static key, leading candidates to choose standard encryption (E) or datakey encryption (C), while ignoring convergent encryption's ability to combine determinism with key rotation via key wrapping.

How to eliminate wrong answers

Option A is wrong because Vault's cubbyhole is a per-request temporary storage mechanism that does not provide deterministic encryption or key rotation capabilities. Option B is wrong because Vault's transformations engine (e.g., FPE or tokenization) is designed for format-preserving encryption or masking, not for deterministic encryption with key rotation; it typically uses a single key and does not natively support rotating the key without re-processing all data. Option C is wrong because datakey encryption generates a unique random data key per encryption operation, producing non-deterministic ciphertexts that cannot be used for deterministic indexing.

Option E is wrong because standard encryption (e.g., AES-GCM) with a static key is non-deterministic due to random IVs, and re-encrypting all data on rotation is operationally expensive and defeats the purpose of efficient key rotation.

39
Multi-Selectmedium

A company uses Vault transit to encrypt secrets. They want to periodically rotate the encryption key to comply with compliance requirements. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Update the min_decryption_version to the newest version immediately.
B.Export the key and re-encrypt all data manually.
C.Rewrap all existing ciphertext with the new key version.
D.Delete old key versions after rotation.
E.Rotate the key using Vault's key rotation endpoint.
AnswersC, E

Rewrapping updates ciphertext to the new version without revealing plaintext.

Why this answer

Option C is correct because Vault's `vault rewrap` command re-encrypts existing ciphertext with the latest key version without decrypting the underlying plaintext, preserving the data's confidentiality. This is essential after a key rotation to ensure all ciphertext uses the new key, meeting compliance requirements for periodic key rotation.

Exam trap

HashiCorp often tests the misconception that you must delete old key versions immediately after rotation, but the correct practice is to keep them until all ciphertext is rewrapped to avoid data loss.

40
MCQhard

An organization wants to ensure that even Vault administrators cannot see the plaintext of data encrypted with the transit engine, but they want to use Vault for key management. What feature should be enabled?

A.Seal wrapping
B.Convergent encryption
C.Client-side encryption with datakey
D.Key deletion prevention
E.Key derivation
AnswerC

Datakey allows local encryption; Vault only stores and unwraps the key.

Why this answer

Option C is correct because client-side encryption with a datakey allows the application to encrypt data locally using a key obtained from Vault, ensuring that Vault administrators never see the plaintext. The datakey is generated by Vault and returned in both plaintext and ciphertext forms; the application encrypts data with the plaintext key and then discards it, storing only the ciphertext key alongside the encrypted data. This decouples key management from data encryption, meeting the requirement that even Vault administrators cannot access the plaintext.

Exam trap

HashiCorp often tests the distinction between server-side encryption (where Vault handles encryption/decryption) and client-side encryption (where the application handles encryption using a Vault-provided key), and candidates mistakenly choose seal wrapping or key derivation because they sound like they add security layers, but they do not prevent administrators from accessing plaintext.

How to eliminate wrong answers

Option A is wrong because seal wrapping encrypts Vault's own data (e.g., storage backend entries) using a seal mechanism, but it does not prevent administrators from seeing plaintext data encrypted via the transit engine; it protects Vault's internal state, not user data. Option B is wrong because convergent encryption uses the data's hash as part of the encryption key, enabling deduplication, but it does not prevent administrators from seeing plaintext; the transit engine still holds the key and can decrypt data on demand. Option D is wrong because key deletion prevention (e.g., deletion protection in Vault) prevents accidental or malicious deletion of encryption keys, but it does not address plaintext visibility; administrators can still use the key to decrypt data.

Option E is wrong because key derivation (e.g., using derived keys per context) creates unique keys for different contexts, but the transit engine still manages the encryption and decryption operations, meaning administrators could potentially decrypt data if they have access to the key.

41
MCQhard

Refer to the exhibit. An application token has the above policy. Which operation will fail?

A.Rotating the key mykey
B.Decrypting data using the key mykey
C.Encrypting data using the key mykey
D.Deleting the key mykey
E.Listing keys in the transit engine
AnswerE

Listing requires list capability on `transit/keys/`, which is not granted.

Why this answer

The policy shown in the exhibit grants 'create', 'update', 'delete', and 'deny' capabilities on the transit engine, but it does not include a 'list' capability. In Vault's transit secrets engine, listing keys requires the 'list' capability on the engine path. Without it, the operation will fail due to insufficient permissions, even though other key management operations are allowed.

Exam trap

HashiCorp often tests the distinction between key-level operations (encrypt, decrypt, rotate, delete) and path-level operations (list), where candidates mistakenly assume that having 'create' or 'update' on keys implies the ability to list them.

How to eliminate wrong answers

Option A is wrong because rotating a key requires the 'update' capability on the specific key path, which is granted by the policy. Option B is wrong because decrypting data requires the 'update' capability on the key for decryption, which is allowed. Option C is wrong because encrypting data requires the 'create' or 'update' capability on the key, both of which are present.

Option D is wrong because deleting a key requires the 'delete' capability, which is explicitly granted in the policy.

42
MCQmedium

An organization wants to encrypt sensitive fields in their database using Vault. They have multiple applications that need to encrypt different types of data. What approach should they take?

A.Use the PKI engine to issue certificates for each application
B.Use the KV engine to store encryption keys
C.Create a separate transit key per application
D.Use a single key for all applications to simplify management
E.Encrypt data in the database using a static key stored in Vault
AnswerC

Isolates encryption domains; follows least privilege principle.

Why this answer

Option C is correct because the Vault Transit Secrets Engine provides encryption-as-a-service, allowing each application to have its own named encryption key. This ensures cryptographic isolation: if one key is compromised, only the data encrypted with that specific key is at risk. Using separate keys per application also simplifies key rotation and access control, as each application can only use its designated key.

Exam trap

HashiCorp often tests the distinction between secret storage (KV engine) and encryption-as-a-service (Transit engine), leading candidates to incorrectly choose Option B because they confuse storing keys with performing encryption operations.

How to eliminate wrong answers

Option A is wrong because the PKI engine is used for issuing X.509 certificates for TLS/mTLS authentication, not for encrypting data fields in a database. Option B is wrong because the KV (Key-Value) engine is designed for static secret storage, not for performing encryption operations; it cannot encrypt data on demand. Option D is wrong because using a single key for all applications violates the principle of least privilege and creates a single point of failure; if that key is compromised, all encrypted data is exposed.

Option E is wrong because storing a static key in Vault and using it outside Vault for encryption defeats the purpose of Vault's encryption-as-a-service; the Transit engine should perform the encryption/decryption operations, not just store a key.

43
MCQmedium

A DevOps engineer is configuring Vault to encrypt data in transit for a microservice. They create a key in the transit engine and want to encrypt a base64-encoded plaintext. Which API path and operation should they use?

A.POST /v1/transit/encrypt/{key_name} with ciphertext in payload
B.GET /v1/transit/encrypt/{key_name} with query param
C.POST /v1/transit/encrypt/{key_name} with plaintext in payload
D.POST /v1/transit/sign/{key_name}
E.POST /v1/transit/hmac/{key_name}
AnswerC

Correct API call; plaintext must be base64-encoded.

Why this answer

Option C is correct because the Vault Transit Secrets Engine exposes a POST endpoint at `/v1/transit/encrypt/{key_name}` that accepts a JSON payload containing the `plaintext` field, which must be base64-encoded. This operation encrypts the provided plaintext using the named encryption key and returns the ciphertext. The POST method is required because the operation modifies state (encrypts data) and the plaintext is sent in the request body, not as a query parameter.

Exam trap

HashiCorp often tests the distinction between the input field names (`plaintext` vs `ciphertext`) and the correct HTTP method (POST vs GET) for state-changing operations, leading candidates to confuse the encrypt endpoint with the decrypt endpoint or to incorrectly assume a GET request can be used.

How to eliminate wrong answers

Option A is wrong because the payload should contain `plaintext`, not `ciphertext`; the ciphertext is the output of the encryption operation, not an input. Option B is wrong because the encrypt operation requires a POST request, not a GET; GET requests are idempotent and cannot carry a request body for the plaintext. Option D is wrong because `/v1/transit/sign/{key_name}` is used for digital signing, not encryption; it computes a signature over the input data.

Option E is wrong because `/v1/transit/hmac/{key_name}` is used for HMAC-based message authentication, not encryption; it produces a hash-based message authentication code.

44
MCQeasy

A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?

A.The ciphertext is always base64 encoded, so the client must decode it after receiving
B.Use the `/transit/encrypt` endpoint with `base64=false`
C.Set the `plaintext` parameter to the raw bytes
D.Use the `ciphertext` parameter
E.Use the `plaintext` parameter directly without base64 encoding
AnswerA

Correct: output is always base64.

Why this answer

Option A is correct because the Vault Transit Secrets Engine always returns ciphertext as a base64-encoded string, regardless of whether the input plaintext was base64-encoded or raw. The API specification requires the client to decode the base64 ciphertext after receiving it if the original plaintext was raw bytes. There is no parameter to disable base64 encoding of the ciphertext output.

Exam trap

HashiCorp often tests the misconception that you can set a `base64=false` parameter to get raw ciphertext, but the Vault API strictly enforces base64 encoding on both input and output for the transit engine.

How to eliminate wrong answers

Option B is wrong because the `/transit/encrypt` endpoint does not support a `base64=false` parameter; the ciphertext is always base64-encoded by design. Option C is wrong because the `plaintext` parameter must be base64-encoded; passing raw bytes will cause an error or unexpected behavior. Option D is wrong because the `ciphertext` parameter is used for decryption, not encryption.

Option E is wrong because the `plaintext` parameter always expects base64-encoded input, not raw bytes.

45
Multi-Selectmedium

Which THREE are appropriate use cases for Vault's Transit secrets engine?

Select 3 answers
A.Providing cryptographic offloading for applications running in untrusted environments
B.Generating and managing TLS certificates for internal services
C.Storing and retrieving static secrets like API keys
D.Performing signing and verification operations (e.g., for digital signatures)
E.Encrypting sensitive fields in a database without exposing encryption keys to the application
AnswersA, D, E

Transit allows secure crypto operations without exposing keys to the application.

Why this answer

Option A is correct because the Transit secrets engine performs encryption and decryption operations entirely on the server side, never exposing the encryption keys to the client. This allows applications running in untrusted environments to offload cryptographic processing securely, as the keys remain within Vault's encrypted storage and are never transmitted to or stored by the application.

Exam trap

HashiCorp often tests the distinction between Transit (encryption as a service) and other secrets engines like PKI (certificates) and KV (static secrets), so candidates mistakenly associate Transit with any cryptographic task, including certificate management or secret storage.

46
Matchingmedium

Match each Vault response wrapping feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Lifetime of the wrapping token

Single-use token to unwrap response

Token-scoped storage for wrapped data

Retrieve the original response

Why these pairings

These are key aspects of response wrapping.

47
MCQhard

After rotating the 'payment-key', Vault successfully decrypts data encrypted with the old key (v1). What is the most likely reason the decryption succeeded?

A.The old key version is retained and used for decryption when the ciphertext references that version.
B.The old key version is automatically deleted after rotation, but the ciphertext contains the key version and is decrypted by the new key.
C.The ciphertext contains the original plaintext, so decryption simply extracts it.
D.The plaintext is stored in Vault during encryption, so decryption retrieves the stored plaintext.
AnswerA

Vault retains old key versions for decryption, and the ciphertext includes the version identifier, allowing decryption with the appropriate key.

Why this answer

A is correct because Vault uses key versioning: when a key is rotated, the old key version (v1) is retained for decryption purposes. The ciphertext includes metadata referencing the key version used for encryption, so Vault automatically selects the correct old key version to decrypt data encrypted before rotation. This ensures backward compatibility without re-encrypting existing data.

Exam trap

HashiCorp often tests the misconception that key rotation invalidates old ciphertext, but the trap here is that candidates assume the old key is deleted or replaced, when in fact Vault retains it for decryption based on ciphertext metadata.

How to eliminate wrong answers

Option B is wrong because Vault does not automatically delete the old key version after rotation; it retains it for decryption, and the new key cannot decrypt data encrypted with the old key due to different cryptographic material. Option C is wrong because ciphertext does not contain the original plaintext; it contains encrypted data that requires the correct key and algorithm to decrypt. Option D is wrong because Vault does not store plaintext during encryption; it only stores ciphertext and metadata, and decryption is a cryptographic operation, not a retrieval of stored plaintext.

48
MCQhard

A security policy requires that encryption keys used in transit must never leave Vault's memory. However, development teams need to perform encryption offline in CI/CD pipelines. How can this be accomplished?

A.Use exportable keys and export them
B.Use Vault's transit encrypt with context
C.Use Vault's ciphertext rewrap
D.Use Vault's datakey endpoint to get a wrapped key that can be unwrapped offline
E.It is not possible; keys must stay in Vault
AnswerD

The datakey response includes a ciphertext that can be decrypted later to retrieve the data key for local encryption.

Why this answer

Option D is correct because Vault's `datakey` endpoint generates a data encryption key (DEK) that is wrapped by a Vault-managed key. The wrapped DEK can be safely stored and used offline in CI/CD pipelines, while the unwrapped key material never leaves Vault's memory — the DEK is unwrapped only when needed, and the wrapping key remains in Vault. This satisfies the policy requirement that encryption keys used in transit must never leave Vault's memory, as the DEK itself is not a transit key but a data key that can be used offline.

Exam trap

The trap here is that candidates may think offline encryption is impossible if keys cannot leave Vault, but Vault's datakey endpoint provides a wrapped key that can be used offline without exposing the underlying transit key.

How to eliminate wrong answers

Option A is wrong because exportable keys would allow the raw key material to leave Vault's memory, directly violating the security policy. Option B is wrong because Vault's transit encrypt with context only encrypts data within Vault's memory; it does not provide a wrapped key for offline use in CI/CD pipelines. Option C is wrong because ciphertext rewrap is used to rotate encryption keys without decrypting data, not to provide offline encryption capabilities.

Option E is wrong because Vault's datakey endpoint provides a mechanism to achieve offline encryption while keeping the wrapping key secure in Vault.

49
MCQmedium

Refer to the exhibit. What is the purpose of the -field=ciphertext flag in this command?

A.It sets the ciphertext field for encryption.
B.It enables field-level encryption.
C.It specifies the encryption key name.
D.It outputs the command result to a file named ciphertext.
E.It instructs Vault to only return the ciphertext field from the response.
AnswerE

This is the correct behavior of the -field flag.

Why this answer

The `-field=ciphertext` flag in a Vault command instructs the CLI to extract and return only the value of the `ciphertext` key from the JSON response object. This is a standard Vault output filtering mechanism that allows users to isolate a specific field without parsing the full response, which is especially useful in scripting and automation.

Exam trap

HashiCorp often tests the distinction between output filtering (`-field`) and actual encryption configuration, leading candidates to confuse the flag with setting encryption parameters or enabling field-level encryption.

How to eliminate wrong answers

Option A is wrong because the flag does not set or configure the ciphertext field for encryption; it filters the output to show only that field. Option B is wrong because field-level encryption is a separate concept involving encrypting individual data fields within a record, not a CLI output filter. Option C is wrong because the encryption key name is specified via a different parameter (e.g., `-key` or `key_name`), not the `-field` flag.

Option D is wrong because the `-field` flag does not redirect output to a file; file output is achieved with shell redirection (`>`) or the `-output` flag.

50
MCQhard

A team has set up automatic key rotation on a transit key. After rotation, encrypted data that was encrypted with the previous key version can no longer be decrypted. What is the most likely cause?

A.The key was deleted
B.The key's min_decryption_version is set too high
C.The key's min_encryption_version is set too high
D.The team used the 'rewrap' operation incorrectly
E.The key is not exportable
AnswerB

If min_decryption_version is higher than the version used for encryption, decryption requests are rejected.

Why this answer

Option B is correct because the `min_decryption_version` setting on a key in a key management system (such as AWS KMS or GCP Cloud KMS) controls the minimum key version that can be used to decrypt ciphertext. If this value is set too high (e.g., to the current version), older key versions are effectively disabled for decryption, causing any data encrypted with a previous key version to become undecryptable. This is a common misconfiguration when automating key rotation without properly managing version policies.

Exam trap

HashiCorp often tests the distinction between `min_encryption_version` and `min_decryption_version`, trapping candidates who confuse the two or assume that key rotation automatically invalidates old decryption capabilities.

How to eliminate wrong answers

Option A is wrong because deleting the key would make all data encrypted with any version of that key permanently undecryptable, not just data encrypted with the previous version. Option C is wrong because `min_encryption_version` controls which key version can be used for new encryption operations, not decryption of existing ciphertext. Option D is wrong because the `rewrap` operation (e.g., `ReEncrypt` in AWS KMS) is used to re-encrypt data under a new key version without exposing plaintext; using it incorrectly would not cause decryption failures for data encrypted with the previous version.

Option E is wrong because the exportability of a key affects whether the key material can be exported from the service, not whether ciphertext can be decrypted using the key versions stored within the service.

51
MCQmedium

A user receives an error 'invalid ciphertext' when trying to decrypt data. The ciphertext was created by another Vault instance. What is the most likely issue?

A.Different key names
B.The Vault instance is sealed
C.Different key types
D.The ciphertext includes key version info that doesn't match
E.The user lacks permissions to decrypt
AnswerD

Transit ciphertext is tied to a specific key version; if that version is missing, decryption fails.

Why this answer

Option D is correct because Vault's transit secrets engine appends key version information to the ciphertext by default. When decrypting, Vault checks that the key version embedded in the ciphertext matches a version of the key that exists in the destination Vault instance. If the ciphertext was created by a different Vault instance with a different key version history, the version embedded in the ciphertext will not correspond to any known key version, causing the 'invalid ciphertext' error.

Exam trap

HashiCorp often tests the misconception that 'invalid ciphertext' errors are caused by permission issues or key name mismatches, when in fact the error is specifically triggered by a version mismatch in the ciphertext header that prevents the decryption key from being derived.

How to eliminate wrong answers

Option A is wrong because the error 'invalid ciphertext' is not caused by key name mismatches; a key name mismatch would result in a 'key not found' or 'permission denied' error, not an invalid ciphertext error. Option B is wrong because a sealed Vault instance cannot perform any cryptographic operations at all, so the user would receive a 'Vault is sealed' error, not an 'invalid ciphertext' error. Option C is wrong because different key types (e.g., AES256-GCM96 vs.

ChaCha20-Poly1305) would cause a decryption failure, but Vault would typically return a 'key type mismatch' or 'unsupported key type' error, not a generic 'invalid ciphertext' error. Option E is wrong because insufficient permissions would result in a 'permission denied' or 'forbidden' HTTP 403 error, not an 'invalid ciphertext' error, which is a cryptographic validation failure.

52
MCQhard

A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?

A.The 'read' capability is missing.
B.The 'encrypt' capability is missing.
C.The 'delete' capability is missing.
D.The 'list' capability is missing.
AnswerB

Encrypt capability is required for encryption operations.

Why this answer

The Vault transit engine uses distinct capabilities for key management versus data operations. 'Create' and 'update' allow managing the key itself (e.g., creating or rotating the key), but encryption of data requires the 'encrypt' capability on the transit key path. Without 'encrypt', the API call to encrypt data fails with a 'permission denied' error, even if the key exists and is properly configured.

Exam trap

HashiCorp often tests the misconception that 'write' or 'create' capabilities on a key path implicitly grant the ability to encrypt data, when in fact Vault requires explicit 'encrypt' and 'decrypt' capabilities for data-plane operations.

How to eliminate wrong answers

Option A is wrong because 'read' capability allows retrieving key metadata or configuration, not performing encryption operations; missing 'read' would cause a different error (e.g., 'permission denied' on read requests, not encrypt). Option C is wrong because 'delete' capability is for removing the key entirely, which is unrelated to encrypting data; its absence would not affect encryption operations. Option D is wrong because 'list' capability is for enumerating keys under a path, not for encrypting data; missing 'list' would only block listing operations, not encryption.

53
MCQeasy

An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?

A.POST /v1/transit/datakey/plaintext/my-key
B.POST /v1/transit/encrypt/my-key
C.POST /v1/transit/decrypt/my-key
D.POST /v1/transit/datakey/ciphertext/my-key
AnswerA

Returns both plaintext and ciphertext data key.

Why this answer

The correct endpoint to retrieve a data key that can be used for local client-side encryption is POST /v1/transit/datakey/plaintext/my-key. This endpoint returns both the plaintext data key (for local encryption) and the ciphertext version of the key (for secure storage alongside the encrypted data). The 'plaintext' in the path indicates that the response includes the key in plaintext form, which is necessary for performing encryption locally.

Exam trap

HashiCorp often tests the distinction between 'datakey/plaintext' and 'datakey/ciphertext' endpoints, where candidates mistakenly choose the ciphertext-only endpoint thinking it provides the key for local encryption, but it actually omits the plaintext key required for that purpose.

How to eliminate wrong answers

Option B is wrong because POST /v1/transit/encrypt/my-key is used to encrypt an existing piece of data using Vault's transit engine, not to generate a new data key. Option C is wrong because POST /v1/transit/decrypt/my-key is used to decrypt ciphertext that was previously encrypted by the transit engine, not to generate a data key. Option D is wrong because POST /v1/transit/datakey/ciphertext/my-key returns only the ciphertext version of the data key, not the plaintext key needed for local encryption; this endpoint is used when the client only needs to store the key and does not need to perform local encryption.

54
Multi-Selectmedium

Which THREE are valid operations in the Vault transit secrets engine? (Choose three.)

Select 3 answers
A.issue
B.revoke
C.rewrap
D.decrypt
E.encrypt
AnswersC, D, E

Rewrap updates ciphertext to a newer key version.

Why this answer

The Vault transit secrets engine provides encryption as a service, and its core operations are encrypt, decrypt, rewrap, and datakey generation. Rewrap is valid because it decrypts ciphertext and re-encrypts it with the latest key version without exposing the plaintext to the caller, maintaining security during key rotation.

Exam trap

HashiCorp often tests candidates by mixing terms from different Vault secrets engines (e.g., PKI 'issue/revoke' with transit 'encrypt/decrypt') to see if you can distinguish the specific operations each engine supports.

Ready to test yourself?

Try a timed practice session using only Explain encryption as a service questions.