Which TWO of the following are correct statements about Vault secrets engines?
Transit acts as an encryption service; it stores keys but not the data payloads.
Why this answer
Option B is correct: dynamic secrets engines generate credentials on demand with a TTL. Option E is correct: the Transit secrets engine performs encryption operations without storing the data. Option A is incorrect because each engine instance is mounted at a single path, though the same engine type can be enabled at multiple paths.
Option C is incorrect because static secrets (e.g., database static roles) can have rotation. Option D is incorrect because each KV engine is either v1 (unversioned) or v2 (versioned), not both.