Use this screenshot to answer the question below: Where on this page would you click to view a secret located at secret/my-secret?
Correct Answer: C
In the HashiCorp Vault UI, secrets are organized in a tree-like structure. To view a secret located at secret/my-secret, you would click on the "secret/" folder in the tree, then click on the "my-secret" entry. In this screenshot, the "secret/" folder is located at option C. This folder contains the secrets stored in the key/value secrets engine, which is the default secrets engine in Vault. The key/value secrets engine allows you to store arbitrary secrets as key/value pairs. The key is the path of the secret, and the value is the data of the secret. For example, the secret located at secret/my-secret has a key of "my-secret" and a value of whatever data you stored there. Reference: KV - Secrets Engines | Vault | HashiCorp Developer
Question 87
When configuring Vault replication and monitoring its status, you keep seeing something called 'WALs'. What are WALs?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation:
* C: WALs (Write-Ahead Logs) ensure data consistency in replication. Correct.
Overall Explanation from Vault Docs: "Replication uses Write-Ahead Logs (WALs) for log shipping between clusters..."
Reference: https://developer.hashicorp.com/vault/docs/internals/replication
Question 88
True or False? Performing a rekey operation using the vault operator rekey command creates new unseal /recovery keys as well as a new root key?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: False. The vault operator rekey command updates unseal/recovery keys, not the master key (often confused with "root key"). The Vault documentation states: "The operator rekey command generates a new set of unseal keys. This can optionally change the total number of key shares or the required threshold of those key shares to reconstruct the master key. This operation is zero downtime, but it requires that Vault is unsealed and a quorum of existing unseal keys are provided." (Vault Commands: operator rekey)
* B: Correct. Only unseal keys are recreated: "When performing a rekey operation using the vault operator rekey command, new unseal/recovery keys are generated, but the root key remains the same." (Vault Commands: operator rekey)
* A: Incorrect; the master key persists.
References: Vault Commands: operator rekey
Question 89
What is the proper command to enable the AWS secrets engine at the default path?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: Enabling a secrets engine in Vault follows a specific syntax:
* A: Incorrect syntax; jumbled order.
* B: Correct. vault secrets enable <type> enables the AWS engine at aws/.
* C: Incorrect word order.
* D: Incorrect syntax.
Overall Explanation from Vault Docs: "The command vault secrets enable <type> enables a secrets engine at its default path (e.g., aws/ for AWS)."
Reference: https://developer.hashicorp.com/vault/docs/commands/secrets
Question 90
What is a benefit of response wrapping?
Correct Answer: D
Response wrapping is a feature that allows Vault to take the response it would have sent to a client and instead insert it into the cubbyhole of a single-use token, returning that token instead. The client can then unwrap the token and retrieve the original response. Response wrapping has several benefits, such as providing cover, malfeasance detection, and lifetime limitation for the secret data. One of the benefits is to ensure that only a single party can ever unwrap the token and see what's inside, as the token can be used only once and cannot be unwrapped by anyone else, even the root user or the creator of the token. This provides a way to securely distribute secrets to the intended recipients and detect any tampering or interception along the way [5]. The other options are not benefits of response wrapping:
* Log every use of a secret: Response wrapping does not log every use of a secret, as the secret is not directly exposed to the client or the network. However, Vault does log the creation and deletion of the response-wrapping token, and the client can use the audit device to log the unwrapping operation [6].
* Load balance secret generation across a Vault cluster: Response wrapping does not load balance secret generation across a Vault cluster, as the secret is generated by the Vault server that receives the request and the response-wrapping token is bound to that server. However, Vault does support high availability and replication modes that can distribute the load and improve the performance of the cluster [7].
* Provide error recovery to a secret so it is not corrupted in transit: Response wrapping does not provide error recovery to a secret so it is not corrupted in transit, as the secret is encrypted and stored in the cubbyhole of the token and cannot be modified or corrupted by anyone. However, if the token is lost or expired, the secret cannot be recovered either, so the client should have a backup or retry mechanism to handle such cases.
References:
[5] https://developer.hashicorp.com/vault/docs/concepts/response-wrapping
[6] https://developer.hashicorp.com/vault/docs/secrets
[7] https://developer.hashicorp.com/vault/docs/secrets
[8] https://developer.hashicorp.com/vault/tutorials/secrets-management/cubbyhole-response-wrapping
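To make the single-use and malfeasance-detection properties above concrete, here is an added toy model of the wrapping-token lifecycle in Python; it is not Vault's code or API. `FakeVault` stands in for the cubbyhole, and `receive_secret` performs the consumer-side check a client should do before unwrapping: validate the token's creation_path and TTL, and treat a token that is already consumed or expired as a sign of interception rather than a transient error. The token format, paths, payloads and TTLs are constructed for the example.

```python
import secrets
import time

class FakeVault:
    """In-memory stand-in for the cubbyhole that backs response wrapping (toy model)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._cubbyholes = {}   # token -> wrapped response plus its metadata

    def wrap(self, path, payload, ttl):
        # Single-use token whose cubbyhole holds the response; format is constructed.
        token = "hvs." + secrets.token_urlsafe(16)
        self._cubbyholes[token] = {"payload": payload, "path": path,
                                   "ttl": ttl, "t0": self._clock()}
        return token

    def lookup(self, token):
        # Metadata only; does not consume the token.
        e = self._live(token)
        return {"creation_path": e["path"], "creation_ttl": e["ttl"]}

    def unwrap(self, token):
        # Consumes the token: a second unwrap, by anyone, fails.
        e = self._live(token)
        del self._cubbyholes[token]
        return e["payload"]

    def _live(self, token):
        e = self._cubbyholes.get(token)
        if e is None:
            raise PermissionError("wrapping token invalid or already used")
        if self._clock() - e["t0"] > e["ttl"]:
            del self._cubbyholes[token]
            raise PermissionError("wrapping token expired")
        return e


def receive_secret(vault, token, expected_path, max_ttl):
    """Consumer-side check: verify the token's metadata before unwrapping. A failed
    lookup or a mismatched path/TTL means the token may have been intercepted or
    substituted, so refuse it rather than unwrap."""
    try:
        info = vault.lookup(token)
    except PermissionError as exc:
        return {"ok": False, "reason": str(exc)}
    if info["creation_path"] != expected_path or info["creation_ttl"] > max_ttl:
        return {"ok": False, "reason": "token metadata does not match expectation"}
    return {"ok": True, "secret": vault.unwrap(token)}
```

A second call to `receive_secret` with the same token returns `ok: False` with the "already used" reason, which is the signal that someone else unwrapped it first.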