HashiCorp HCVA0-003 Exam
HashiCorp Certified: Vault Associate (003) (Page 3)

Updated On: 7-Feb-2026

By default, what TCP port does Vault replication use?

  1. tcp/8200
  2. tcp/8300
  3. tcp/8201
  4. tcp/8301

Answer(s): C

Explanation:

Comprehensive and Detailed in Depth
Vault replication ensures data consistency across clusters, using a specific port:

A: 8200 - Default HTTP API port, not replication.
B: 8300 - Raft protocol port, not replication.
C: 8201 - Default replication port. Correct.
D: 8301 - Serf protocol port, not replication.
Overall Explanation from Vault Docs:
"Replication occurs on TCP port 8201 by default... distinct from the API (8200) and Raft (8300) ports."


Reference:

https://developer.hashicorp.com/vault/tutorials/day-one-raft/raft-reference-architecture#network-connectivity



What is the proper command to enable the AWS secrets engine at the default path?

  1. vault enable aws secrets engine
  2. vault secrets enable aws
  3. vault secrets aws enable
  4. vault enable secrets aws

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
Enabling a secrets engine in Vault follows a specific syntax:
A: Incorrect syntax; jumbled order.
B: vault secrets enable <type> enables the AWS engine at its default path aws/. Correct.
C: Incorrect word order.
D: Incorrect syntax.
Overall Explanation from Vault Docs:
"The command vault secrets enable <type> enables a secrets engine at its default path (e.g., aws/ for AWS)."


Reference:

https://developer.hashicorp.com/vault/docs/commands/secrets



In regards to the Transit secrets engine, which of the following is true given the following command and output (select three):
  $ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121")
  Key           Value
  ciphertext    vault:v3:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

  1. The Transit secrets engine is mounted at the encryption path
  2. The name of the keyring used to encrypt the data is creditcard
  3. There are at least three data keys associated with this keyring
  4. The data was written to the encryption path, which is provided by default when enabling the Transit secrets engine

Answer(s): A,B,C

Explanation:

Comprehensive and Detailed in Depth
A: The command uses encryption/encrypt/creditcard, indicating the Transit engine is mounted at encryption/. Correct.
B: The endpoint creditcard specifies the key name used for encryption. Correct.
C: The output vault:v3: shows key version 3, implying at least three versions (v1, v2, v3) after rotations. Correct.
D: The default path for Transit is transit/, not encryption/. This is a custom mount, not the default. Incorrect.

Overall Explanation from Vault Docs:
"The Transit engine encrypts data at a specified key name... Key versions (e.g., v3) indicate rotations."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit



Which of the following statements are true regarding Vault seal and unseal (select three)?

  1. By default, Vault uses the Shamir Sharing algorithm to create unseal keys during the initialization process
  2. When using Vault Auto Unseal feature, Vault returns unseal keys to the user when it is initialized
  3. Vault can use a third-party KMS solution to automatically unseal during a service restart
  4. Vault supports high availability for the Auto Unseal feature, allowing you to point to multiple keys

Answer(s): A,C,D

Explanation:

Comprehensive and Detailed in Depth
A: Vault uses Shamir's Secret Sharing by default for unseal keys. Correct.
B: Auto Unseal uses KMS or similar; it returns recovery keys, not unseal keys. Incorrect.
C: Third-party KMS (e.g., AWS KMS) can auto-unseal Vault. Correct.
D: Auto Unseal supports HA with multiple keys for redundancy. Correct.
Overall Explanation from Vault Docs:
"Vault uses Shamir's algorithm by default... Auto Unseal with KMS supports HA and does not return unseal keys but recovery keys."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/seal#seal-unseal



If Bobby is currently assigned the following policy, what additional policy can be added to ensure Bobby cannot access the data stored at secret/apps/confidential but still read all other secrets? path "secret/apps/*" { capabilities = ["create", "read", "update", "delete", "list"] }

  1. path "secret/apps/confidential" { capabilities = ["deny"] }
  2. path "secret/*" { capabilities = ["read", "deny"] }
  3. path "secret/apps/*" { capabilities = ["deny"] }
  4. path "secret/apps/confidential/*" { capabilities = ["deny"] }

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: Denies all access to secret/apps/confidential, overriding the original policy's permissions. Correct.
B: Applies to all secret/*, overly restrictive and unclear with mixed capabilities. Incorrect.
C: Denies all of secret/apps/*, blocking more than required. Incorrect.
D: Denies subpaths under confidential, not the path itself. Incorrect.
Overall Explanation from Vault Docs:
"A deny capability takes precedence over any allow... Use it to restrict specific paths."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/policies#capabilities
