Free HashiCorp HCVA0-003 Exam Questions (page: 6)

You want to encrypt a credit card number using the Transit secrets engine. You enter the following command and receive an error:

$ vault write -format=json transit/encrypt/creditcards plaintext="1234 5678 9101 1121"
Error: * illegal base64 data at input byte 4

What can you do to ensure that the credit card number is properly encrypted and the ciphertext is returned?

  A. The plaintext data needs to be encoded to base64
  B. The token used to issue the encryption request does not have the appropriate permissions
  C. Credit card numbers are not supported using the Transit secrets engine since it is considered sensitive data
  D. The credit card number should not include spaces

Answer(s): A

Explanation:

Comprehensive and Detailed In-Depth Explanation:
The error indicates a problem with the plaintext input format. Let's analyze:
A: The Transit engine requires plaintext to be base64-encoded for safe transport, since the input may be binary rather than text. The error "illegal base64 data at input byte 4" occurs because "1234 5678 9101 1121" isn't base64-encoded (byte 4 is the first space). Correct: use plaintext=$(base64 <<< "1234 5678 9101 1121"). Note that <<< appends a trailing newline, which then becomes part of the encrypted plaintext; use printf '%s' "1234 5678 9101 1121" | base64 if the exact bytes matter.
B: A permission error would return a 403 (permission denied), not a base64 parsing error. Incorrect.
C: Transit is designed for encrypting sensitive data such as credit card numbers. Incorrect.
D: Spaces aren't the issue; the value must be base64-encoded regardless of its content. Incorrect.
Overall Explanation from Vault Docs:
"When you send data to Vault for encryption, it must be base64-encoded plaintext... This ensures safe transport of binary or text data."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit#usage



Which of the following token attributes can be used to renew a token in Vault (select two)?

  A. TTL
  B. Token ID
  C. Identity policy
  D. Token accessor

Answer(s): B, D

Explanation:

Comprehensive and Detailed In-Depth Explanation:
Token renewal extends a token's TTL. Let's evaluate:
A: TTL: Defines the expiration time; it is a property of the token, not a handle used to renew it. Incorrect.
B: Token ID: The token's unique identifier; it can be passed to renew the token (e.g., vault token renew <token-id>). Correct.
C: Identity policy: Relates to access control, not renewal. Incorrect.
D: Token accessor: A separate identifier that allows operations such as renewal and revocation without exposing the token itself (e.g., vault token renew -accessor <accessor>). Correct.
Overall Explanation from Vault Docs:
"Tokens can be renewed with vault token renew using either the token ID or accessor... TTL is not an attribute for renewal."


Reference:

https://developer.hashicorp.com/vault/docs/commands/token/renew#token-renew



When generating dynamic credentials, Vault also creates associated metadata, including information like time duration, renewability, and more, and links it to the credentials.
What is this referred to as?

  A. Secret
  B. Token
  C. Lease
  D. Secrets engine

Answer(s): C

Explanation:

Comprehensive and Detailed In-Depth Explanation:
A: Secrets are the credentials themselves, not the metadata attached to them. Incorrect.
B: Tokens authenticate clients; they are not the metadata for credentials. Incorrect.
C: A lease is the metadata tied to a dynamic secret that manages its lifecycle (TTL, renewability, revocation). Correct.
D: Secrets engines generate secrets; they are not the metadata. Incorrect.
Overall Explanation from Vault Docs:
"With every dynamic secret... Vault creates a lease: metadata containing TTL, renewability, etc."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/lease



You are using an orchestrator to deploy a new application. Even though the orchestrator creates a new AppRole secret ID, security requires that only the new application has the combination of the role ID and secret ID. What feature can you use to meet these requirements?

  A. Have the application authenticate with the role ID to retrieve the secret ID
  B. Use response wrapping and provide the application server with the unwrapping token instead
  C. Use a batch token instead of a traditional service token
  D. Secure the communication between the orchestrator and Vault using TLS

Answer(s): B

Explanation:

Comprehensive and Detailed In-Depth Explanation:
A: Exposes the secret ID to whoever holds the role ID, violating the requirement. Incorrect.
B: Response wrapping delivers the secret ID inside a single-use wrapping token; only the holder of that token can unwrap it, and because it can be unwrapped only once, any interception along the way is detectable. Correct.
C: Batch tokens change token semantics but do nothing to protect the delivery of the secret ID. Incorrect.
D: TLS protects the channel between the orchestrator and Vault, but it doesn't restrict who can read the secret ID once issued. Incorrect.
Overall Explanation from Vault Docs:
"Response wrapping... wraps the secret in a single-use token, ensuring only the intended recipient unwraps it."


Reference:

https://developer.hashicorp.com/vault/tutorials/auth-methods/approle


