Free HashiCorp HCVA0-003 Exam Questions (page: 7)

True or False? When encrypting data with the Transit secrets engine, Vault always stores the ciphertext in a dedicated KV store along with the associated encryption key.

  A. True
  B. False

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
A: Incorrect. Transit doesn't store ciphertext; it returns it to the client.
B: Correct. The Transit engine performs encryption/decryption without persisting data.
Overall Explanation from Vault Docs:
"The Vault Transit secrets engine does NOT store any data... Ciphertext is returned to the caller."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit



What is the default maximum time-to-live (TTL) for a token, measured in days?

  A. 32 days (768 hours)
  B. 7 days (168 hours)
  C. 14 days (336 hours)
  D. 31 days (744 hours)

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: Vault's default max TTL is 768 hours (32 days). Correct.
B, C, D: Incorrect values per Vault's defaults.
Overall Explanation from Vault Docs:
"The system max TTL is 768 hours (32 days) unless overridden..."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls



After decrypting data using the Transit secrets engine, the plaintext output does not match the plaintext credit card number that you encrypted.
Which of the following answers provides a solution?
$ vault write transit/decrypt/creditcard ciphertext="vault:v1:cZNHVx+sxdMEr......."
Key: plaintext Value: Y3JlZGl0LWNhcmQtbnVtYmVyCg==

  A. Vault is sealed, therefore the data cannot be decrypted. Unseal Vault to properly decrypt the data
  B. The user doesn't have permission to decrypt the data, therefore Vault returns false data
  C. The resulting plaintext data is base64-encoded. To reveal the original plaintext, use the base64 --decode command
  D. The data is corrupted. Execute the encryption command again using a different data key

Answer(s): C

Explanation:

Comprehensive and Detailed in Depth
A: Sealing would prevent decryption, not return encoded data. Incorrect.
B: Permission issues don't return encoded data. Incorrect.
C: Transit returns base64-encoded plaintext; decoding Y3JlZGl0LWNhcmQtbnVtYmVyCg== yields "credit-card-number". Correct.
D: No evidence of corruption; it's a format issue. Incorrect.
Overall Explanation from Vault Docs:
"All plaintext data must be base64-encoded... Decode it to reveal the original value."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit



True or False? The Vault Secrets Operator does NOT encrypt client cache, such as Vault tokens and leases, by default in Kubernetes Secrets.

  A. True
  B. False

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: VSO doesn't encrypt client cache by default; it requires extra configuration. Correct.
B: Incorrect; encryption is optional, not default.
Overall Explanation from Vault Docs:
"Client cache persistence and encryption are not enabled by default... Requires Transit engine configuration."


Reference:

https://developer.hashicorp.com/vault/docs/platform/k8s/vso/sources/vault#vault-client-cache


