Free HashiCorp HCVA0-003 Exam Questions (page: 8)

True or False? When using the Transit secrets engine, setting the min_decryption_version will determine the minimum key length of the data key (i.e., 2048, 4096, etc.).

  A. True
  B. False

Answer(s): B

Explanation:

A: Incorrect. min_decryption_version sets the minimum key version, not length.
B: Correct. It controls versioning, not key size.
Overall Explanation from Vault Docs:
"min_decryption_version specifies the minimum key version for decryption... Key length is a separate configuration."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/transit#usage



After issuing the command to delete a secret, you run a vault kv list command, but the path to the secret still seems to exist.
What command would permanently delete the path from Vault?

  A. vault kv delete -force kv/applications/app01
  B. vault kv destroy -versions=1 kv/applications/app01
  C. vault kv metadata delete kv/applications/app01
  D. vault kv delete -all kv/applications/app01

Answer(s): C

Explanation:

A: Soft-deletes data, not metadata. Incorrect.
B: Destroys a version, not the path. Incorrect.
C: Deletes all metadata and versions, removing the path. Correct.
D: Invalid syntax. Incorrect.
Overall Explanation from Vault Docs:
"kv metadata delete deletes all versions and metadata for the key, permanently removing it."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#key-metadata



When using the Vault Secrets Operator, where is the secret written to after being retrieved from Vault?

  A. The secret is never written to any service or persistent storage
  B. Directly to the filesystem of the pod
  C. Kubernetes Secrets
  D. To the cloud-provider's native secret manager (Azure Key Vault, AWS Secrets Manager, etc.)

Answer(s): C

Explanation:

A: Incorrect; VSO writes to Kubernetes Secrets.
B: Incorrect; not written to pod filesystem.
C: VSO syncs secrets to Kubernetes Secrets. Correct.
D: Incorrect; no automatic cloud provider integration.
Overall Explanation from Vault Docs:
"VSO synchronizes secrets from Vault to Kubernetes Secrets..."


Reference:

https://developer.hashicorp.com/vault/docs/platform/k8s/vso



A user is assigned the following policy, and they can successfully retrieve secrets using the CLI. However, the user reports receiving an error message in the UI.
Why can't the user access the secret in the Vault UI?

    path "kv/apps/app01" {
      capabilities = ["read"]
    }

[Screenshot: successful retrieval using the CLI]

[Screenshot: "Permission denied" error in the UI]

  A. The user doesn't know what they're doing
  B. The user doesn't have permissions to retrieve the data from the UI, only the CLI
  C. The user needs list permissions to browse the UI
  D. The user's token is invalid

Answer(s): C

Explanation:

A: Irrelevant to permissions. Incorrect.
B: UI and CLI use the same permissions. Incorrect.
C: UI browsing requires list on parent paths; read alone isn't enough. Correct.
D: Token works via CLI, so it's valid. Incorrect.
Overall Explanation from Vault Docs:
"To browse the UI, users need list permissions on paths leading to the secret..."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/policies#list


