Free VA-002-P Exam Braindumps (page: 16)

Page 16 of 51

How can Vault be used to programmatically obtain a generated code for MFA, somewhat similar to Google Authenticator?

  A. cubbyhole
  B. the identity secrets engine
  C. TOTP secrets engine
  D. the random byte generator

Answer(s): C

Explanation:

The TOTP secrets engine generates time-based credentials according to the TOTP standard. The secrets engine can also be used to generate a new key and validate passwords generated by that key. The TOTP secrets engine can act as both a generator (like Google Authenticator) and a provider (like the Google.com sign-in service).
As a Generator
The TOTP secrets engine can act as a TOTP code generator. In this mode, it can replace traditional TOTP generators like Google Authenticator. It provides an added layer of security since the ability to generate codes is guarded by policies and the entire process is audited.


Reference:

https://www.vaultproject.io/docs/secrets/totp



From the unseal options listed below, select the options you can use if you're deploying Vault on-premises. (select four)

  A. transit
  B. AWS KMS
  C. certificates
  D. key shards
  E. HSM PKCS11

Answer(s): A,B,D,E

Explanation:

Certificates are not a valid unseal option for HashiCorp Vault.



Regarding the transit secrets engine, which of the following statements are true given the following command and output? (select three)

    $ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121")
    Key           Value
    ---           -----
    ciphertext    vault:v3:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

  A. there are at least three data keys associated with this keyring
  B. the name of the keyring used to encrypt the data is creditcard
  C. the data was written to the encryption path, which is provided by default when enabling the transit secrets engine
  D. the transit secrets engine is mounted at the encryption path

Answer(s): A,B,D

Explanation:

The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be easily decrypted by an unauthorized party. In this case, the data has been encrypted by specifying the keyring name creditcard.



After encrypting data using the transit secrets engine, you've received the following output. Which of the following is true based upon the output?

    Key           Value
    ---           -----
    ciphertext    vault:v2:45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3

  A. the original encryption key has been rotated at least once
  B. this is the second version of the encrypted data
  C. similar to the KV secrets engine, the transit secrets engine was enabled using the transit v2 option
  D. the data is stored in Vault using a KV v2 secrets engine

Answer(s): A

Explanation:

When data is encrypted using Vault, the resulting ciphertext is prefixed with the version of the key used to encrypt it. In this case, the version is v2, which means that the encryption key was rotated at least one time. Any data that was encrypted with the original key would have been prefixed with vault:v1.
To rotate a key, use the command: vault write -f transit/keys/<key name>/rotate


Reference:

https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit






Post your Comments and Discuss HashiCorp VA-002-P exam with other Community members:

Bruno commented on October 10, 2023
PDF is Vault, EXM is Terraform.
UNITED STATES