HashiCorp HashiCorp Certifications VA-002-P Questions & Answers

• Question 131:

  What feature of Vault would allow you to architect a "Vault within a Vault"?

  A. sentinel

  B. secrets engines

  C. control groups

  D. namespaces

  Correct Answer: D

  Namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace. This data includes the following:

  -Secret Engines

  -Auth Methods

  -Policies

  -Identities (Entities, Groups)

  -Tokens Reference link:- https://www.vaultproject.io/docs/enterprise/namespaces

• Question 132:

  After enabling the vault to autocomplete feature, you type vault and press the tab button, but nothing happens. Why doesn't vault display the available completions?

  1.

  $ vault -autocomplete-install

  2.

  $ vault

  A. your SSH client doesn't support autocompletion

  B. the SSH session needs to be restarted upon installation

  C. you don't have the permissions to use autocomplete

  D. you didn't use -force when enabling the feature

  Correct Answer: B

  Be sure to restart your shell after installing autocompletion!

• Question 133:

  After decrypting data using the transit secrets engine, the plaintext output does not match the plaintext credit card number that you encrypted. Which of the following answers provides a solution?

  1. $ vault write transit/decrypt/creditcard\ ciphertext="vault:v1:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=" \ 2.

  3.

  Key Value

  4.

  --- ----

  5.

  plaintext Y3JlZGl0LWNhcmQtbnVtYmVyCg==

  A. The resulting plaintext data is base64-encoded. To reveal the original plaintext, use the base64 -decode command.

  B. The data is corrupted. Execute the encryption command again using a different data key

  C. the user doesn't have permission to decrypt the data, therefore Vault returns false data so as not to reveal if the data was actually encrypted by Vault

  D. Vault is sealed, therefore the data cannot be decrypted. Unseal Vault to properly decrypt the data

  Correct Answer: A

  All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it. Reference link:- https:// learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

• Question 134:

  You've logged into the Vault CLI and attempted to enable an auth method, but received this error message. What can be done to resolve the error and configure Vault? Error enabling userpass auth: Post https://127.0.0.1:8200/v1/sys/auth/userpass: http: server gave HTTP response to HTTPS client

  A. change 'userpass' to 'username and password'

  B. restart the Vault service on this node

  C. set the VAULT_ADDR environment variable to HTTP

  D. ask an admin to grant you permission to enable the userpass auth method

  Correct Answer: C

  If you're running Vault in a non-prod environment, you can configure Vault to disable TLS. In this case, TLS

  has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, therefore Vault is

  sending the request over HTTPS but Vault is responding using HTTP since TLS is disabled.

  To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200".

• Question 135:

  What could you do with the feature found in the screenshot below? (select two)

  

  A. encrypt the Vault master key that is stored in memory

  B. using a short TTL, you could encrypt data in order to place only the encrypted data in Vault

  C. encrypt sensitive data to send to a colleague over email

  D. use response-wrapping to protect data

  Correct Answer: CD

  Vault includes a feature called response wrapping. When requested, Vault can take the response it would have sent to an HTTP client and instead insert it into the cubbyhole of a single-use token, returning that single-use token instead.

• Question 136:

  By default, the max TTL for a token is how many days?

  A. 14 days

  B. 32 days

  C. 31 days

  D. 7 days

  Correct Answer: B

  The system max TTL, which is 32 days but can be changed in Vault's configuration file. The max TTL set on a mount using mount tuning. This value is allowed to override the system max TTL -- it can be longer or shorter, and if set this value will be respected. A value suggested by the auth method that issued the token. This might be configured on a per-role, per-group, or per-user basis. This value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. Reference link:- https://www.vaultproject.io/docs/concepts/tokens

• Question 137:

  After encrypting data using the transit secrets engine, you've received the following output. Which of the following is true based upon the output?

  1.

  Key Value

  2.

  --- ----

  3.

  ciphertext vault:v2:45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3

  A. the original encryption key has been rotated at least once

  B. this is the second version of the encrypted data

  C. similar to the KV secrets engine, the transit secrets engine was enabled using the transit v2 option

  D. the data is stored in Vault using a KV v2 secrets engine

  Correct Answer: A

  When data is encrypted using Vault, the resulting ciphertext is prepended by the version of the key used to encrypt it. In this case, the version is v2, which means that the encryption key was rotated at least one time. Any data that was encrypted with the original key would have been prepended with vault:v1 To rotate a key, use the command vault write -f transit/keys//rotate Reference link:- https:// learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

• Question 138:

  In regards to the transit secrets engine, which of the following is true given the following command and output: (select three)

  1.

  $ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121")

  2.

  Key Value

  3.

  --- ----

  4.

  ciphertext vault:v3:cZNHVx+sxdMErXRSuDa1q/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

  A. there are at least three data keys associated with this keyring

  B. the name of the keyring used to encrypt the data is creditcard

  C. the data was written to the encryption path, which is provided by default when enabling the transit secrets engine

  D. the transit secrets engine is mounted at the encryption path

  Correct Answer: ABD

  The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be decrypted comfortably by an unauthorized party. In this case, data has been encrypted by specifying the keyring name creditcard.

• Question 139:

  From the unseal options listed below, select the options you can use if you're deploying Vault on-premises. (select four)

  A. transit

  B. AWS KMS

  C. certificates

  D. key shards

  E. HSM PKCS11

  Correct Answer: ABDE

  Certificates are not a valid unseal option for HashiCorp Vault.

• Question 140:

  How can Vault be used to programmatically obtain a generated code for MFA, somewhat similar to Google Authenticator?

  A. cubbyhole

  B. the identity secrets engine

  C. TOTP secrets engine

  D. the random byte generator

  Correct Answer: C

  The TOTP secrets engine generates time-based credentials according to the TOTP standard. The secrets engine can also be used to generate a new key and validate passwords generated by that key. The TOTP secrets engine can act as both a generator (like Google Authenticator) and a provider (like the Google.com sign-in service). As a Generator The TOTP secrets engine can act as a TOTP code generator. In this mode, it can replace traditional TOTP generators like Google Authenticator. It provides an added layer of security since the ability to generate codes is guarded by policies and the entire process is audited. Reference link:- https://www.vaultproject.io/ docs/secrets/totp