HCVA0-003 HashiCorp Certified: Vault Associate (003)Exam Questions and Answers

The vault lease operations that use a lease_id as an argument are renew and revoke. The renew operation allows a client to extend the validity of a lease associated with a secret or a token. The revoke operation allows a client to terminate a lease immediately and invalidate the secret or the token. Both operations require a lease_id as an argument to identify the lease to be renewed or revoked. The lease_id can be obtained from the response of reading a secret or creating a token, or from the vault lease list command. The other operations, revoke-prefix, create, and describe, do not use a lease_id as an argument. The revoke-prefix operation allows a client to revoke all secrets or tokens generated under a given prefix. The create operation allows a client to create a new lease for a secret. The describe operation allows a client to view information about a lease, such as its TTL, policies, and metadata. References:  Lease, Renew, and Revoke | Vault | HashiCorp Developer ,  vault lease - Command | Vault | HashiCorp Developer

Vault policies are path-based. This means authorization rules are written against Vault paths and the capabilities allowed on those paths. Policies do not need to be created separately for every individual secret because wildcard and path patterns can cover groups of secrets. Vault policies do not support full regular expressions, and permission types are not arbitrarily extended as plugins. The * wildcard is a glob wildcard and is limited in how it can be used; in standard ACL path rules, it is used only as a suffix glob at the end of a path pattern. Vault also supports path matching through its policy syntax, but not unrestricted wildcard placement everywhere in the path. Therefore, the two correct statements are that policies support suffix globbing with * and that policies are path-based.

================

Comprehensive and Detailed in Depth Explanation:

Sealing a Vault instance is a critical security operation that involves locking down the system to prevent access until it is explicitly unsealed. The HashiCorp Vault documentation states: " Sealing a Vault will throw away the root key in memory and require another unseal process to restore it. " This is achieved by running the vault operator seal command, which " securely discards the master key from memory and prevents further operations until unsealed. " This action ensures that no data can be accessed without the unseal process, making it the correct description of sealing.

Disabling TLS certificates via vault secrets disable pki affects the PKI secrets engine, not the sealing process. Running vault operator rotate rotates encryption keys, not seals the Vault. Revoking leases with vault lease revoke terminates secret access but keeps the master key in memory, unlike sealing, which discards it. Thus, only option C accurately reflects the sealing process.

Comprehensive and Detailed In-Depth Explanation:

Certain operations require unseal keys:

B. Unsealing : " Unsealing the Vault requires a threshold of unseal keys. "

C. Root Token : " Generating a new root token requires a threshold of unseal keys. "

D. Recovery Keys : " Changing the unseal/recovery keys requires the current threshold. "

Incorrect Option :

A. Key Rotation : " An online operation and does not cause downtime, " no shares needed.

Comprehensive and Detailed In-Depth Explanation:

AppRole’s flexibility allows human use:

A. True : " Although AppRole is primarily designed for machine-to-machine authentication, it can also be used by humans to authenticate to Vault if needed. " It uses a role_id and secret_id, which, while less convenient for humans, are technically usable. " Yeah, absolutely. Although it’s not super friendly for us humans to remember the values, you could use it if you wanted to. "

Incorrect Option :

B. False : Incorrect; it’s not restricted to machines only.

This adaptability broadens AppRole’s applicability.

Comprehensive and Detailed In-Depth Explanation:

In HashiCorp Vault, the default TTL (Time To Live) for tokens, when not explicitly specified, is 768 hours , equivalent to 32 days . This applies to both the initial TTL and the maximum TTL unless overridden.

Default Configuration : The documentation states: " When no specific TTL is provided, a generated token will inherit the default TTL which is 768 hours (32 days). " This long default ensures usability in many scenarios while allowing customization.

Customization Option : Operators can adjust this using commands like vault write sys/mounts/auth/token/tune default_lease_ttl=1h max_lease_ttl=24h, but without such tuning, 768 hours applies.

Incorrect Options :

A. 24 hours : Too short for Vault’s default; it’s a common custom setting instead.

B. 15 minutes : Far too brief and not aligned with Vault’s defaults.

D. 60 minutes : Another common custom value, not the default.

This default balances usability with security, encouraging explicit configuration for shorter-lived tokens when needed.

Comprehensive and Detailed In-Depth Explanation:

Batch tokens are identified by:

B, C : " In newer versions of Vault (Vault 1.10+), batch tokens are prepended with hvb. "

Incorrect Options :

A : hvr prefix is invalid.

D : hvs indicates service token.

Comprehensive and Detailed In-Depth Explanation:

Correct syntax is:

A. vault secrets enable -path=k8s-cluster kubernetes : " The secrets enable command enables a secrets engine at a given path. " The -path flag precedes the engine type.

Incorrect Options :

B : kv put is for key-value data, not enabling engines.

C : Incorrect CLI syntax; API-focused.

D : Reversed order; path must come first.

Comprehensive and Detailed In-Depth Explanation:

Vault supports various storage backends, but only some are designed to provide high availability (HA) , ensuring data consistency and fault tolerance across multiple nodes. The four backends that support HA are:

A. Consul : Consul uses a distributed key-value store with a consensus protocol, enabling HA by replicating data across nodes. The documentation notes: " Consul’s distributed nature and fault-tolerant design make it a suitable option for ensuring high availability in Vault deployments. "

B. etcd : etcd employs the Raft consensus algorithm for distributed coordination, ensuring data consistency and availability. It’s explicitly supported for HA in Vault: " etcd’s design ensures data consistency and fault tolerance. "

C. DynamoDB : Amazon’s managed NoSQL service, DynamoDB, offers replication and fault tolerance, making it HA-capable. Vault leverages these features: " DynamoDB’s replication and fault tolerance mechanisms make it a robust choice. "

D. Integrated Storage (raft) : Vault’s built-in storage backend uses the Raft consensus algorithm, providing HA without external dependencies. " Integrated Storage (raft) supports high availability by ensuring data consistency and fault tolerance. "

Incorrect Options :

E. Amazon S3 : While S3 offers durability, it’s an object store not optimized for HA in Vault’s context due to latency and lack of native consensus. " It may not be the best choice for ensuring high availability of Vault data. "

F. In-Memory : This stores data in volatile memory, losing it on restart, and does not support HA. " In-Memory storage backend does not support high availability as it is volatile. "

These HA-capable backends ensure Vault remains operational and consistent in multi-node setups.

Comprehensive and Detailed In-Depth Explanation:

Unsealing a new Vault:

C. Correct : " When a Vault server is started, it starts in a sealed state. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data. "

Incorrect Options :

A, B, D : Misrepresent unsealing process.

Comprehensive and Detailed In-Depth Explanation:

Supported auth methods:

A, B, C, D, E, G : " All of the options are valid auth methods except for Cubbyhole. " Detailed in Vault docs.

Incorrect Option :

F : " Cubbyhole is a secrets engine. "

Comprehensive and Detailed In-Depth Explanation:

For independence from parent TTL:

B. Orphan token : " Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does. "

Incorrect Options :

A : Use limit doesn’t affect TTL linkage.

C : Periodic tokens renew but follow parent TTL.

D : Root tokens are unrestricted.

Comprehensive and Detailed In-Depth Explanation:

Dynamic secrets are managed actively:

A. True : " Once the lease for a dynamic secret has expired, Vault automatically revokes the credentials on the backend platform for which they were created. " This cleanup reduces technical debt.

Incorrect Option :

B. False : Incorrect; revocation is automatic.

" When a lease expires, Vault does indeed revoke the credentials on the platform. "

Comprehensive and Detailed In-Depth Explanation:

For integrating a MySQL database on an EC2 instance with Vault, the database secrets engine is the appropriate choice:

B. database : " The ' database ' secrets engine in Vault is specifically designed for integrating with databases like MySQL. " It generates dynamic credentials, manages rotations, and supports MySQL plugins, ideal for Jarrad’s use case. " To manage the database resource, the database secrets engine should be used, specifically with the MySQL plugin. "

Incorrect Options :

A. azure : For Azure-specific credential management, not databases. " Used for generating Azure service principal credentials. "

C. kv : Stores static secrets, not dynamic database credentials. " Used for storing arbitrary secrets in a key-value pair format. "

D. aws : Manages AWS credentials, not database integration. " Used for generating AWS access keys. "

The database engine’s MySQL support is agnostic to the hosting platform (EC2 vs. RDS), focusing on the database itself.

Comprehensive and Detailed In-Depth Explanation:

Vault can decrypt if the key version is available:

A. Yes : " The minimum decryption version set to 4 indicates that Vault will be able to decrypt data encrypted with version 4 of the key. "

Incorrect Option :

B. No : " The latest version being 6 does not impact Vault’s ability to decrypt earlier versions. "

Comprehensive and Detailed In-Depth Explanation:

Vault allows key export under specific conditions:

A. Yes, if Exportable : " When creating the key, the exportable flag must be set as true. By default, it is false. " If set, " this enables the keys to be exportable, " allowing retrieval for external storage. " Once set, this cannot be disabled. "

Incorrect Option :

B. No : Incorrect if the key is exportable. " You cannot export the encryption key from Vault if it was not configured to be exportable. "

This feature, while not best practice, supports disaster recovery scenarios.

Comprehensive and Detailed In-Depth Explanation:

Unsealing involves:

C. Reconstructing the root key : " Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault. " The unseal keys reconstruct this root key via Shamir’s Secret Sharing.

Incorrect Options :

A : Recovery keys are separate.

B : Keys aren’t exported during unseal.

D : Data decryption is a result, not the action.

Comprehensive and Detailed In-Depth Explanation:

To clean up disrupted leases:

C. vault lease revoke -force : " Using the vault lease revoke -force flag is the correct way to manually remove leases in Vault. " With -prefix, it targets specific leases (e.g., vault lease revoke -force -prefix database/creds/ < role > ). " This is meant for recovery situations where the secret was manually removed. "

Incorrect Options :

A : Waiting risks ongoing issues. " May take time and could cause disruptions. "

B : Inaccurate; -force is needed. " Not a valid approach without -force. "

D : Too broad, affects other leases. " May impact other valid credentials. "

Comprehensive and Detailed In-Depth Explanation:

Integrated Storage (Raft) requires a quorum:

B. Unavailable : " If a cluster cannot achieve quorum, the cluster becomes unavailable and cannot commit new logs. " Quorum is " a majority of members from a peer set, " e.g., 3 of 5 nodes.

Incorrect Options :

A. Read-Only : " Does not continue to operate in read-only mode. "

C. Auto-Promotion : " Does not automatically promote a standby node. "

D. Local Storage : " Does not temporarily switch to local storage. "

Quorum loss halts operations to ensure consistency.

Comprehensive and Detailed In-Depth Explanation:

To ensure consistent access permissions for Sarah across multiple authentication methods (LDAP and GitHub), the correct approach in Vault is to create an entity for Sarah and map both her LDAP and GitHub identities as entity aliases to this single entity .

Entities and Aliases in Vault : Vault’s Identity secrets engine allows the creation of entities, which are logical representations of users or machines. Each entity can have multiple aliases, where an alias corresponds to an identity from a specific auth method. By mapping Sarah’s LDAP identity (e.g., her LDAP username) and GitHub identity (e.g., her GitHub username) as aliases to a single entity, Vault associates both identities with one set of policies. The documentation states: " Vault clients can be mapped as entities and their corresponding accounts with authentication providers can be mapped as aliases. "

Why This Works : Assigning policies to the entity ensures that Sarah’s permissions remain consistent regardless of whether she logs in via LDAP or GitHub. This centralizes policy management and eliminates discrepancies.

Incorrect Options :

B. External Group Approach : Creating an external group and adding LDAP and GitHub providers as members does not inherently synchronize permissions for a single user like Sarah. External groups are better suited for mapping group memberships from external systems to Vault policies, not individual identity unification.

C. Separate Policies : Managing separate policies per auth method is error-prone and inefficient. Manual synchronization risks inconsistencies, undermining security and manageability.

D. Trust Relationship : Vault does not support configuring trust relationships between auth methods like LDAP and GitHub to sync accounts. This is a misunderstanding of Vault’s architecture.

This entity-based approach leverages Vault’s identity system to unify Sarah’s access, simplifying administration and ensuring consistency.

Comprehensive and Detailed in Depth Explanation:

The Vault Secrets Operator (VSO) enhances secrets management in Kubernetes. The HashiCorp Vault documentation lists its benefits: " The following features are supported by the Vault Secrets Operator:

Support for syncing from multiple secret sources.

Automatic secret drift and remediation.

Automatic secret rotation for Deployment, ReplicaSet, StatefulSet Kubernetes resource types. "

The docs explain: " VSO watches for changes to its supported Custom Resource Definitions (CRDs) and synchronizes secrets from Vault to Kubernetes Secrets, ensuring consistency (A). It detects and corrects unauthorized changes (C) and rotates secrets for specified resource types (D). " Bi-directional sync (B) is not supported—sync is one-way from Vault to Kubernetes. Thus, A, C, and D are correct.

Comprehensive and Detailed in Depth Explanation:

The Transit secrets engine focuses on cryptographic operations, not data storage or modification. The HashiCorp Vault documentation states: " The transit secrets engine handles cryptographic functions on data in-transit. Vault doesn’t store the data sent to the secrets engine. It can also be viewed as ‘cryptography as a service’ or ‘encryption as a service’. The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes. "

It further notes: " You can, however, rewrap data when the key has been rotated to ensure data is encrypted with the latest version. " Supported actions include encrypt , decrypt , and rewrap , but update is not a function, as Transit doesn’t store or modify data. Thus, D is correct.

Comprehensive and Detailed in Depth Explanation:

For machine-to-machine authentication, AppRole is the ideal method. The HashiCorp Vault documentation states: " Although it’s not the only method for applications, the ideal method for machine-to-machine authentication is AppRole. The other options are frequently reserved for human access. " AppRole allows machines or services to authenticate using a role ID and secret ID, providing a secure, automated approach without human intervention.

The documentation elaborates: " The AppRole auth method provides a workflow tailored to machine-to-machine authentication. It allows applications to authenticate with Vault-defined roles and retrieve a token. " Okta , UserPass , and GitHub are better suited for human users, not automated systems. Thus, D (AppRole) is correct.

Comprehensive and Detailed in Depth Explanation:

Storage backends in Vault are responsible for storing persistent data, impacting its operation. The HashiCorp Vault documentation states: " The storage stanza configures the storage backend, which represents the location for the durable storage of Vault’s information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support high availability while others provide a more robust backup and restoration process. " This includes secrets, policies, and audit logs, affecting scalability and performance.

The docs add: " Vault uses a storage backend to persist its encrypted data, configuration, and metadata. " Option B is incorrect as encryption is handled by Vault, not the backend. C and D are wrong—backends store all persistent data, not just tokens or unseal keys. Thus, A is correct.

Comprehensive and Detailed in Depth Explanation:

The Vault Secrets Operator (VSO) enhances secrets management in Kubernetes. The HashiCorp Vault documentation states: " The Vault Secrets Operator operates by watching for changes to its supported set of Custom Resource Definitions (CRD). Each CRD provides the specification required to allow the operator to synchronize from one of the supported sources for secrets to a Kubernetes Secret. The operator writes the source secret data directly to the destination Kubernetes Secret, ensuring that any changes made to the source are replicated to the destination over its lifetime. "

It further explains: " In this way, an application only needs to have access to the destination secret in order to make use of the secret data contained within. " This aligns with C : " It continuously reconciles and synchronizes secrets from Vault to Kubernetes, ensuring secrets are always updated. " Option A is false—it augments, not replaces, the Kubernetes Secrets API and isn’t a CA. Option B is incorrect—it’s not a Vault server but an operator. Option D is wrong—it syncs secrets, not provisions clusters. Thus, C is correct.

Comprehensive and Detailed in Depth Explanation:

The statement is False . Saving the root token outside of Vault for day-to-day operations is not a recommended practice and contradicts Vault’s security principles. The HashiCorp Vault documentation explicitly states: " For day-to-day operations, the root token should be revoked after configuring other auth methods, which admins and Vault clients will use. " This is because the root token has unrestricted access to all Vault operations, posing a significant security risk if stored externally and used routinely. Instead, Vault encourages the use of less-privileged tokens or alternative authentication methods post-initialization.

The documentation further elaborates under the " Root Tokens " section: " Root tokens are tokens with an infinite TTL that have the ' root ' policy attached to them. Because of their power, it is strongly recommended that they be used only as necessary and then immediately revoked when no longer needed. " Storing the root token outside Vault increases the risk of compromise, and Vault’s design assumes it is used sparingly—typically only during initial setup—and then replaced with more secure, limited-privilege mechanisms. Thus, the correct operational approach is to revoke the root token after setup, not save it externally, making B (False) the correct answer.

Comprehensive and Detailed in Depth Explanation:

After successful authentication, the CLI and UI interfaces in Vault automatically assume the token for subsequent requests, simplifying user interaction. The HashiCorp Vault documentation states: " After authenticating, the UI and CLI automatically assume the token for all subsequent requests. The API, however, requires the user to extract the token from the server response after authenticating in order to send with subsequent requests. " This is facilitated by Vault’s token helper mechanism for CLI and session management in the UI.

The documentation under " Token Helper " explains: " The Vault CLI uses a token helper to store the token locally after login (e.g., vault login), and future commands automatically use this token without requiring it to be specified each time. " Similarly, the UI stores the token in the browser session post-login. In contrast, the API requires explicit inclusion of the token in each request header (e.g., X-Vault-Token), making manual token management necessary. Thus, A (CLI) and C (UI) are correct.

Comprehensive and Detailed in Depth Explanation:

HCP Vault Dedicated is a managed cloud service offering specific benefits over self-managed Vault. The HashiCorp Vault documentation outlines its advantages: " Vault Enterprise running on the HashiCorp Cloud Platform (HCP) enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform. " It lists the following benefits relevant to the options:

B (Helps reduce operational overhead for organizations with push-button deployment and fully managed upgrades) : The documentation states, " Reduce operational overhead: Push-button deployment, fully managed upgrades, and backups mean organizations can focus on adoption and integration instead of operational overhead. " This reflects HCP Vault Dedicated’s managed nature, automating deployment and maintenance tasks.

C (Increases reliability and ease of use so you can onboard applications and teams easily) : It notes, " Ease of use: HCP Vault Dedicated is built around making cloud security automation simple. Get up and running quickly so that you can onboard applications and teams easily, " and " Reliability: HashiCorp has experience supporting thousands of commercial Vault Enterprise clusters and HCP Vault Dedicated brings that expertise directly to users. " This simplifies onboarding and ensures dependable operation.

D (Increases security across clouds and machines through a single interface) : The docs confirm, " Increase security across clouds and machines: Secure your infrastructure across all your environments through a single interface and globally control and restrict access to sensitive data and systems, " highlighting centralized security management.

However, A (Provides 100% feature parity compared to Vault self-managed clusters) is false. The documentation clarifies under " Feature Parity " : " HCP Vault Dedicated does not provide 100% feature parity compared to Vault self-managed clusters. While it offers many of the same features and capabilities, there may be some differences or limitations in functionality between the two deployment options. " Thus, B, C, and D are true.

Comprehensive and Detailed in Depth Explanation:

Vault supports auto-unseal to simplify operations. The HashiCorp Vault documentation states: " Vault supports opt-in automatic unsealing via cloud technologies: AliCloud KMS, AWS KMS, Azure Key Vault, Google Cloud KMS, and OCI KMS, " and includes HSM and Transit as additional options. It explains: " Auto unseal is used to automatically unseal Vault using an HSM or cloud HSM service. " The valid options are:

A (HSM) : " HSM (Hardware Security Module) can automatically unseal Vault by securely storing and managing the master key used for encryption and decryption operations. "

B (Azure KMS) : " Azure KMS can automatically unseal Vault by utilizing Azure Key Management Service to manage the master key. "

C (AWS KMS) : " AWS KMS can automatically unseal Vault upon the start of the service by using AWS Key Management Service to manage the master key. "

D (Transit) : " Transit can automatically unseal Vault by using a pre-configured encryption key stored in Vault itself to encrypt the unseal key. "

The documentation clarifies: " Key Shards require the user to provide unseal keys to reconstruct the master key, " making E (Key Shards) a manual process, not auto-unseal. Thus, A, B, C, and D are correct.

Comprehensive and Detailed in Depth Explanation:

To restrict the values of a key/value pair to only " true " or " false " and prevent mistyping or capitalization errors, the allowed_parameters feature in a Vault policy is the most effective solution. The HashiCorp Vault documentation explains that allowed_parameters can be used to " permit a list of keys and values that are permitted on the given path. " By specifying allowed_parameters with the exact values " true " and " false, " the policy ensures that only these values are accepted, rejecting any deviations (e.g., " True, " " TRUE, " or " flase " ). This provides fine-grained control and eliminates the risk of human error impacting the batch job.

Adding a deny statement for all possible misspellings is impractical and error-prone, as it requires anticipating every potential mistake, which is neither scalable nor efficient. The list capability allows listing and reading values but does not restrict what can be written, failing to address the problem of enforcing specific values. Using a wildcard (*) at the end of the policy permits unrestricted values, which directly contradicts the need to limit entries to " true " or " false. " Thus, allowed_parameters is the precise tool for this use case.

Comprehensive and Detailed in Depth Explanation:

Vault’s encryption mechanism is a core security feature. The HashiCorp Vault documentation states: " When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault. " It further explains: " Vault uses encryption to secure data at rest and in transit, using an encryption key protected by the root key. "

The documentation details: " The data stored by Vault is encrypted using an encryption key in the keyring. This keyring is itself encrypted by the root key, which is protected by the unseal process (e.g., Shamir’s Secret Sharing or auto-unseal). Vault ensures data is encrypted both at rest in the storage backend and in transit over the network using TLS. " Option B is false—the root key is never stored in plaintext. Option C is incorrect—data is encrypted at rest, not just in transit. Option D is wrong—Vault performs encryption internally, not via third-party services. Thus, A is correct.

Comprehensive and Detailed in Depth Explanation:

To invalidate a specific dynamic credential without affecting others, Holly should use the vault lease revoke command with the exact lease ID. The HashiCorp Vault documentation states: " The lease revoke command revokes the lease on a secret, invalidating the underlying secret. To revoke a lease, you can specify the path and lease ID attached to the creds. " The command vault lease revoke aws/creds/admin/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83 targets the specific credential by its unique lease ID, ensuring precision without broader impact.

Deleting the credential on the cloud platform (B) doesn’t guarantee Vault recognizes it as revoked. vault lease revoke -all (C) revokes all leases, affecting unrelated credentials. vault lease revoke aws/creds/admin/* (D) revokes all leases under that path, potentially impacting other valid credentials. Thus, A is the correct command.

Comprehensive and Detailed in Depth Explanation:

Once a dynamic secret’s lease expires, it cannot be renewed or reused; a new secret must be requested. The HashiCorp Vault documentation states: " A lease must be renewed before it has expired. Once it has expired, it is permanently revoked and a new secret must be requested. " This means that after expiration, the secret is invalidated, and the application must obtain a new secret with a new lease to regain access.

Trying an expired secret (A) is futile as it’s revoked. Performing a lease renewal (B) is impossible post-expiration, as the docs note: " Renewal must occur before the lease expires. " Extending the TTL (D) isn’t an option for an expired lease. Thus, C is the correct action.

Comprehensive and Detailed in Depth Explanation:

Vault creates two default policies upon initialization: root and default . The HashiCorp Vault documentation states: " Vault creates two default policies, root and default. The root policy cannot be deleted or modified. The default policy is attached to all tokens, by default, however, this action can be modified if needed. " The root policy grants unrestricted access for administrative tasks, while the default policy provides basic permissions for all tokens unless overridden.

Policies like user , admin , base , and vault are not default; they must be explicitly created by users if needed. Thus, A (root) and D (default) are the correct selections.

Comprehensive and Detailed in Depth Explanation:

The statement is True . In a Vault cluster, each node must be individually unsealed after initialization or a restart unless auto-unseal is configured. The HashiCorp Vault documentation states: " Since the encryption key is stored in memory, Vault nodes do not share or replicate the encryption key to other nodes. Therefore, each node needs to individually unseal itself upon Vault initialization or anytime the Vault service is restarted on that node. " This is due to Vault’s design, where the master key (root key) is held in memory and lost on restart, requiring the unseal process to reconstruct it.

The documentation elaborates: " When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn’t know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data. " Without auto-unseal, this process is manual for each node, making A (True) correct in the default scenario.

Comprehensive and Detailed in Depth Explanation:

When Vault generates a dynamic secret, it returns a lease_id , which is the value a user can use to renew or revoke the lease. The HashiCorp Vault documentation states: " When creating a dynamic secret, Vault always returns a lease_id. This lease_id can be used to do a vault lease renew or a vault lease revoke command to manage the lease of a secret. " The lease_id uniquely identifies the lease associated with the dynamic secret, enabling precise management of its lifecycle.

The documentation under the " Lease Renew and Revoke " section explains: " Every secret in Vault is associated with a lease. When that lease expires, Vault revokes the secret and removes access to it. Associated with every lease is a unique lease_id. This identifier can be used to renew the lease before it expires or revoke it manually. " In contrast, renewable is a boolean indicating if the lease can be renewed, not a value for management. token_ttl relates to token duration, not lease management. lease_max is not a standard term in Vault’s lease system. Thus, D (lease_id) is the correct answer.

Comprehensive and Detailed in Depth Explanation:

The statement is True . The vault lease revoke -prefix aws/ command revokes all leases under the specified prefix. The HashiCorp Vault documentation states: " The vault lease revoke command is used to revoke leases. Using the -prefix flag allows you to revoke entire trees of secrets. " When applied to aws/, it targets all leases associated with the secrets engine mounted at that path.

The docs further explain under " Prefix-Based Revocation " : " The -prefix option allows revocation of all leases that share a common prefix, effectively cleaning up all secrets under a mount point or path. " Thus, A (True) is correct.

Comprehensive and Detailed in Depth Explanation:

The Vault UI includes a feature allowing CLI commands to be executed directly within the interface, known as the CLI emulation or REPL (Read-Eval-Print Loop) terminal. The HashiCorp Vault documentation states: " The Vault GUI includes an advanced mode that uses a read–eval–print loop (REPL) terminal to mimic basic create/read/update/delete/list (CRUDL) commands for users who are more familiar with the Vault CLI than the GUI. " This feature enables Chad to run a command like vault secrets enable < engine > without switching to a separate CLI, fulfilling the requirement.

The documentation under " Explore the Vault UI " adds: " This terminal allows users to execute Vault CLI commands directly from the web interface, enhancing usability for those accustomed to CLI workflows. " Options like user information (B), client count details (C), and access management (D) do not provide CLI execution capabilities. Thus, A is correct.

Comprehensive and Detailed in Depth Explanation:

To connect to an HCP Vault cluster using the Vault CLI, you need to set VAULT_ADDR and VAULT_NAMESPACE . The HashiCorp Vault documentation states: " You can use environment variables to configure the CLI globally. For example, export VAULT_ADDR= ' http://localhost:8200 ' sets the address of your Vault server globally. " For HCP Vault, the default port is 8200, and the default namespace is " admin, " so VAULT_ADDR=https:// < cluster-address > :8200 and VAULT_NAMESPACE=admin are required. A token (via VAULT_TOKEN) is also needed for authentication but is typically set after initial connectivity.

VAULT_CLIENT_KEY isn’t a standard variable for CLI connectivity. VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR are not used for this purpose. Thus, C provides the correct variables.

Comprehensive and Detailed In-Depth Explanation:

The Transit secrets engine in Vault is designed for encryption as a service, allowing applications to encrypt data without managing keys locally. After enabling the engine, two critical steps are required before encryption can begin: creating an encryption key and defining a policy to allow its use.

Option C: You must create an encryption key using a command like vault write -f transit/keys/ < key_name > . This key is stored in Vault and used for encryption/decryption operations. Without it, no encryption can occur, as the Transit engine relies on named keys to perform cryptographic operations.

Option D: A policy must be written to grant the application permissions to use the key, such as path " transit/encrypt/ < key_name > " { capabilities = [ " update " ] } and path " transit/decrypt/ < key_name > " { capabilities = [ " update " ] }. Vault’s access control ensures that only authorized entities can perform encryption, making this step essential.

Option A (exporting the key) contradicts Vault’s security model, as keys should remain in Vault, not be exported to application servers. Option B (enabling the Transit API) is unnecessary, as enabling the engine automatically exposes its API endpoints. The official Transit documentation confirms that key creation and policy configuration are the next steps post-enablement.

Comprehensive and Detailed In-Depth Explanation:

In the Vault UI, the “Policies” tab is visible only if your token’s policy grants access to policy management endpoints (e.g., sys/policy in Vault OSS or sys/policies/acl in Enterprise). If the tab is missing after OIDC authentication, it’s because your policy lacks permissions like read and list on these paths, preventing UI navigation to policy management. For example, a minimal policy to view policies in OSS is path " sys/policy/* " { capabilities = [ " read " , " list " ] }. Without this, the UI hides the tab, aligning with Vault’s least-privilege model.

Option A is false; policies exist in both OSS and Enterprise, with UI support in both. Option B is incorrect; a sealed Vault prevents login entirely, not just policy access. Option C is wrong; the UI does support policy management when permitted. Vault’s policy docs confirm that UI visibility depends on policy permissions.

Comprehensive and Detailed In-Depth Explanation:

The Vault Agent with Auto-Auth is ideal for legacy apps unable to modify for authentication. The Vault documentation states:

" Legacy applications often suffer from the ability to integrate with modern platforms such as Vault. To assist with this, you can use the Vault Agent to authenticate and manage a Vault token automatically. The token is written to a sink (local file) that the application can pick up and use. The Vault Agent Auto Auth feature will manage the lifecycle of the token to ensure there is always a valid token that the application can use. "

— Vault Agent Auto Auth

D : Correct. The Agent handles tokens for Transit encryption:

" Running the Vault Agent on the application server(s) and utilizing the Auto Auth feature is the best way to integrate Vault with the legacy application. "

— Vault Agent Auto Auth

A : Transit doesn’t send data directly.

B : Requires app modification, not feasible.

C : Kubernetes auth requires app changes and Kubernetes context.

Comprehensive and Detailed In-Depth Explanation:

The storage backend is configured in the Vault configuration file. The Vault documentation states:

" The Vault configuration file includes different stanzas and parameters to define a variety of configuration options. These configurations include the storage backend, listener, TLS certificates, seal type, cluster name, log level, UI, cluster IP address, and a few more. Most of these are required to get Vault up and running in the first place, so they must be placed in the configuration file. "

— Vault Configuration

C : Correct. For Integrated Storage:

" Configuring the storage backend to be used by Vault is done in the Vault configuration file. "

— Vault Configuration: Raft Storage

A : systemd manages the service, not storage.

B : Backend must be set before running.

D : Agent sink is for client tokens.

Comprehensive and Detailed In-Depth Explanation:

The Kubernetes auth method addresses Secret Zero by using service account tokens. The Vault documentation states:

" The ' Secret Zero ' problem refers to the bootstrapping challenge of how applications can authenticate to a secrets management system without requiring an initial secret. In a Kubernetes environment, the Kubernetes Auth Method in Vault allows applications to authenticate using their Kubernetes service account tokens, which are automatically provided to pods. The Vault server validates these tokens against the Kubernetes API server, establishing a chain of trust where applications can authenticate to Vault without pre-shared secrets. "

— Vault Auth Methods

C : Correct. Eliminates pre-shared secrets:

" Configuring the Kubernetes auth method in Vault allows applications running in Kubernetes to authenticate to Vault without the need for pre-shared secrets. "

— Vault Auth: Kubernetes

A , B : Introduce static secrets, worsening Secret Zero.

D : Retains pre-shared secrets (role-id/secret-id).

Comprehensive and Detailed In-Depth Explanation:

Secrets engines are Vault’s core components for managing data. The Vault documentation states:

" Secrets engines are components that store, generate, or encrypt data. Secrets engines are incredibly flexible, so it is easiest to think about them in terms of their function. Secrets engines are provided some set of data, they take some action on that data, and they return a result. "

— Vault Secrets Engines

C : Correct. Secrets engines (e.g., KV, Transit) handle storing, generating, or encrypting data:

" The secrets engine is a core component of Vault that is responsible for storing, generating, and encrypting data for organizations. "

— Vault Secrets Engines

A : Auth methods authenticate, not manage data.

B : Storage backends persist encrypted data, not generate or encrypt it directly.

D : Audit devices log actions, not handle data.

Comprehensive and Detailed In-Depth Explanation:

A token accessor is a reference to a token, not the token itself, and supports limited operations:

A : vault token renew -accessor < accessor > extends the token’s TTL if renewable, per the token docs.

B : vault token revoke -accessor < accessor > revokes the token, making it invalid, a supported accessor action.

D : vault token lookup -accessor < accessor > displays token properties (e.g., TTL, policies), a key accessor use case.

C : Creating child tokens requires the parent token, not just its accessor, as it involves authentication and policy inheritance, which accessors can’t perform.

Accessors can’t authenticate to Vault for secret access; they’re for management tasks like these, per the tokens documentation.

Comprehensive and Detailed In-Depth Explanation:

To view policies attached to her token, Sara needs vault token lookup. This command displays token details, including the policies field (e.g., [default, training]), revealing what permissions she has. vault operator diagnose troubleshoots server issues, not tokens. vault policy list lists all policies in Vault, not those tied to a specific token. vault token capabilities checks capabilities on a path, not policy attachment. The token lookup command, per Vault docs, is the correct tool for inspecting token metadata like policies.

Comprehensive and Detailed In-Depth Explanation:

To revoke all secrets from the database/ engine, use vault lease revoke -prefix. The Vault documentation states:

" If you need to revoke many leases, you can use vault lease revoke -prefix < prefix > and Vault will revoke all leases associated with the specified path. For example, you can revoke all leases associated with an entire database secrets engine by using vault lease revoke -prefix database/. "

— Vault Commands: lease revoke

D : Correct. Revokes all leases under database/:

" Using the command vault lease revoke -prefix database/ will revoke all the leases that have a prefix matching the specified path database/. "

— Vault Commands: lease revoke

A : Revokes tokens, not leases.

B : Disables the engine, not existing secrets.

C : Renews a specific lease, not revokes all.

Comprehensive and Detailed In-Depth Explanation:

False. The vault operator rekey command updates unseal/recovery keys, not the master key (often confused with “root key”). The Vault documentation states:

" The operator rekey command generates a new set of unseal keys. This can optionally change the total number of key shares or the required threshold of those key shares to reconstruct the master key. This operation is zero downtime, but it requires that Vault is unsealed and a quorum of existing unseal keys are provided. "

— Vault Commands: operator rekey

B : Correct. Only unseal keys are recreated:

" When performing a rekey operation using the vault operator rekey command, new unseal/recovery keys are generated, but the root key remains the same. "

— Vault Commands: operator rekey

A : Incorrect; the master key persists.

Comprehensive and Detailed In-Depth Explanation:

The VAULT_ADDR variable specifies the target Vault server. The Vault documentation states:

" VAULT_ADDR is the environment variable that is used to specify the address of the Vault server expressed as a URL and port, for example: https://vault.bryankrausen.com:8200/. You can easily modify the value of the environment variable whenever you want to target a different Vault node/cluster. "

— Vault Environment Variables

C : Correct. Sets the production cluster address:

" Setting the VAULT_ADDR environment variable allows you to specify the address of the Vault server you want to target. "

— Vault Environment Variables

A , B , D : Incorrect; unrelated to CLI targeting.

Comprehensive and Detailed In-Depth Explanation:

Vault encrypts all data before writing it to the storage backend using an encryption key within its cryptographic barrier. This key, stored in a keyring, is itself encrypted by the master key (split into unseal keys). The recovery key (A) is for emergency recovery, not data encryption. Unseal keys (C) unlock the master key, not encrypt data directly. The root key (D) isn’t a term used in Vault’s encryption flow; the master key is the closest analog, but it protects the encryption key, not the data itself. The architecture docs clarify the encryption key’s role.

Comprehensive and Detailed In-Depth Explanation:

False. When a transit encryption key is rotated in Vault (e.g., via vault write -f transit/keys/ < key_name > /rotate), the new key version becomes the default for future encryptions, but data encrypted with previous versions remains decryptable without rewrapping or re-encryption. Vault maintains a keyring with all versions, and the ciphertext prefix (e.g., vault:v1:) indicates which version was used, allowing automatic decryption with the corresponding key. This seamless handling simplifies key management and avoids mandatory data re-encryption post-rotation. Only if you set a min_decryption_version to archive older keys would rewrapping be needed, but that’s optional, not default behavior.

Option A is incorrect per Vault’s Transit documentation, which notes that old data can still be decrypted without immediate action after rotation.

Comprehensive and Detailed In-Depth Explanation:

Integrated Storage (Raft) offers several benefits over external storage backends. The Vault documentation states:

" Introduced in Vault 1.4, Integrated Storage is a built-in solution that provides a highly available, durable storage backend without relying on any external systems. All Vault data is stored locally on each node, and replicated to all other nodes in the cluster for high availability. It also reduces complexity since all configuration is done within Vault. "

— Vault Configuration: Raft Storage

C : Correct.

" Eliminates the requirement to deploy and manage a separate platform for storing encrypted data. "

— Vault Configuration: Raft Storage

D : Correct.

" Troubleshooting is simplified when using Integrated Storage because it is a built-in solution within Vault. "

— Vault Configuration: Raft Storage

E : Correct.

" Reduces operational overhead by keeping all configuration and data storage within Vault itself. "

— Vault Configuration: Raft Storage

F : Correct.

" Integrated Storage provides immediate access to stored data since it is stored locally on disk within Vault. "

— Vault Configuration: Raft Storage

A : Incorrect; Raft requires port 8201 for replication:

" The Vault cluster nodes still need to communicate over port 8201 for replication and RPC forwarding. "

— Vault Configuration: Raft Storage

B : Incorrect; Raft uses the RAFT protocol, not SERF:

" Integrated Storage uses the same underlying consensus protocol (RAFT) as Consul to handle cluster leadership and log management. "

— Vault Configuration: Raft Storage

Comprehensive and Detailed In-Depth Explanation:

Vault policies define access control using specific capabilities. The Vault documentation lists the valid capabilities:

" When creating a policy, only the following capabilities are available in Vault:

create

read

update

delete

list

sudo

deny " — Vault Policies: Capabilities

A : list is valid:

" The list capability enables the user to view a list of available resources or entities within Vault. "

— Vault Policies: Capabilities

B : deny is valid:

" The deny capability is used to explicitly deny access to specific resources or operations within Vault. "

— Vault Policies: Capabilities

E : create is valid:

" The create capability allows the user to create new policies, roles, tokens, and other entities within Vault. "

— Vault Policies: Capabilities

F : write is a common shorthand for update in Vault’s context and is valid:

" The update capability (often referred to as write in CLI contexts) allows the user to modify or update existing resources or entities within Vault. "

— Vault Policies: Capabilities

Note: While write isn’t explicitly listed, it’s synonymous with update in practice, as confirmed by CLI usage and community convention.

C : apply is not a Vault policy capability.

D : root is not a capability; it’s a policy name for superuser access.

Comprehensive and Detailed In-Depth Explanation:

In HashiCorp Vault, when a user authenticates via multiple methods (e.g., LDAP, OIDC, userpass), each authentication method generates a distinct token with its own set of policies based on the configuration of that auth method. This can lead to inconsistent access levels depending on how the user logs in. To address this and ensure consistent policies across all authentication methods, Vault’s Identity system can be utilized. Specifically, creating an entity and mapping aliases from each authentication method to that entity allows Vault to associate a single logical identity with the user, regardless of how they authenticate.

An entity in Vault represents a single identity (e.g., a user or application) and can have multiple aliases tied to different auth methods. Each alias links the authentication method’s identifier (e.g., LDAP username, OIDC subject) to the entity. Policies can then be assigned directly to the entity, ensuring that all tokens generated for that entity—across any auth method—inherit the same set of policies. This eliminates the need for users to log out and back in to switch contexts, as their access remains consistent.

Option A (SSH secrets engine) is unrelated, as it manages SSH credentials, not policy consistency across auth methods. Option C (assigning the default policy) doesn’t guarantee consistency, as the default policy might not include all required permissions and doesn’t unify policies across methods. Option D (AppRole) is a machine-oriented auth method and doesn’t solve the multi-method human user scenario. The correct approach, as per Vault’s Identity documentation, is to leverage entities and aliases.

Comprehensive and Detailed In-Depth Explanation:

To store static credentials in Vault’s KV secrets engine via CLI, the vault kv put command is used.

A : vault kv put kv/training/certification/vault @secrets.txt writes data from a file (secrets.txt) to the path kv/training/certification/vault. The @ syntax reads key-value pairs from the file, a valid method per the KV docs.

D : vault kv put -mount=secret creds passcode=my-long-passcode specifies the mount (secret/) and stores passcode=my-long-passcode at secret/creds, a correct inline syntax.

B : vault kv write isn’t a valid command; put is the correct verb. The key=value syntax is right but needs put.

C : vault kv create isn’t a command; put is used to create or update secrets.

The KV CLI docs confirm vault kv put as the standard method, supporting both file input and inline key-value pairs.

Comprehensive and Detailed In-Depth Explanation:

The Transit secrets engine provides encryption as a service. The Vault documentation states:

" The Transit secrets engine is used to encrypt data in transit. It does NOT store the data locally. It simply encrypts the data and returns the ciphertext to the requester. A prime use case is encrypting data before being written to an external storage service like Amazon S3. "

— Vault Secrets: Transit

A : Correct. Encrypting data for S3 is a key use case:

" Encrypting data before being written to an Amazon S3 bucket ensures that sensitive data is protected both in transit and at rest. "

— Transit Tutorial

B : Incorrect; Transit doesn’t store data long-term.

C : SSH credentials are handled by the SSH engine.

D : X.509 certificates are managed by the PKI engine.

Comprehensive and Detailed in Depth Explanation:

A: Denied by secret/apps/results deny policy. Incorrect.

B: secret/apps/app01 only allows read, not create. Incorrect.

C: secret/common/results allows create with student=frank (allowed value). Correct.

D: secret/apps/api_key allows read. Correct.

Overall Explanation from Vault Docs:

“deny overrides any allow… allowed_parameters restricts values.”

Comprehensive and Detailed In-Depth Explanation:

The Transit secrets engine encrypts data without local key storage. The Vault documentation states:

" The Transit secrets engine allows you to send cleartext data to Vault to be encrypted. Vault will encrypt the data with the referenced encryption key, which is stored locally, and returns the ciphertext to the application. Although the encryption keys in the Transit secrets engine are exportable, they are generally kept in Vault. "

— Transit Tutorial

C : Correct. Meets encryption and key security needs:

" It allows applications to encrypt data before storing it in a backend database and decrypt it when needed, without storing encryption keys locally. "

— Vault Secrets: Transit

A : PKI is for certificates.

B : SSH is for SSH credentials.

D : Cubbyhole is for temporary storage.

Comprehensive and Detailed In-Depth Explanation:

For a KV v2 secrets engine, the API path to retrieve a secret’s data is /v1/ < mount > /data/ < path > . Here, the mount is secret/, and the path is cloud/azure/subscription, making the correct endpoint /v1/secret/data/cloud/azure/subscription. Authentication requires the X-Vault-Token header with a valid token. Option C matches this exactly and retrieves the latest version by default, as per KV v2 API behavior. Option A lacks the token. Option B omits the /data/ segment, invalid for KV v2. Option D adds /latest, which isn’t a valid KV v2 endpoint. The KV v2 API docs confirm this structure.

Comprehensive and Detailed in Depth Explanation:

A: Incorrect; KV v1 can be upgraded to v2.

B: Correct; vault kv enable-versioning upgrades it.

Overall Explanation from Vault Docs:

“kv enable-versioning turns on versioning for an existing KV v1 engine at its path.”

Comprehensive and Detailed in Depth Explanation:

A: Matches dev policy and num_uses=5. TTL is system default (768h). Correct.

B: Missing num_uses. Incorrect.

C: Adds default policy explicitly, not needed as it’s implicit. Incorrect.

D: Missing num_uses. Incorrect.

Overall Explanation from Vault Docs:

“vault token create with -policy and -use-limit sets specific attributes… default policy is included implicitly.”

Comprehensive and Detailed in Depth Explanation:

The Transit secrets engine in Vault is designed for encryption-as-a-service, not data storage. Let’s evaluate:

Option A: 24 hours Transit doesn’t store ciphertext, so no TTL applies. Incorrect.

Option B: 30 days No storage means no 30-day retention. Incorrect.

Option C: 32 days This aligns with token TTLs, not Transit behavior. Incorrect.

Option D: Transit does not store data Transit encrypts data and returns the ciphertext to the caller without persisting it in Vault. Correct.

Detailed Mechanics:

When you run vault write transit/encrypt/mykey plaintext= < base64-data > , Vault uses the named key (e.g., mykey) to encrypt the input and returns a response like vault:v1: < ciphertext > . This ciphertext is not stored in Vault’s storage backend (e.g., Consul, Raft); it’s the client’s responsibility to save it (e.g., in a database). This stateless design keeps Vault lightweight and secure, avoiding data retention risks.

Real-World Example:

Encrypt a credit card: vault write transit/encrypt/creditcard plaintext=$(base64 < < < " 1234-5678-9012-3456 " ). Response: ciphertext=vault:v1: < data > . You store this in your app’s database; Vault retains nothing.

Overall Explanation from Vault Docs:

“Vault does NOT store any data encrypted via the transit/encrypt endpoint… The ciphertext is returned to the caller for storage elsewhere.”

Comprehensive and Detailed in Depth Explanation:

Integrating a third-party application with Vault without modifying its source code requires a solution that handles authentication and secret retrieval externally, then delivers secrets in a way the application can consume (e.g., files or environment variables). Let’s break this down:

Option A: You cannot integrate a third-party application with Vault without being able to modify the source code This is overly restrictive and incorrect. Vault provides tools like the Vault Agent, which can authenticate and fetch secrets on behalf of an application without requiring code changes. The agent can render secrets into a format (e.g., a file) that the application reads naturally. This option ignores Vault’s flexibility for such scenarios. Incorrect.

Option B: Put in a request to the third-party application vendor While this might eventually lead to native Vault support, it’s impractical, slow, and depends on the vendor’s willingness and timeline. It doesn’t address the immediate need to integrate without source code access. This is a passive approach, not a technical solution within Vault’s capabilities. Incorrect.

Option C: Instead of the API, have the application use the Vault CLI to retrieve credentials The Vault CLI is designed for human operators or scripts, not seamless application integration. Third-party applications without source code modification can’t invoke the CLI programmatically unless they’re scripted to do so, which still requires external orchestration and isn’t a clean solution. This approach is clunky, error-prone, and not suited for real-time secret retrieval in production. Incorrect.

Option D: Use the Vault Agent to obtain secrets and provide them to the application The Vault Agent is a lightweight daemon that authenticates to Vault, retrieves secrets, and renders them into a consumable format (e.g., a file or environment variables) for the application. For example, if the application reads a config file, the agent can write secrets into that file using a template. This requires no changes to the application’s code—just configuration of the agent and the application’s environment. It’s a standard, scalable solution for such use cases. Correct.

Detailed Mechanics:

The Vault Agent operates in two modes: authentication (to obtain a token) and secret rendering (via templates). For a third-party app, you’d configure the agent with an auth method (e.g., AppRole), a template (e.g., {{ with secret " secret/data/my-secret " }}{{ .Data.data.key }}{{ end }}), and a sink (e.g., /path/to/app/config). The agent runs alongside the app (e.g., as a sidecar in Kubernetes or a daemon on a VM), polls Vault for updates, and refreshes secrets as needed. The app remains oblivious to Vault, reading secrets as if they were static configs. This decoupling is key to integrating unmodified applications.

Real-World Example:

Imagine a legacy app that reads an API key from /etc/app/key.txt. The Vault Agent authenticates with Vault, fetches the key from secret/data/api, and writes it to /etc/app/key.txt. The app starts, reads the file, and operates normally—no code changes required.

Overall Explanation from Vault Docs:

“Vault Agent… provides a simpler way for applications to integrate with Vault without requiring changes to application code… It renders templates containing secrets required by your application.” This is ideal for third-party or legacy apps where source code access is unavailable.

Comprehensive and Detailed in Depth Explanation:

Vault supports two replication types: Performance Replication and Disaster Recovery (DR) Replication , each serving distinct purposes. The scenario involves an on-premises primary cluster and a secondary cluster in another data center, with active/active applications needing Vault access. Let’s analyze:

Option A: Disaster Recovery replication DR replication mirrors the primary cluster’s state (secrets, tokens, leases) to a secondary cluster, which remains in standby mode until activated (promoted) during a failover. It’s designed for disaster scenarios where the primary is lost, not for active/active use. The secondary doesn’t serve reads or writes until promoted, which doesn’t suit applications actively running in the secondary data center. Incorrect.

Option B: Performance replication Performance replication creates an active secondary cluster that replicates data from the primary in near real-time. It supports read operations locally, reducing latency for applications in the secondary data center, and can handle writes (forwarded to the primary). This fits an active/active architecture, providing redundancy and performance. If the primary fails, the secondary can continue serving reads (though writes need reconfiguring). Correct.

Detailed Mechanics:

Performance replication uses a primary-secondary model with log shipping via Write-Ahead Logs (WALs). The secondary maintains its own storage, synced from the primary, and can serve reads independently. Writes are forwarded to the primary, ensuring consistency. In an active/active setup, applications in both data centers can query their local Vault cluster, leveraging the secondary’s read capability. DR replication, conversely, keeps the secondary dormant, requiring manual promotion, which introduces downtime unsuitable for active apps.

Real-World Example:

Primary cluster at dc1.vault.local:8200, secondary at dc2.vault.local:8200. Apps in DC2 query the secondary for secrets (e.g., GET /v1/secret/data/my-secret), avoiding cross-DC latency. If DC1 fails, DC2 continues serving cached reads until a new primary is established.

Overall Explanation from Vault Docs:

“Performance replication… allows secondary clusters to serve reads locally, ideal for active/active setups… DR replication is for failover, keeping secondaries in standby.”

Comprehensive and Detailed in Depth Explanation:

In HashiCorp Vault, authentication methods (auth methods) are mechanisms that allow users or machines to authenticate and obtain a token. When an auth method like userpass is enabled, it is mounted at a specific path in Vault’s namespace, and this path determines where operators interact with it—e.g., to log in, configure, or manage it.

The userpass auth method is enabled with the command vault auth enable -path=users userpass, meaning it’s explicitly mounted at the users/ path. However, Vault’s authentication system has a standard convention: all auth methods are accessed under the auth/ prefix, followed by the mount path. This prefix is a logical namespace separating authentication endpoints from secrets engines or system endpoints.

Option A: users/auth/ This reverses the expected order. The auth/ prefix comes first, followed by the mount path (users/), not the other way around. This path would not correspond to any valid Vault endpoint for interacting with the userpass auth method. Incorrect.

Option B: authentication/users Vault does not use authentication/ as a prefix; it uses auth/. The term “authentication” is not part of Vault’s path structure—it’s a conceptual term, not a literal endpoint. This makes the path invalid and unusable in Vault’s API or CLI. Incorrect.

Option C: auth/users This follows Vault’s standard convention: auth/ (the authentication namespace) followed by users (the custom mount path specified when enabling the auth method). For example, to log in using the userpass method mounted at users/, the command would be vault login -method=userpass -path=users username= < user > . The API endpoint would be /v1/auth/users/login. This is the correct path for operators to interact with the auth method, whether via CLI, UI, or API. Correct.

Option D: users/ While users/ is the mount path, omitting the auth/ prefix breaks Vault’s structure. Directly accessing users/ would imply it’s a secrets engine or other mount type, not an auth method. Auth methods always require the auth/ prefix for interaction. Incorrect.

Detailed Mechanics:

When an auth method is enabled, Vault creates a backend at the specified path under auth/. The userpass method, for instance, supports endpoints like /login (for authentication) and /users/ < username > (for managing users). If mounted at users/, these become auth/users/login and auth/users/users/ < username > . This structure ensures isolation and clarity in Vault’s routing system. The ability to customize the path (e.g., users/ instead of the default userpass/) allows flexibility for organizations with multiple auth instances, but the auth/ prefix remains mandatory.

Overall Explanation from Vault Docs:

“When enabled, auth methods are mounted within the Vault mount table under the auth/ prefix… For example, enabling userpass at users/ allows interaction at auth/users.” This convention ensures operators can consistently locate and manage auth methods, regardless of custom paths.

Comprehensive and Detailed in Depth Explanation:

Token renewal extends a token’s TTL. Let’s evaluate:

A: TTL - Defines expiration time, not used for renewal. Incorrect.

B: Token ID - The token’s unique identifier; can be specified to renew it (e.g., vault token renew < token-id > ). Correct.

C: Identity policy - Relates to access control, not renewal. Incorrect.

D: Token accessor - A unique identifier for operations like renewal without exposing the token (e.g., vault token renew -accessor < accessor > ). Correct.

Overall Explanation from Vault Docs:

“Tokens can be renewed with vault token renew using either the token ID or accessor… TTL is not an attribute for renewal.”

Comprehensive and Detailed in Depth Explanation:

HCP Vault Dedicated is a managed service, while self-hosted Vault (Community or Enterprise) requires user management. Let’s evaluate:

A: Simple needs favor HCP Vault’s managed simplicity. Incorrect.

B: Offloading tasks aligns with HCP Vault, not self-hosted. Incorrect.

C: Managed scalability suits HCP Vault. Incorrect.

D: Compliance, custom integrations, and plugin development need full control, only possible with self-hosted Vault. Correct.

Detailed Mechanics:

Self-hosted Vault allows custom plugins, FIPS 140-2 compliance, and specific network configs (e.g., air-gapped setups), unavailable in HCP Vault Dedicated due to its standardized, managed nature.

Overall Explanation from Vault Docs:

“Self-managed Vault supports custom requirements… HCP Vault Dedicated offloads operations but limits control.”

Comprehensive and Detailed in Depth Explanation:

Vault tokens have two key time attributes: TTL (Time-To-Live) and Max TTL (Maximum Time-To-Live), governing their lifecycle. Let’s dissect each option:

Option A: The TTL defines when the token will expire and be revoked The TTL is the current lifespan of a token before it expires. For example, a token with a TTL of 24h (vault token create -ttl=24h) expires 24 hours from creation unless renewed. Upon expiry, Vault revokes it automatically. This is a fundamental property of TTL, making this statement accurate. Correct. Vault Docs Insight: “The TTL defines when the token will expire… if it reaches its TTL, it will be revoked by Vault.” (Core definition.)

Option B: The TTL defines when another token will be generated TTL governs expiration, not token generation. New tokens are created explicitly (e.g., vault token create) or via auth methods, not automatically by TTL. This misunderstands TTL’s role—it’s about expiry, not regeneration. Incorrect. Vault Docs Insight: “TTL is the duration until expiration… New tokens are not generated by TTL.” (No generation link.)

Option C: The Max TTL defines the timeframe for which a token cannot be used This is backwards. Max TTL sets the upper limit a token can exist through renewals, not a period of inactivity or unusability. A token with a Max TTL of 72h can be renewed up to 72 hours from creation, after which it’s revoked. This option inverts the concept. Incorrect. Vault Docs Insight: “Max TTL defines the maximum timeframe for which the token can be renewed… not a usage restriction.” (Opposite meaning.)

Option D: The Max TTL defines the maximum timeframe for which a token can be renewed Max TTL caps the total lifespan of a token, including renewals. For example, a token with TTL=24h and Max TTL=72h (vault token create -ttl=24h -explicit-max-ttl=72h) can be renewed twice (24h + 24h + 24h = 72h) before hitting the limit. Beyond 72h, renewal fails, and it expires. This is the precise definition of Max TTL. Correct. Vault Docs Insight: “The Max TTL defines the maximum timeframe for which the token can be renewed… Once reached, it cannot be renewed further.” (Exact match.)

Detailed Mechanics:

TTL is dynamic, decreasing as time passes (e.g., vault token lookup shows ttl: 23h59m50s after 10 seconds). Renewal (vault token renew) resets TTL to its original value (e.g., 24h), but only up to Max TTL from creation. System defaults (768h/32 days) apply unless overridden. Periodic tokens (-period=24h) renew indefinitely within their period, ignoring Max TTL unless explicitly set.

Real-World Example:

Create: vault token create -ttl=1h -explicit-max-ttl=3h. After 1h, TTL=0, renewable. Renew at 2h total, TTL=1h again. At 3h total, Max TTL hits—revoked. Contrast with TTL-only: vault token create -ttl=1h, renewable up to system Max TTL (768h).

Overall Explanation from Vault Docs:

“The TTL defines when the token will expire… If it reaches its TTL, it will be immediately revoked by Vault. The Max TTL defines the maximum timeframe for which the token can be renewed… Once the Max TTL is reached, the token cannot be renewed any longer and will be revoked.” These attributes ensure controlled token lifecycles.

Comprehensive and Detailed in Depth Explanation:

A: The command uses encryption/encrypt/creditcard, indicating the Transit engine is mounted at encryption/. Correct.

B: The endpoint creditcard specifies the key name used for encryption. Correct.

C: The output vault:v3: shows key version 3, implying at least three versions (v1, v2, v3) after rotations. Correct.

D: The default path for Transit is transit/, not encryption/. This is a custom mount, not default. Incorrect.

Overall Explanation from Vault Docs:

“The Transit engine encrypts data at a specified key name… Key versions (e.g., v3) indicate rotations.”

Comprehensive and Detailed in Depth Explanation:

A: Insecure and manual; not a Vault feature. Incorrect.

B: Auto-auth doesn’t replicate tokens/leases. Incorrect.

C: DR replication mirrors tokens and leases; promotion enables failover. Correct.

D: Performance replication doesn’t replicate tokens fully. Incorrect.

Overall Explanation from Vault Docs:

“Disaster Recovery replication mirrors tokens and leases… Promote the secondary during an outage.”

Comprehensive and Detailed in Depth Explanation:

KV v2 supports versioning. Let’s evaluate:

A: destroy removes a specific version permanently. Correct.

B: destroy targets specified versions, not all. Incorrect.

C: delete soft-deletes the current version. Correct.

D: metadata delete removes all versions and metadata. Correct.

Overall Explanation from Vault Docs:

“kv delete soft-deletes… kv destroy permanently removes versions… kv metadata delete wipes everything.”

Comprehensive and Detailed in Depth Explanation:

C: WALs (Write-Ahead Logs) ensure data consistency in replication. Correct.

Overall Explanation from Vault Docs:

“Replication uses Write-Ahead Logs (WALs) for log shipping between clusters…”

Comprehensive and Detailed in Depth Explanation:

Token is enabled by default and cannot be disabled.

Userpass is explicitly enabled.

Total: 2 auth methods.

Overall Explanation from Vault Docs:

“Tokens are the default auth method… Additional methods like userpass increase the count.”

Comprehensive and Detailed in Depth Explanation:

The PKI secrets engine in Vault generates dynamic X.509 certificates, acting as a certificate authority (CA) to streamline certificate management. Let’s assess each option based on its documented benefits:

Option A: TTLs on Vault certs are longer to ensure certificates are valid for a longer period of time This is misleading. Vault’s PKI engine allows configurable TTLs, but the recommendation is for short TTLs (e.g., hours or days) to reduce the need for revocation and enhance security. Long TTLs increase exposure if a certificate is compromised, requiring revocation and larger Certificate Revocation Lists (CRLs). The engine’s benefit isn’t longer validity—it’s flexibility and automation, not extended lifetimes. Incorrect. Vault Docs Insight: “By keeping TTLs relatively short, revocations are less likely… helping scale to large workloads.” (Short TTLs are preferred.)

Option B: Reducing, or eliminating certificate revocations A key advantage of the PKI engine is issuing short-lived certificates. With short TTLs (e.g., 24h), certificates expire naturally before revocation is needed, minimizing CRL maintenance. For example, an app can fetch a new cert daily, reducing revocation events compared to traditional multi-year certs. This aligns with Vault’s ephemeral certificate model. Correct. Vault Docs Insight: “By keeping TTLs relatively short, revocations are less likely to be needed, keeping CRLs short…” (Direct benefit.)

Option C: Reduces time to get a certificate by eliminating the need to generate a private key and CSR Traditionally, obtaining a certificate involves generating a private key, creating a Certificate Signing Request (CSR), and submitting it to a CA—a manual, time-consuming process. The PKI engine automates this: vault write pki/issue/my-role common_name=app.example.com instantly generates a private key and signed certificate. This eliminates manual steps, speeding up issuance significantly. Correct. Vault Docs Insight: “Services can get certificates without… generating a private key and CSR, submitting to a CA, and waiting…” (Automation reduces time.)

Option D: Vault can act as an intermediate CA The PKI engine can be configured as an intermediate CA, signed by a root CA (internal or external). For example, vault write pki/intermediate/generate/internal common_name= " Intermediate CA " creates an intermediate, which can issue certificates under a trust chain. This supports hierarchical PKI setups, a major feature. Correct. Vault Docs Insight: “The PKI secrets engine can act as an intermediate CA… issuing certificates on behalf of a root CA.” (Explicit capability.)

Detailed Mechanics:

The PKI engine operates at paths like pki/ (root) or pki_int/ (intermediate). Roles (e.g., my-role) define parameters like TTL and allowed domains. Issuing a cert (vault write pki/issue/my-role…) returns a JSON payload with certificate, private_key, and issuing_ca. Short TTLs leverage Vault’s lease system, auto-revoking certs on expiry. As an intermediate CA, it signs certificates with its key, validated against a root, enhancing trust management.

Real-World Example:

An app needs a cert: vault write pki/issue/web common_name=web.example.com ttl=24h. Vault returns a cert and key instantly, valid for 24 hours. No CSR, no revocation needed—expires tomorrow. Another PKI mount at pki_int/ issues certs under a corporate root CA.

Overall Explanation from Vault Docs:

“The PKI secrets engine generates dynamic X.509 certificates… Services can get certificates without the usual manual process… By keeping TTLs short, revocations are less likely… Vault can act as an intermediate CA, issuing certificates efficiently.” These benefits—automation, reduced revocation, and CA flexibility—define its value.

Comprehensive and Detailed in Depth Explanation:

Vault can generate time-based one-time passwords (TOTP) for multi-factor authentication (MFA), mimicking apps like Google Authenticator. Let’s evaluate:

Option A: Cubbyhole Cubbyhole is a per-token secret store, not a TOTP generator. It’s for temporary secret storage, not MFA code generation. Incorrect. Vault Docs Insight: “Cubbyhole stores secrets tied to a token… no TOTP functionality.” (Different purpose.)

Option B: The random byte generator Vault’s /sys/tools/random endpoint generates random bytes, not time-based codes synced with a clock (TOTP requirement). It’s for generic randomness, not MFA. Incorrect. Vault Docs Insight: “Random bytes are not time-based… unsuitable for TOTP.” (Unrelated feature.)

Option C: TOTP secrets engine The TOTP engine generates and validates TOTP codes (e.g., 6-digit codes every 30s) using a shared secret, just like Google Authenticator. You create a key (vault write totp/keys/my-key) and fetch codes (vault read totp/code/my-key). Perfect for programmatic MFA. Correct. Vault Docs Insight: “The TOTP secrets engine can act as a TOTP code generator… replacing traditional generators like Google Authenticator.” (Exact match.)

Option D: The identity secrets engine The Identity engine manages user/entity identities and policies, not TOTP codes. It’s for identity management, not MFA generation. Incorrect. Vault Docs Insight: “Identity engine handles identity data… no TOTP generation.” (Different scope.)

Detailed Mechanics:

Enable: vault secrets enable totp. Create key: vault write totp/keys/my-key issuer=Vault. Get code: vault read totp/code/my-key returns { " data " :{ " code " : " 123456 " }}. Codes sync with time (RFC 6238), usable in APIs or apps.

Overall Explanation from Vault Docs:

“The TOTP secrets engine can act as a TOTP code generator… It provides an added layer of security since the ability to generate codes is guarded by policies and audited.”

Comprehensive and Detailed in Depth Explanation:

A: Vault’s default max TTL is 768 hours (32 days). Correct.

B, C, D: Incorrect values per Vault’s defaults.

Overall Explanation from Vault Docs:

“The system max TTL is 768 hours (32 days) unless overridden…”

Dynamic secrets are generated on-demand by Vault and have a limited time-to-live (TTL). They do not ensure that administrators can see every password used, as they are often encrypted and ephemeral. The benefits of dynamic secrets are:

They support systems that do not natively provide a method of expiring credentials, such as databases, cloud providers, SSH, etc. Vault can revoke the credentials when they are no longer needed or when the lease expires.

They minimize the damage of credentials leaking, as they are short-lived and can be easily rotated or revoked. If a credential is compromised, the attacker has a limited window of opportunity to use it before it becomes invalid.

They replace cumbersome password rotation tools and practices, as Vault can handle the generation and revocation of credentials automatically and securely. This reduces the operational overhead and complexity of managing secrets.

Comprehensive and Detailed in Depth Explanation:

Leases manage dynamic secrets’ lifecycles. Let’s check:

A: UI allows lease revocation. Valid.

B: TTL expiration auto-revokes leases. Valid.

C: API endpoint revokes leases. Valid.

D: vault token manages tokens, not leases directly. Invalid.

Overall Explanation from Vault Docs:

“Leases can be revoked via API, UI, CLI (vault lease revoke), or TTL expiry… vault token is for tokens.”

Comprehensive and Detailed in Depth Explanation:

The initialization page means Vault is new or reset. Let’s evaluate:

A: Storage issues don’t trigger this screen; they’d cause errors post-init. Incorrect.

B: Vault requires initialization (vault operator init) to set up keys and enable login. Correct.

C: Policies apply post-login, not pre-init. Incorrect.

D: Config errors would prevent Vault from starting, not show this screen. Incorrect.

Overall Explanation from Vault Docs:

“Before Vault can be used, it must be initialized and unsealed… This screen indicates Vault has not been initialized yet.”

The root token is the initial token created when initializing Vault. It has unlimited privileges and can perform any operation in Vault. As a best practice, the root token should be revoked and never stored after initial setup. This is because the root token is a single point of failure and a potential security risk if it is compromised or leaked. Instead of using the root token, Vault operators should create other tokens with appropriate policies and roles that allow them to perform their tasks. If a new root token is needed in an emergency, the vault operator generate-root command can be used to create one on-the-fly with the consent of a quorum of unseal key holders. References:  Tokens | Vault | HashiCorp Developer ,  Generate root tokens using unseal keys | Vault | HashiCorp Developer

The Google Cloud Secrets Engine is the best option for the DevOps team to provision VMs in GCP via a CICD pipeline and integrate Vault to protect the credentials used by the tool. The Google Cloud Secrets Engine can dynamically generate GCP service account keys or OAuth tokens based on IAM policies, which can be used to authenticate and authorize the CICD tool to access GCP resources. The credentials are automatically revoked when they are no longer used or when the lease expires, ensuring that the credentials are short-lived and secure. The DevOps team can configure rolesets or static accounts in Vault to define the scope and permissions of the credentials, and use the Vault API or CLI to request credentials on demand.  The Google Cloud Secrets Engine also supports generating access tokens for impersonated service accounts, which can be useful for delegating access to other service accounts without storing or managing their keys 1 .

The Identity Secrets Engine is not a good option for this use case, because it does not generate GCP credentials, but rather generates identity tokens that can be used to access other Vault secrets engines or namespaces 2 .  The Key/Value Secrets Engine version 2 is also not a good option, because it does not generate dynamic credentials, but rather stores and manages static secrets that the user provides 3 .  The SSH Secrets Engine is not a good option either, because it does not generate GCP credentials, but rather generates SSH keys or OTPs that can be used to access remote hosts via SSH 4 .

The Vault UI hides or denies access to sections that the current token cannot use. ACL policy management is controlled by Vault policies, usually through access to policy-related system paths. If the authenticated token does not have the required permissions to list, read, create, or update policies, the UI will not expose the ACL Policies menu as expected. There is no separate “policy engine” that must be enabled; policies are a core Vault authorization mechanism. Option C is also incorrect because the issue is not solved by moving to a “policy namespace” unless the token has the required permissions in that namespace. The exhibit behavior is a permissions problem. HashiCorp documents that Vault access is controlled by policies and that unauthorized paths evaluate to deny.

================

Batch tokens are the best strategy when many short-lived workloads need to authenticate or interact with Vault at high volume. Unlike service tokens, batch tokens are lightweight encrypted blobs that do not require Vault to persist token state to disk. This reduces storage backend I/O during large-scale startup events, such as 1000+ containers requesting Vault access at the same time. Kubernetes auth and AppRole are authentication methods, but they do not by themselves eliminate token storage overhead. Short-TTL service tokens still require storage writes, and single-use tokens do not solve the backend I/O problem at scale. HashiCorp’s token documentation describes batch tokens as lightweight, scalable, and requiring no storage on disk to track them.

================

The listener is bound to IP address 10.0.0.50 on port 8200, so the client must target that address, not localhost. The configuration also sets tls_disable = true, which means the listener is using plain HTTP rather than HTTPS. Therefore, the correct VAULT_ADDR value is http://10.0.0.50:8200. Option A uses the correct IP and port but the wrong protocol because TLS is disabled. Options B and C target 127.0.0.1, which would only work for a Vault listener bound locally on the client machine. Vault assumes TLS by default unless explicitly disabled, so when TLS is disabled, the scheme must be http://.

================

The statement is false. HCP Vault Dedicated supports cross-region disaster recovery, but it is not automatically enabled by default for every cluster. It must be enabled and configured as part of the HCP Vault Dedicated cluster architecture. HashiCorp documentation describes a setup process for enabling cross-region DR, including creating a cross-region HVN and enabling DR for new or existing clusters. That wording matters: a supported feature is not the same as an automatically enabled feature. Disaster recovery replication is an Enterprise/HCP capability used to protect against catastrophic failure and maintain continuity, but operators must deliberately configure it. Therefore, the correct answer is False. HashiCorp’s HCP cluster management documentation explicitly refers to enabling cross-region DR rather than it being automatic.

================

The role output shows secret_id_num_uses 10, which means a particular SecretID can be used only ten times to fetch a token from that AppRole. After that use count is exhausted, Vault will reject further login attempts using that SecretID, commonly resulting in a failed authentication request. The SecretID TTL is not the issue because the output shows secret_id_ttl 0s, which indicates no expiration by TTL. A wrong RoleID would not be concluded from the role configuration shown, and an incorrect attached policy would affect authorization after authentication, not the ability to use the SecretID itself. HashiCorp’s AppRole API documentation confirms that secret_id_num_uses controls how many times a SecretID can be used before it expires.

================

The namespace can be defined in the “Mount path” field in the “Advanced options” section of the login screen. The mount path is the path where the auth method is enabled, and it can include a namespace prefix. For example, if the LDAP auth method is enabled at the path ns1/auth/ldap, where ns1 is the namespace, then the mount path field should be set to ns1/auth/ldap. This way, the Vault UI will log in to the correct namespace and auth method. Alternatively, the namespace can also be specified in the URL of the Vault UI, such as https://vault.example.com/ui/vault/auth/ns1/auth/ldap/login.

Vault’s default API listener port is 8200. This is the port used by Vault clients, the Vault CLI through VAULT_ADDR, and direct API calls when the listener is configured on the default address. Port 8201 is normally associated with Vault cluster communication, not the public client REST API. Port 443 is a standard HTTPS port, but it is not Vault’s default listener port unless an operator places Vault behind a proxy or custom listener configuration. Port 8500 is commonly associated with Consul’s HTTP API, not Vault. HashiCorp’s TCP listener documentation shows Vault listening at 127.0.0.1:8200, and the dev server documentation also confirms TCP port 8200 as the default listener port.

================

The Vault seal configuration can be set in two ways: through the Vault configuration file or through environment variables. The Vault configuration file is a text file that contains the settings and options for Vault, such as the storage backend, the listener, the telemetry, and the seal. The seal stanza in the configuration file specifies the seal type and the parameters to use for additional data protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the root key. The seal configuration can also be set through environment variables, which will take precedence over the values in the configuration file. The environment variables are prefixed with VAULT_SEAL_ and followed by the seal type and the parameter name. For example, VAULT_SEAL_AWSKMS_REGION sets the region for the AWS KMS seal. References:  Seals - Configuration | Vault | HashiCorp Developer ,  Environment Variables | Vault | HashiCorp Developer

The vault kv put command writes the data to the given path in the K/V secrets engine. The command requires the mount path of the K/V secrets engine, the secret path, and the key-value pair to store. The mount path can be specified with the -mount flag or as part of the secret path. The key-value pair can be given as an argument or read from a file or stdin. The correct syntax for the command is:

vault kv put -mount=secret my-secrets/my-password 53cr3t

or

vault kv put secret/my-secrets my-password=53cr3t

The other options are incorrect because they use the deprecated vault kv write command, or they have the wrong order or format of the arguments.  References : https://developer.hashicorp.com/vault/docs/commands/kv/put 3 , https://developer.hashicorp.com/vault/docs/commands/kv 4

Not all storage backends support high availability mode for Vault. Only the storage backends that support locking can enable Vault to run in a multi-server mode where one server is active and the others are standby. Some examples of storage backends that support high availability mode are Consul, Integrated Storage, and ZooKeeper.  Some examples of storage backends that do not support high availability mode are Filesystem, MySQL, and PostgreSQL.  References: https://developer.hashicorp.com/vault/docs/concepts/ha 1 , https://developer.hashicorp.com/vault/docs/configuration/storage 2

Vault secrets engines are not limited to simple static secret storage. HashiCorp defines secrets engines as components that can store, generate, or encrypt data. The KV secrets engine stores arbitrary static secrets, the Transit secrets engine performs cryptographic operations such as encryption and decryption, and the Identity secrets engine manages Vault entities, aliases, and identity-based policy associations. Therefore, all listed functions are valid examples of what Vault secrets engines can do. Option A is supported by Transit. Option B is supported by KV and Cubbyhole. Option C is supported by the Identity secrets engine, which internally maintains Vault client identities. Because the question asks broadly about secrets engines, the only complete answer is “All of the above.”

================

The vault lease renew command increments the lease time from the current time, not the end of the lease. This means that the user can request a specific amount of time they want remaining on the lease, termed the increment. This is not an increment at the end of the current TTL; it is an increment from the current time. For example, vault lease renew -increment=3600 my-lease-id would request that the TTL of the lease be adjusted to 1 hour (3600 seconds) from now. Having the increment be rooted at the current time instead of the end of the lease makes it easy for users to reduce the length of leases if they don’t actually need credentials for the full possible lease period, allowing those credentials to expire sooner and resources to be cleaned up earlier. The requested increment is completely advisory.  The backend in charge of the secret can choose to completely ignore it 1 .  References :

Lease, Renew, and Revoke | Vault | HashiCorp Developer