Question 1

As a best practice, the root token should be stored in which of the following ways?

• A. Should be revoked and never stored after initial setup
• B. Should be stored in configuration automation tooling
• C. Should be stored in another password safe
• D. Should be stored in Vault

Question 2

Which Vault secret engine may be used to build your own internal certificate authority?

• A. Transit
• B. PKI
• C. PostgreSQL
• D. Generic

Question 3

Which statement describes the results of this command: $ vault secrets enable transit?

• A. Enables the transit secrets engine at transit path
• B. Requires a root token to execute the command successfully
• C. Enables the transit secrets engine at secret path
• D. Fails due to missing -path parameter
• E. Fails because the transit secrets engine is enabled by default

Question 4

How would you describe the value of using the Vault transit secrets engine?

• A. Vault has an API that can be programmatically consumed by applications
• B. The transit secrets engine ensures encryption in-transit and at-rest is enforced enterprise wide
• C. Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault
• D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

Question 5

Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?

• A. generate-password | vault kv put secret/password value=-
• B. vault kv put secret/password value=itsasecret
• C. vault kv put secret/password [emailprotected]
• D. vault kv put secret/password value=$SECRET_VALUE

Question 6

Which of the following statements describe the CLI command below?
$ vault login -method=ldap username=mitchellh

• A. Generates a token which is response wrapped
• B. You will be prompted to enter the password
• C. By default, the generated token is valid for 24 hours
• D. Fails because the password is not provided

Question 7

You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?

• A. A data key encrypts the blob locally, and the same key decrypts the blob locally.
• B. To process such a large blob. Vault will temporarily store it in the storage backend.
• C. Vault will store the blob permanently. Be sure to run Vault on a compute optimized machine.
• D. The transit engine is not a good solution for binaries of this size.

Question 8

What is a benefit of response wrapping?

• A. Log every use of a secret
• B. Load balance secret generation across a Vault cluster
• C. Provide error recovery to a secret so it is not corrupted in transit
• D. Ensure that only a single party can ever unwrap the token and see whats inside

Question 9

Which of the following vault lease operations uses a lease_id as an argument? (Choose two.)

• A. renew
• B. revoke -prefix
• C. create
• D. describe
• E. revoke

Question 10

HOTSPOT Where do you define the Namespace to log into using the Vault UI?

To answer this question Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the Answer button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.