Question 14 - Vault Associate 002 discussion

You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?

A. A data key encrypts the blob locally, and the same key decrypts the blob locally.
B. To process such a large blob, Vault will temporarily store it in the storage backend.
C. Vault will store the blob permanently. Be sure to run Vault on a compute-optimized machine.
D. The transit engine is not a good solution for binaries of this size.
Suggested answer: D

Explanation:

The transit secrets engine is not a good solution for binaries of this size because it is designed to perform cryptographic functions on data in transit, not data at rest. The transit secrets engine does not store any data sent to it, so the entire 2GB blob would have to be sent to Vault for encryption or decryption, which would be inefficient and impractical. A better solution is to use the transit secrets engine to generate a data key, a high-entropy key that can be used to encrypt or decrypt data locally. The data key can be returned in plaintext or wrapped by another key, depending on the use case. This way, the transit secrets engine only handles the encryption or decryption of the data key, not the data itself, and the data can be stored in any primary data store.

Reference: Transit - Secrets Engines | Vault | HashiCorp Developer; Encryption as a service: transit secrets engine | Vault | HashiCorp Developer
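The data key pattern described in the explanation, as an added example that is not part of the original page or of HashiCorp's code. `fakeTransit` is a hypothetical local stand-in for the transit engine (all function names are assumptions); in real use its two methods would be requests to Vault, and it counts the bytes a client uploads so the cost is visible.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// seal returns nonce || ciphertext || tag under AES-256-GCM.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// open reverses seal and throws if the key is wrong or the data was modified.
function open(key, sealed) {
  if (sealed.length < 28) throw new Error('sealed value too short');
  const d = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(sealed.length - 16));
  const body = sealed.subarray(12, sealed.length - 16);
  return Buffer.concat([d.update(body), d.final()]);
}

// Local stand-in for the transit engine (an assumption of this example). The
// wrapping key stays inside it; bytesReceived counts what clients upload.
function fakeTransit() {
  const kek = randomBytes(32);
  return {
    bytesReceived: 0,
    // Models a data key request: plaintext key for local use, wrapped copy to store.
    dataKey() {
      const plaintext = randomBytes(32);
      return { plaintext, wrapped: seal(kek, plaintext) };
    },
    // Models a decrypt request for a stored wrapped key.
    decrypt(wrapped) {
      this.bytesReceived += wrapped.length;
      return open(kek, wrapped);
    },
  };
}

// Encrypt locally; persist only the wrapped key and the ciphertext.
function encryptBlob(transit, blob) {
  const { plaintext: dek, wrapped } = transit.dataKey();
  return { wrapped, ciphertext: seal(dek, blob) };
}

// Unwrap the data key through the engine, then decrypt locally.
function decryptBlob(transit, { wrapped, ciphertext }) {
  return open(transit.decrypt(wrapped), ciphertext);
}
```

A blob of the size in the question would be fed through the cipher as a stream rather than held in one Buffer; the key handling is unchanged.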

asked 18/09/2024
Robert McConnell