Exam Vault Associate 002
Question 46

A web application uses Vault’s transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit, which of the following statements are true? (Choose two.)

    Correct Answer: B, C

    Using Vault's transit secrets engine, the correct approach includes rotating the encryption keys and moving the min_decryption_version forward to ensure intercepted data cannot be decrypted by an attacker with access to old keys. Additionally, if an attacker intercepts the data in transit, they would only capture encrypted bits, assuming TLS is used, preventing them from interpreting the data.
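The explanation above turns on an ordering detail worth seeing run: rotating a transit key alone leaves every older version in the ring, so anything encrypted under them stays decryptable until `min_decryption_version` is raised, and `rewrap` must happen before that floor moves. The class below is an added, constructed model of a transit key ring (not HashiCorp's code and not from the exam page); its method names are assumptions, and an HMAC-SHA256 keystream stands in for the AES-256-GCM the real engine uses so it runs with the standard library only.

```python
import base64, hashlib, hmac, secrets

class TransitKeyModel:
    # Constructed model of a transit key ring: versioned keys, rotate, min_decryption_version,
    # rewrap. Real transit uses AES-256-GCM; this stdlib-only stand-in uses an HMAC keystream.
    def __init__(self):
        self.versions = {1: secrets.token_bytes(32)}
        self.latest_version = 1
        self.min_decryption_version = 1
    def rotate(self):
        # like `vault write -f transit/keys/<name>/rotate`: new version for new writes,
        # old versions stay in the ring and remain usable for decryption
        self.latest_version += 1
        self.versions[self.latest_version] = secrets.token_bytes(32)
    def _keystream_xor(self, key, nonce, data):
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)
    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(12)
        ct = self._keystream_xor(self.versions[self.latest_version], nonce, plaintext)
        # transit ciphertext carries the key version that produced it: "vault:v<N>:<base64>"
        return f"vault:v{self.latest_version}:" + base64.b64encode(nonce + ct).decode()
    def decrypt(self, ciphertext):
        _, ver, blob = ciphertext.split(":", 2)
        version = int(ver[1:])
        if version < self.min_decryption_version:
            raise PermissionError(f"v{version} is below min_decryption_version")
        raw = base64.b64decode(blob)
        return self._keystream_xor(self.versions[version], raw[:12], raw[12:])
    def rewrap(self, ciphertext):
        # decrypts (still gated by min_decryption_version) then re-encrypts under the
        # latest version, so rewrap existing ciphertexts before raising the floor
        return self.encrypt(self.decrypt(ciphertext))

def rotation_walkthrough():
    # returns (v1 readable after rotate alone, v1 blocked after floor raised, rewrapped v2 ok)
    key, secret = TransitKeyModel(), b"pan=4111111111111111"  # constructed sample record
    ct_v1 = key.encrypt(secret)
    key.rotate()
    readable_after_rotate = key.decrypt(ct_v1) == secret  # rotation alone does not retire v1
    ct_v2 = key.rewrap(ct_v1)
    key.min_decryption_version = 2  # like `vault write transit/keys/<name>/config min_decryption_version=2`
    try:
        key.decrypt(ct_v1)
        blocked = False
    except PermissionError:
        blocked = True
    return readable_after_rotate, blocked, key.decrypt(ct_v2) == secret
```

In the real engine the older versions also remain in the keyring until `min_available_version` is raised, so raising `min_decryption_version` is what denies decryption of captured ciphertext, not the rotation itself.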

Discussion
Mark1000 (Options: BC)

B (first) and C
B (first): https://developer.hashicorp.com/vault/docs/secrets/transit
C: https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit

agueda (Options: BC)

B (first) and C
A > if you just rotate the encryption key, the attacker could use a previous version of the key to decrypt (if he had access to the keyring)
B (second) > Sealing the Vault doesn't make sense. If the attacker has the decryption key also, sealing the Vault wouldn't make a difference. The right approach is to rotate the key and move forward the min_decryption_version

nginx_aws

B and D

3fac4ef (Options: BC)

B and C
https://developer.hashicorp.com/vault/api-docs/secret/transit#min_decryption_version