Hashicorp Vault Associate COPY Flashcards

Question 1

Q

_________is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The _______ is configured when starting the Vault server.

Answer

A

storage backend

Question 2

Q

_____is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be “unsealed” before anything inside can be accessed.

Question 3

Q

_____is responsible for managing secrets. Simple secrets engines like the “kv” ________ simply return the same secret when queried. Some _______ support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL _______ could be configured with a “web” policy. When the “web” secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.

Answer

A

secrets engine

Question 4

Q

_____is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured ______. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.

Answer

A

audit device

Question 5

Q

______is used to authenticate users or applications which are connecting to Vault. Once authenticated, the _______returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass _______ uses a username and password to authenticate the user. Alternatively, the github ______allows users to authenticate via GitHub.

Answer

A

auth method

Question 6

Q

______is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a ______ which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.

Answer

A

client token

Question 7

Q

_____is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a ___, for example system configuration, status information, or policies are not considered _____. _____always have an associated lease. This means clients cannot assume that the _____ contents can be used indefinitely. Vault will revoke a _____ at the end of the lease, and an operator may intervene to revoke the _____ before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.

Question 8

Q

Vault depends on a long-running instance which operates as a _____. The Vault _____ provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a _____ based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.

Question 9

Q

Vault Telemetries

[c] = _____

[g] = _____

[s] = _____

Answer

A

counter

guage

summary

Question 10

Q

How do you start a vault server in dev mode?

Answer

A

vault server -dev

Question 11

Q

dev mode stores data in memory

T or F

Question 12

Q

Do you need to unseal a dev server?

Answer

A

No, it is unsealed automatically

Question 13

Q

What port does vault dev server use?

Question 14

Q

_____is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

Answer

A

unsealing

Question 15

Q

What is the CLI command to unseal vault?

Answer

A

vault operator unseal

Question 16

Q

True or False

Once a Vault is unsealed, it remains unsealed until one of two things happens:

It is resealed via the API (see below).

Vault automatically seals every patch Tuesday.

Answer

A

False it seals when it is restarted.

Question 17

Q

When using the CLI, what does using the -target=recovery flag to vault operator rekey do?

Answer

A

rekeys recovery keys to change the number of shares or thresholds

Question 18

Q

What happens when a lease is expired?

Answer

A

Vault automatically revokes the lease. When a token is revoked, Vault will revoke all leases that were created using that token.

Question 19

Q

WHy are Lease IDs structured in a way that their prefix is always the path where the secret was requested from.

Answer

A

if there is an intrusion within a specific system: all secrets of a specific backend or a certain configured backend can be revoked quickly and easily.

Question 20

Q

To determine what variables are needed for an auth method, supply the ______ flag without any additional arguments and help will be shown.

Question 21

Q

As of Vault 1.0, there are two types of tokens: ____ tokens and _____ tokens.

Answer

A

service and batch

Question 22

Q

True or False

Root tokens can do anything

Question 23

Q

The system max TTL, which is__ days but can be changed in Vault’s configuration file.

Question 24

Q

When a periodic token is created via a token store role, the ____ value of the role’s period setting will be used at renewal time

Question 25

Q

A token with both a period and an explicit max TTL will act like a periodic token but will be revoked when the explicit max TTL is reached

T or F

Question 26

Q

If a root token has an expiration, it also is not affected by CIDR-binding.

T or F

Answer

A

False. Only root tokens with TTL of 0 are not affected by CIDR-binding

Question 27

Q

___ tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.

Question 28

Q

______ tokens are what users will generally think of as “normal” Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

Question 29

Q

T or F

Policies are allow by default, so an empty policy grants permission in the system.

Answer

A

False, Policies are deny by default

Question 30

Q

When using LDAP auth method, does vault store a copy fo the ldap database?

Question 31

Q

T or F

When providing list capability, it is important to note that since listing always operates on a prefix, policies must operate on a prefix because Vault will sanitize request paths to be prefixes. In other words, policy paths targeting list capability should end with a trailing slash:

Question 32

Q

Vault has two built-in policies:____and ____. This section describes the two builtin policies.

Answer

A

default and root

Question 33

Q

The _____ policy is a built-in Vault policy that cannot be removed. By default, it is attached to all tokens, but may be explicitly excluded at token creation time by supporting authentication methods.

Question 34

Q

This enviromment var holds the contents of the token

Answer

A

VAULT_TOKEN

Question 35

Q

This env var holds Address of the Vault server expressed as a URL and port,

Answer

A

VAULT_ADDR

Question 36

Q

This env var holds the Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server’s SSL certificate.

Answer

A

VAULT_CACERT

Question 37

Q

This env var sets the Path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server’s SSL certificate.

Answer

A

VAULT_CAPATH

Question 38

Q

This commands sets the vault namespace as an env var

Answer

A

VAULT_NAMESPACE

Question 39

Q

The ____ command tunes the configuration options for the auth method at the given PATH

Answer

A

auth tune

Question 40

Q

What does cas stand for?

-cas If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. The default is -1.

Answer

A

check and set

Question 41

Q

Once a Vault node is unsealed, it remains unsealed until one of these things happens:

It is resealed via the API.

The server is restarted.

Vault’s storage layer encounters an unrecoverable error.

T or F

Question 42

Q

_____ is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

Answer

A

unsealing

Question 43

Q

By default, Vault uses _____ Secret Sharing algorithm to split the master key into shards.

Answer

A

shamir’s

Question 44

Q

By enabling ____ wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.

Question 45

Q

A Vault _____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.

Question 46

Q

The path can have a wildcard (“*”) at the end to allow for any string in its place.

T or F

Question 47

Q

How would you add a wildcard for a single directory

Answer

A

use “+”

Question 48

Q

Map the capability to the associaated http verb

create delete

read post/put

update get

delete list

list post/put

Answer

A

create = post/put

read = get

update = post/put

delete = delete

list = list

Question 49

Q

The ____ capability takes precedence above all other capabilities. It also does not map to any HTTP verbs.

Question 50

Q

_____is a type of user empowered with managing a Vault infrastructure for a team or organizations.

Question 51

Q

Vault clients can be mapped as ____ and their corresponding accounts with authentication providers can be mapped as ____

Answer

A

entities

aliases

Question 52

Q

External groups can have ___ alias.

Question 53

Q

If you don’t explicitly specify, token’s default TTL is ___ days.

Question 54

Q

T or F

Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries.

Question 55

Q

Vault Agent will manage the lifecycle of cached tokens and leases automatically so that the clients do not need to implement a logic to renew the tokens and leases.

T or F

Question 56

Q

A Vault ____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.

Question 57

Q

The ____secrets engine enables security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted with AES-GCM with a 256-bit AES key or other supported key types. Even if an attacker were able to access the raw data, they would only have encrypted bits. This means attackers would need to compromise multiple systems before exfiltrating data.

Question 58

Q

By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the____ argument.

Question 59

Q

When you send data to Vault for encryption, it must be in the form of ____ plaintext for a safe transport.

Answer

A

base64-encoded

Question 60

Q

The kv secrets engine handles cryptographic functions on data-in-transit, and often referred to as Encryption as a Service (EaaS).

t or f

Answer

A

false, transit

Question 61

Q

T or F

key shards can automatically unseal vault upon the start of the vault service

Question 62

Q

Vault start vault service on port ____

Cluster to cluster communication is done over ____

____ is used for Consul Server RPC

____ is used for the Consul interface,

____ is used for Consul DNS

____ is used for its LAN gossip protocol

8300, 8500, 8200, 8301, 8600, 8201

Answer

A

By default, Vault starts the Vault service on port 8200. Cluster to cluster communication is done over 8201, 8300 is used for Consul Server RPC, 8500 is used for the Consul interface, 8600 is used for Consul DNS, and 8301 is used for its LAN gossip protocol

Question 63

Q

Can vault integrate with your code repo to pull secretes when deploying your apps?

Question 64

Q

_____can be used to do a ‘vault renew’ or a ‘vault revoke’ command to manage the lease of a secret

Answer 34

A

vault token renew

Answer 35

A

create, read, update, delete, list, deny, and sudo

Answer 36

A

vault write -f transit/keys/orders

Answer 37

A

vault secrets enable -path=encryption transit

Answer 38

A

vault write transit/encrypt/orders

Answer 39

A

it will encrypt a plaintext secret and save the resulting ciphertext in a file named cipher.txt

Answer 40

A

false. To rewrap the data, you don’t need to decrypt it. You can simply pass the ciphertext to the Vault. Vault will decrypt the value using the appropriate key in the keyring and then encrypted the resulting plaintext with the newest key in the keyring. Therefore, this operation does not reveal the plaintext data.

Answer 41

A

vault read sys/internal/counters/tokens

Note:

The sys/internal/counters/tokens API endpoint is introduced in Vault 1.3. To leverage this endpoint, you need Vault 1.3 or later

Answer 42

A

False

The service tokens are persisted; therefore, they can be renewed or revoked before reaching its time-to-live (TTL). On the other hand, batch tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, batch tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of service tokens.

Answer 43

A

help - prints usage for an auth method

list - lists enabled auth methods

tune - tunes an auth method configuration

disaable - disables an auth method

enable - enables an auth method

Answer 44

A

compress (bool: true) - Toggles whether to compress output package The default is true.
duration (int or time string: “2m”) - Duration to run the command. The default is 2m0s.
interval (int or time string: “30s”) - The polling interval at which to collect profiling data and server state. The default is 30s.
metrics-interval (int or time string: “10s”) - The polling interval at which to collect metrics data. The default is 10s.
output (string) - Specifies the output path for the debug package. Defaults to an time-based generated file name.
target (string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.

Answer 45

A

Subcommands: delete Deletes versions in the KV store

destroy Permanently removes one or more versions in the KV store

enable-versioning Turns on versioning for a KV store

get Retrieves data from the KV store

list List data or secrets

metadata Interact with Vault’s Key-Value storage

patch Sets or updates data in the KV store without overwriting

put Sets or updates data in the KV store

rollback Rolls back to a previous version of data

undelete Undeletes versions in the KV store

Answer 46

A

Subcommands:

renew Renews the lease of a secret

revoke Revokes leases and secrets

Answer 47

A

Subcommands: generate-root Generates a new root token

init Initializes a server

key-status Provides information about the active encryption key

rekey Generates new unseal keys

rotate Rotates the underlying encryption key

seal Seals the Vault server

step-down Forces Vault to resign active duty

unseal Unseals the Vault server

Answer 48

A

capabilities Print capabilities of a token on a path

create Create a new token

lookup Display information about a token

renew Renew a token lease

revoke Revoke a token and its children

Answer 49

A

audit-hash

Answer 50

A

capabilities

Answer 51

A

capabilities-accessor

Answer 52

A

capabilities-self

Answer 53

A

control-group

Answer 54

A

control-group

Answer 55

A

generate-root

Answer 56

A

host-info

Answer 57

A

specs/openapi

Answer 58

A

ui/mounts

Answer 59

A

key-status

Answer 60

A

namespaces

Answer 61

A

reload/backend

Answer 62

A

rekey-recovery-key

Answer 63

A

seal-status

Answer 64

A

sealwrap/rewrap

Answer 65

A

step-down

Answer 66

A

seal-unseal

Answer 67

A

Look up a token’s properties (not including the actual token ID)

Look up a token’s capabilities on a path

Renew the token

Revoke the token

Answer 68

A

auth/token/accessors

Answer 69

A

False

To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary

Answer 70

A

open source__enterprise

dynamic secrets - disaster recovery

acl templates. - namespaces

init & unseal workflow. - replication

vault agent. - read replicas

key rolling. - HSM auto-unseal

access control policies. - mfa

encryption as service. - sentinel

aws,azure, and gcp auto unseal. - fips I40-2&seal wraap

Answer 71

A

storaage backend

listener ports

tls cert

seal type

cluster name

log level

ui

cluster ip and port

Answer 72

A

none of them are configured in config file

Answer 73

A

It does not replicate tokens

Answer 74

A

By typing vault token orpahn into the cli

Answer 75

A

auth/token/accessors

Answer 76

A

True

path “secret/foo/” { capabilities = [“list”] }

Answer 77

A

lists all registered policies in vault

Brainscape's Knowledge GenomeTM

Hashicorp Vault Associate COPY Flashcards

Brainscape's Knowledge Genome^TM