Get HashiCorp HCVA0-003 Exam Practice Questions - Real and Updated

Answer : B

Comprehensive and Detailed in Depth

The statement is False. Setting the minimum decryption version does not remove older key versions. The HashiCorp Vault documentation states: 'Key versions that are earlier than a key's specified min_decryption_version get archived, and the rest of the key versions belong to the working set. In an emergency, the min_decryption_version can be moved back to allow for legitimate decryption.' Older versions remain available for decryption if needed.

The docs add: 'Archiving a key version does not delete it; it simply marks it as outside the active working set, but Vault retains it for potential use.' Thus, older versions are not removed, making B correct.

HashiCorp Vault Documentation - Transit Secrets Engine: Working Set Management

Answer : B

Comprehensive and Detailed In-Depth

The Vault Transit secrets engine returns decrypted data in base64-encoded format:

B . The output is base64 encoded: 'All plaintext data must be base64-encoded before being encrypted by Vault. As a result, decrypted data is always base64 encoded.' Users must decode it (e.g., using base64 -d) to see cleartext.

Incorrect Options:

A . Permission Issue: Permissions would cause an error, not encoded output. 'Not because the user lacks permission.'

C . Wrapped Token: The output is plaintext, not a token. 'Not a response wrapped token.'

D . Original Encryption: Irrelevant; the issue is encoding, not encryption state.

This encoding ensures safe transmission of binary data.

Answer : D

Comprehensive and Detailed in Depth

The Database secrets engine generates dynamic credentials for database access. The endpoint database/creds/<role> (e.g., read_only_role) provides these credentials via a read operation. Let's analyze:

Option A: capabilities = ['generate']

There's no generate capability in Vault policies. Capabilities are create, read, update, delete, list, etc. This is invalid. Incorrect.

Option B: capabilities = ['update']

update (PUT) modifies existing data, not generates credentials. The creds endpoint uses GET. Incorrect.

Option C: capabilities = ['list']

list retrieves metadata or paths, not credential data. Incorrect.

Option D: capabilities = ['read']

Generating dynamic credentials involves a GET request to database/creds/<role>, mapped to the read capability. This policy allows it. Correct.

Detailed Mechanics:

For a role read_only_role defined with vault write database/roles/read_only_role db_name=my-db creation_statements='CREATE USER...', a user with read on database/creds/read_only_role can run vault read database/creds/read_only_role to get temporary credentials. Vault's policy system aligns HTTP verbs to capabilities: GET = read, PUT = update. This counterintuitive mapping (GET for creation) is specific to dynamic secrets.

Overall Explanation from Vault Docs:

''Generating database credentials requires read capability on database/creds/<role>... Despite creating credentials, the HTTP request is a GET.''

Answer : A

The statement is true. When an auth method is disabled, all users authenticated via that method lose access. This is because the tokens issued by the auth method are automatically revoked when the auth method is disabled. This prevents the users from performing any operation in Vault using the revoked tokens. To regain access, the users have to authenticate again using a different auth method that is enabled and has the appropriate policies attached.Reference:Auth Methods | Vault | HashiCorp Developer,auth disable - Command | Vault | HashiCorp Developer

Answer : C

Comprehensive and Detailed in Depth

The Transit secrets engine focuses on cryptographic operations, not storage. The HashiCorp Vault documentation states: 'The transit secrets engine handles cryptographic functions on data in-transit. Vault doesn't store the data sent to the secrets engine. It can also be viewed as 'cryptography as a service' or 'encryption as a service'. The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.'

It emphasizes: 'Vault does not store the data sent to the secrets engine,' making store the encrypted data (C) incorrect. Generate hashes/HMACs (A), sign/verify (B), and random bytes (D) are all supported functions. Thus, C is correct.

HashiCorp Vault Documentation - Transit Secrets Engine