Hashicorp Vault Associate Flashcards
_________is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The _______ is configured when starting the Vault server.
storage backend
_____is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be “unsealed” before anything inside can be accessed.
barrier
_____is responsible for managing secrets. Simple secrets engines like the “kv” ________ simply return the same secret when queried. Some _______ support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL _______ could be configured with a “web” policy. When the “web” secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.
secrets engine
_____is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured ______. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.
audit device
______ is used to authenticate users or applications which are connecting to Vault. Once authenticated, the _______ returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass _______ uses a username and password to authenticate the user. Alternatively, the github ______ allows users to authenticate via GitHub.
auth method
______is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a ______ which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.
client token
_____is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a ___, for example system configuration, status information, or policies are not considered _____. _____always have an associated lease. This means clients cannot assume that the _____ contents can be used indefinitely. Vault will revoke a _____ at the end of the lease, and an operator may intervene to revoke the _____ before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.
secret
Vault depends on a long-running instance which operates as a _____. The Vault _____ provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a _____ based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.
server
Vault Telemetries
[c] = _____
[g] = _____
[s] = _____
counter
gauge
summary
How do you start a vault server in dev mode?
vault server -dev
dev mode stores data in memory
T or F
True
Do you need to unseal a dev server?
No, it is unsealed automatically
What port does vault dev server use?
8200
_____is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
unsealing
What is the CLI command to unseal vault?
vault operator unseal
True or False
Once a Vault is unsealed, it remains unsealed until one of two things happens:
It is resealed via the API (see below).
Vault automatically seals every patch Tuesday.
False. The second condition is a restart of the server (Vault also seals itself if its storage layer hits an unrecoverable error).
When using the CLI, what does using the -target=recovery flag to vault operator rekey do?
rekeys recovery keys to change the number of shares or thresholds
What happens when a lease is expired?
Vault automatically revokes the lease. When a token is revoked, Vault will revoke all leases that were created using that token.
Why are lease IDs structured so that their prefix is always the path the secret was requested from?
If a specific system is compromised, every secret issued by a specific backend (or by a particular path under it) can be revoked quickly and easily with a single prefix revocation (vault lease revoke -prefix <path>).
To determine what variables are needed for an auth method, supply the ______ flag without any additional arguments and help will be shown.
-method
As of Vault 1.0, there are two types of tokens: ____ tokens and _____ tokens.
service and batch
True or False
Root tokens can do anything
True
The system max TTL is __ days (768 hours) by default, but can be changed in Vault’s configuration file.
32
When a periodic token is created via a token store role, the ____ value of the role’s period setting will be used at renewal time
current
A token with both a period and an explicit max TTL will act like a periodic token but will be revoked when the explicit max TTL is reached
T or F
T
If a root token has an expiration, it also is not affected by CIDR-binding.
T or F
False. Only root tokens with a TTL of 0 (no expiration) are exempt from CIDR binding; a root token with an expiration is subject to it.
___ tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.
batch
______ tokens are what users will generally think of as “normal” Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.
Service
T or F
Policies are allow by default, so an empty policy grants permission in the system.
False. Policies are deny by default, so an empty policy grants no permissions.
When using the LDAP auth method, does Vault store a copy of the LDAP database?
Nope
T or F
When providing list capability, it is important to note that since listing always operates on a prefix, policies must operate on a prefix because Vault will sanitize request paths to be prefixes. In other words, policy paths targeting list capability should end with a trailing slash:
T
Vault has two built-in policies:____and ____. This section describes the two builtin policies.
default and root
The _____ policy is a built-in Vault policy that cannot be removed. By default, it is attached to all tokens, but may be explicitly excluded at token creation time by supporting authentication methods.
default
This environment variable holds the Vault token used to authenticate requests
VAULT_TOKEN
This env var holds the address of the Vault server, expressed as a URL and port
VAULT_ADDR
This env var holds the Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server’s SSL certificate.
VAULT_CACERT
This env var sets the Path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server’s SSL certificate.
VAULT_CAPATH
This env var sets the Vault namespace for CLI requests
VAULT_NAMESPACE
The ____ command tunes the configuration options for the auth method at the given PATH
auth tune
What does cas stand for?
-cas: If not set, the write is allowed. If set to 0, a write is only allowed if the key doesn’t exist yet. If the value is non-zero, the write is only allowed if the key’s current version matches the version given in the cas parameter. The default is -1 (not set).
check and set
Once a Vault node is unsealed, it remains unsealed until one of these things happens:
It is resealed via the API.
The server is restarted.
Vault’s storage layer encounters an unrecoverable error.
T or F
T
By default, Vault uses _____ Secret Sharing algorithm to split the master key into shards.
shamir’s
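How the unseal process works end to end, as an added worked example (this is not Vault’s own code): a byte-wise Shamir split over GF(2^8), the same field Vault’s shamir package uses, plus a toy barrier that accepts one key share per call and only opens once a threshold of distinct shares rebuilds the root key. Share count, threshold and the sample key are constructed for the demo; the real barrier checks a reconstructed key by decrypting the stored keyring, which the toy approximates with a SHA-256 check value.

```python
import hashlib
import secrets

# GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1, generator 3; log/exp tables for fast multiply
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x ^= (_x << 1) ^ (0x11B if _x & 0x80 else 0)  # multiply by 3 (== x*2 xor x)
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


def split(secret: bytes, shares: int, threshold: int) -> list[tuple[int, bytes]]:
    """Each byte gets its own random degree-(threshold-1) polynomial; share i is (x_i, y bytes)."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # x = 0 holds the secret itself, so it is never a share point
    ys = [bytearray() for _ in xs]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, x in enumerate(xs):
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                acc = gf_mul(acc, x) ^ c
            ys[i].append(acc)
    return [(x, bytes(y)) for x, y in zip(xs, ys)]


def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte at x = 0. Too few shares yield garbage, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_div(num, den))
        out.append(acc)
    return bytes(out)


class Barrier:
    """Toy seal: unseal() takes one share per call and opens only when `threshold` distinct shares rebuild the key."""

    def __init__(self, root_key: bytes, shares: int = 5, threshold: int = 3):
        self.threshold = threshold
        self._check = hashlib.sha256(root_key).digest()  # stand-in for decrypting the encrypted keyring
        self.key_shares = split(root_key, shares, threshold)  # handed to operators; Vault never stores them
        self.sealed = True
        self._progress: list[tuple[int, bytes]] = []

    def unseal(self, share: tuple[int, bytes]) -> bool:
        if not self.sealed:
            return True
        if share not in self._progress:
            self._progress.append(share)
        if len(self._progress) < self.threshold:
            return False  # progress recorded, still sealed
        candidate = combine(self._progress)
        self._progress = []  # progress resets after every attempt, right or wrong
        if hashlib.sha256(candidate).digest() != self._check:
            return False
        self.sealed = False
        return True

    def seal(self) -> None:
        """What a restart or `vault operator seal` does: the root key is forgotten, shares are needed again."""
        self.sealed = True
        self._progress = []
```

Feeding the same share twice does not advance the unseal count, and two shares of a 3-of-5 split reconstruct nonsense rather than a partial key, which is why shards can be handed to separate people and why nothing short of the threshold can auto-unseal a restarted server.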
By enabling ____ wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.
seal
A Vault _____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.
cluster
The path can have a wildcard (“*”) at the end to allow for any string in its place.
T or F
True
How would you add a wildcard that matches exactly one path segment (a single directory level)?
use “+”
Map each capability to its associated HTTP verb:
capabilities: create, read, update, delete, list
verbs: delete, post/put, get, list, post/put
create = post/put
read = get
update = post/put
delete = delete
list = list
The ____ capability takes precedence above all other capabilities. It also does not map to any HTTP verbs.
deny
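The policy rules above (deny by default, `*` only at the end of a path, `+` for a single segment, list on a trailing-slash prefix, deny overriding everything, HTTP verb to capability) as an added worked example in Python. This is not Vault’s own ACL code; it reproduces the documented rules, and the two sample policies plus the tie-break order for overlapping wildcard paths (later first wildcard wins, then no trailing glob, then fewer `+`, then longer path) are constructed for the demo.

```python
import re

# Capability each HTTP verb needs; POST/PUT need create for a new key and update for an existing one
VERB_TO_CAP = {"GET": "read", "DELETE": "delete", "LIST": "list"}


def _to_regex(pattern: str) -> re.Pattern:
    """'+' matches exactly one path segment; a trailing '*' matches anything after it; all else is literal."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = re.split(r"(\+)", body)
    rx = "".join("[^/]+" if p == "+" else re.escape(p) for p in parts)
    return re.compile("^" + rx + (".*" if glob else "") + "$")


def _priority(pattern: str):
    """Most-specific-wins ordering: later first wildcard, no trailing glob, fewer '+', longer pattern."""
    wild = [i for i, c in enumerate(pattern) if c in "+*"]
    first_wild = wild[0] if wild else len(pattern)
    return (first_wild, not pattern.endswith("*"), -pattern.count("+"), len(pattern))


class ACL:
    def __init__(self, policies: dict[str, list[tuple[str, list[str]]]]):
        merged: dict[str, set[str]] = {}
        for rules in policies.values():  # rules for the same path from different policies are merged
            for path, caps in rules:
                merged.setdefault(path, set()).update(caps)
        self._rules = [(p, _to_regex(p), caps) for p, caps in merged.items()]

    def capabilities(self, path: str) -> set[str]:
        hits = [(p, caps) for p, rx, caps in self._rules if rx.match(path)]
        if not hits:
            return {"deny"}  # deny by default: no matching rule means no access at all
        pattern, caps = max(hits, key=lambda h: (h[0] == path, _priority(h[0])))
        return {"deny"} if "deny" in caps else set(caps)  # deny takes precedence over every other capability

    def allowed(self, verb: str, path: str, exists: bool = True) -> bool:
        if verb == "LIST":
            path = path if path.endswith("/") else path + "/"  # Vault sanitizes list requests to a prefix
            need = "list"
        elif verb in ("POST", "PUT"):
            need = "update" if exists else "create"
        else:
            need = VERB_TO_CAP[verb]
        return need in self.capabilities(path)


# Constructed sample policies; in HCL the first rule would read: path "secret/data/web/*" { capabilities = ["read", "list"] }
WEB_POLICY = [
    ("secret/data/web/*", ["read", "list"]),
    ("secret/data/web/admin/*", ["deny"]),  # more specific than the glob above, so it wins for admin/
    ("secret/metadata/web/", ["list"]),     # trailing slash: list operates on a prefix
    ("secret/data/+/shared", ["read"]),     # '+' = exactly one segment, any team name
]
OPS_POLICY = [
    ("secret/data/web/*", ["create", "update"]),
]


def web_only() -> ACL:
    return ACL({"web": WEB_POLICY})


def web_and_ops() -> ACL:
    return ACL({"web": WEB_POLICY, "ops": OPS_POLICY})


if __name__ == "__main__":
    acl = web_and_ops()
    for verb, path, exists in [("GET", "secret/data/web/db", True),
                               ("GET", "secret/data/web/admin/key", True),
                               ("LIST", "secret/metadata/web", True),
                               ("GET", "secret/data/team-a/shared", True),
                               ("PUT", "secret/data/web/new", False),
                               ("GET", "secret/data/other/x", True)]:
        verdict = "allow" if acl.allowed(verb, path, exists) else "deny"
        print(f"{verb:6} {path:30} -> {verdict}")
```

Note the `kv list secret/web` case: the CLI hits secret/metadata/web/, so a policy written as secret/metadata/web (no slash) would never match.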
_____is a type of user empowered with managing a Vault infrastructure for a team or organizations.
admin
Vault clients can be mapped as ____ and their corresponding accounts with authentication providers can be mapped as ____
entities
aliases
External groups can have ___ alias.
one
If you don’t explicitly specify, token’s default TTL is ___ days.
32
T or F
Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries.
True
Vault Agent will manage the lifecycle of cached tokens and leases automatically so that the clients do not need to implement a logic to renew the tokens and leases.
T or F
true
The ____secrets engine enables security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted with AES-GCM with a 256-bit AES key or other supported key types. Even if an attacker were able to access the raw data, they would only have encrypted bits. This means attackers would need to compromise multiple systems before exfiltrating data.
transit
By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the____ argument.
-path
When you send data to Vault for encryption, it must be in the form of ____ plaintext for a safe transport.
base64-encoded
The kv secrets engine handles cryptographic functions on data in transit and is often referred to as Encryption as a Service (EaaS).
t or f
False. That describes the transit secrets engine; kv only stores secrets.
T or F
key shards can automatically unseal vault upon the start of the vault service
False
Vault starts its service on port ____
Cluster to cluster communication is done over ____
____ is used for Consul Server RPC
____ is used for the Consul interface,
____ is used for Consul DNS
____ is used for its LAN gossip protocol
8300, 8500, 8200, 8301, 8600, 8201
By default, Vault starts the Vault service on port 8200. Cluster to cluster communication is done over 8201, 8300 is used for Consul Server RPC, 8500 is used for the Consul interface, 8600 is used for Consul DNS, and 8301 is used for its LAN gossip protocol
Can Vault integrate with your code repo to pull secrets when deploying your apps?
Nope
The _____ of a secret is what you pass to ‘vault lease renew’ or ‘vault lease revoke’ to manage its lease
lease_id
what command renews a Vault token?
vault token renew
name all of the permissions that can be applied to a path in vault
create, read, update, delete, list, deny, and sudo
T or F
To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary
true
what CLI command would you use to create an encryption keyring named “orders”
vault write -f transit/keys/orders
By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the -path argument.
give an example of this command using the path: encryption
vault secrets enable -path=encryption transit
Once the transit secrets engine has been configured, any client with a valid token and the proper permissions can send data to encrypt.
To encrypt your secret, use the transit/encrypt endpoint. use “orders” as the key name.
give an example of the command
vault write transit/encrypt/orders
vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") | jq -r ".data.ciphertext" > cipher.txt
What is the above command doing?
it will encrypt a plaintext secret and save the resulting ciphertext in a file named cipher.txt
You can upgrade already-encrypted data with a new key by invoking the transit/____ endpoint.
rewrap
To rewrap the data, you first need to decrypt it yourself.
T or F
False. You do not decrypt it; you pass the ciphertext to Vault, which decrypts it with the key version named in the ciphertext and re-encrypts the plaintext with the newest key in the keyring. The plaintext is never returned to the caller.
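The keyring and rewrap contract just described, as an added worked example (not Vault’s code): a versioned key that produces ciphertexts in transit’s real `vault:vN:<base64>` format, rotates by adding a version, rewraps without handing the plaintext back, and honours min_decryption_version (a real transit key setting, used after rewrapping to retire old ciphertexts). The cipher underneath is a constructed HMAC-SHA256 keystream with an HMAC tag, a stand-in for the AES-256-GCM transit actually uses; the sample plaintext is the page’s “credit-card-number”.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample plaintext, base64 encoded as transit requires
PLAINTEXT_B64 = base64.b64encode(b"credit-card-number").decode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (keystream XOR + 128-bit HMAC tag). Stand-in for AES-256-GCM only."""
    nonce = secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def parse_ciphertext(ciphertext: str) -> tuple[int, bytes]:
    """Split 'vault:v<N>:<base64>' into the key version it was encrypted under and the raw blob."""
    prefix, version, b64 = ciphertext.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a transit ciphertext")
    return int(version[1:]), base64.b64decode(b64)


def format_ciphertext(version: int, blob: bytes) -> str:
    return f"vault:v{version}:" + base64.b64encode(blob).decode()


class TransitKey:
    """One keyring as in transit/keys/<name>: every rotation adds a version, nothing is overwritten."""

    def __init__(self, name: str):
        self.name = name
        self.versions = {1: secrets.token_bytes(32)}
        self.latest = 1
        self.min_decryption_version = 1  # raise after rewrapping so old ciphertexts stop decrypting

    def rotate(self) -> int:
        self.latest += 1
        self.versions[self.latest] = secrets.token_bytes(32)
        return self.latest

    def encrypt(self, plaintext_b64: str) -> str:
        plaintext = base64.b64decode(plaintext_b64)  # transit only accepts base64 plaintext
        return format_ciphertext(self.latest, _seal(self.versions[self.latest], plaintext))

    def _decrypt_raw(self, ciphertext: str) -> bytes:
        version, blob = parse_ciphertext(ciphertext)
        if version < self.min_decryption_version:
            raise ValueError(f"v{version} is below min_decryption_version={self.min_decryption_version}")
        return _open(self.versions[version], blob)

    def decrypt(self, ciphertext: str) -> str:
        return base64.b64encode(self._decrypt_raw(ciphertext)).decode()

    def rewrap(self, ciphertext: str) -> str:
        """Decrypt under the version named in the ciphertext, re-encrypt under the latest key.
        The plaintext exists only inside this method; the caller never sees it."""
        return format_ciphertext(self.latest, _seal(self.versions[self.latest], self._decrypt_raw(ciphertext)))
```

The usual rotation runbook follows from this: rotate, rewrap every stored ciphertext (the output still starts with vault:v2:), then raise min_decryption_version so anything that escaped the rewrap sweep can no longer be decrypted.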
what command would you use to find out how many service tokens exist on the Vault server or cluster?
vault read sys/internal/counters/tokens
Note:
The sys/internal/counters/tokens API endpoint is introduced in Vault 1.3. To leverage this endpoint, you need Vault 1.3 or later
The batch tokens are persisted; therefore, they can be renewed or revoked before reaching their time-to-live (TTL). On the other hand, service tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, service tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of batch tokens.
T or F
False
The service tokens are persisted; therefore, they can be renewed or revoked before reaching their time-to-live (TTL). On the other hand, batch tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, batch tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of service tokens.
match the vault auth subcommands with their description:
disable
enable
help
list
tune
prints usage for an auth method
lists enabled auth methods
tunes an auth method configuration
disables an auth method
enables an auth method
help - prints usage for an auth method
list - lists enabled auth methods
tune - tunes an auth method configuration
disable - disables an auth method
enable - enables an auth method
match the vault debug flags to their descriptions
compress, target, output, duration, interval, metrics-interval
(bool: true) - Toggles whether to compress the output package. The default is true.
(int or time string: “2m”) - Duration to run the command. The default is 2m0s.
(int or time string: “30s”) - The polling interval at which to collect profiling data and server state. The default is 30s.
(int or time string: “10s”) - The polling interval at which to collect metrics data. The default is 10s.
(string) - Specifies the output path for the debug package. Defaults to a time-based generated file name.
(string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.
- compress (bool: true) - Toggles whether to compress the output package. The default is true.
- duration (int or time string: “2m”) - Duration to run the command. The default is 2m0s.
- interval (int or time string: “30s”) - The polling interval at which to collect profiling data and server state. The default is 30s.
- metrics-interval (int or time string: “10s”) - The polling interval at which to collect metrics data. The default is 10s.
- output (string) - Specifies the output path for the debug package. Defaults to a time-based generated file name.
- target (string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.
match the KV Subcommands to their descriptions:
put, metadata, get, delete, destroy, undelete, rollback, list, enable-versioning, patch
Deletes versions in the KV store
Permanently removes one or more versions in the KV store
Turns on versioning for a KV store
Retrieves data from the KV store
List data or secrets
Interact with Vault’s Key-Value storage
Sets or updates data in the KV store without overwriting
Sets or updates data in the KV store
Rolls back to a previous version of data
Undeletes versions in the KV store
Subcommands: delete Deletes versions in the KV store
destroy Permanently removes one or more versions in the KV store
enable-versioning Turns on versioning for a KV store
get Retrieves data from the KV store
list List data or secrets
metadata Interact with Vault’s Key-Value storage
patch Sets or updates data in the KV store without overwriting
put Sets or updates data in the KV store
rollback Rolls back to a previous version of data
undelete Undeletes versions in the KV store
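The KV v2 operations listed above, together with the -cas (check-and-set) rules from the earlier card, as an added worked example in Python. This is not Vault’s kv code; it is a small in-memory model of one versioned key that follows the documented behaviour: cas of -1 always writes, 0 only writes a brand-new key, N only writes when N is the current version; delete is soft and reversible with undelete; destroy is permanent; patch merges into the latest version (a None value removes that field, as a JSON merge patch would); rollback creates a new version carrying old data rather than moving a pointer back. The sample path and data are constructed.

```python
from typing import Optional


class CasError(Exception):
    """Raised when the check-and-set (cas) parameter does not match the key's current version."""


class KVv2:
    def __init__(self):
        self._store: dict = {}  # path -> {"current": int, "versions": {n: {"data", "deleted", "destroyed"}}}

    def _entry(self, path: str) -> dict:
        return self._store.setdefault(path, {"current": 0, "versions": {}})

    def put(self, path: str, data: dict, cas: int = -1) -> int:
        """-cas semantics: -1 (unset) always writes; 0 writes only if the key has no versions yet;
        N writes only if N is the current version. Every successful put creates a new version."""
        e = self._entry(path)
        if cas >= 0 and cas != e["current"]:
            raise CasError(f"cas={cas} but the current version of {path} is {e['current']}")
        e["current"] += 1
        e["versions"][e["current"]] = {"data": dict(data), "deleted": False, "destroyed": False}
        return e["current"]

    def get(self, path: str, version: Optional[int] = None) -> Optional[dict]:
        e = self._store.get(path)
        v = e["versions"].get(version or e["current"]) if e else None
        if v is None or v["deleted"] or v["destroyed"]:
            return None  # deleted and destroyed versions both read as absent
        return dict(v["data"])

    def delete(self, path: str, versions: Optional[list] = None) -> None:
        """Soft delete: data stays in storage and can be undeleted. Defaults to the latest version."""
        e = self._store[path]
        for n in versions or [e["current"]]:
            e["versions"][n]["deleted"] = True

    def undelete(self, path: str, versions: list) -> None:
        for n in versions:
            v = self._store[path]["versions"][n]
            if not v["destroyed"]:  # destroyed data is gone; undelete cannot bring it back
                v["deleted"] = False

    def destroy(self, path: str, versions: list) -> None:
        """Permanent: the data for those versions is removed; only the version metadata remains."""
        for n in versions:
            v = self._store[path]["versions"][n]
            v["destroyed"], v["data"] = True, None

    def patch(self, path: str, data: dict) -> int:
        """Merge into the latest version instead of overwriting it; a None value removes that key."""
        current = self.get(path)
        if current is None:
            raise KeyError(f"{path}: no readable version to patch")
        merged = {k: v for k, v in {**current, **data}.items() if v is not None}
        return self.put(path, merged, cas=self._store[path]["current"])

    def rollback(self, path: str, version: int) -> int:
        """Rollback writes the old data as a NEW version; the version counter never moves backwards."""
        v = self._store[path]["versions"][version]
        if v["destroyed"]:
            raise ValueError(f"version {version} of {path} was destroyed")
        return self.put(path, v["data"], cas=self._store[path]["current"])

    def metadata(self, path: str) -> dict:
        e = self._store[path]
        return {"current_version": e["current"],
                "versions": {n: {"deleted": v["deleted"], "destroyed": v["destroyed"]}
                             for n, v in e["versions"].items()}}
```

The cas=0 guard is the one to remember for bootstrap scripts: two deployers racing to create the same secret cannot silently overwrite each other, because the second write fails instead of becoming version 2.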
match the lease Subcommands:
renew, revoke
Renews the lease of a secret
Revokes leases and secrets
Subcommands:
renew Renews the lease of a secret
revoke Revokes leases and secrets
match the vault operator Subcommands:
step-down, rekey, init, generate-root, key-status, unseal, seal, rotate
Generates a new root token
Initializes a server
Provides information about the active encryption key
Generates new unseal keys
Rotates the underlying encryption key
Seals the Vault server
Forces Vault to resign active duty
Unseals the Vault server
Subcommands: generate-root Generates a new root token
init Initializes a server
key-status Provides information about the active encryption key
rekey Generates new unseal keys
rotate Rotates the underlying encryption key
seal Seals the Vault server
step-down Forces Vault to resign active duty
unseal Unseals the Vault server
match the vault token Subcommands:
lookup , renew, create, capabilities, revoke
Print capabilities of a token on a path
Create a new token
Display information about a token
Renew a token lease
Revoke a token and its children
capabilities Print capabilities of a token on a path
create Create a new token
lookup Display information about a token
renew Renew a token lease
revoke Revoke a token and its children
T or F
The API is expected to be accessed over a TLS connection at all times, with a valid certificate that is verified by a well-behaved client. It is possible to disable TLS verification for listeners, however, so API clients should expect to have to do both depending on user settings.
True
The sys/____ endpoint is used to list, enable, and disable audit devices.
audit
The /sys/____ endpoint is used to calculate the hash of the data used by an audit device’s hash function and salt. This can be used to search audit logs for a hashed value when the original value is known.
audit-hash
The /sys/___endpoint is used to list, create, update, and delete auth methods. Auth methods convert user or machine-supplied information into a token which can be used for all future requests.
auth
The /sys/_____ endpoint is used to fetch the capabilities of a token on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity’s group memberships.
capabilities
The /sys/______ endpoint is used to fetch the capabilities of the token associated with the given accessor. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity’s group memberships.
capabilities-accessor
The /sys/_______ endpoint is used to fetch the capabilities of the token used to make the API call, on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity’s group memberships.
capabilities-self
The /sys/config/____ endpoint is used to configure auditing settings.
auditing
The /sys/config/_____ endpoint is used to configure Control Group settings.
control-group
The /sys/config/____ endpoint is used to configure CORS settings.
cors
The endpoints under sys/config/____ return Vault’s configuration state. Currently, it only supports returning a sanitized version of the configuration.
state
The /sys/config/__ endpoint is used to configure UI settings.
ui
This endpoint authorizes a control group request.
/sys/____
control-group
The /sys/_____ endpoint is used to create a new root token for Vault.
generate-root
The /sys/____ endpoint is used to check the health status of Vault.
health
The /sys/_____ endpoint is used to retrieve information about the host instance that the Vault server is running on.
host-info
The /sys/____ endpoint is used to initialize a new Vault.
init
The /sys/internal/_____ endpoints are used to return data about the number of HTTP requests, tokens, and entities in Vault.
counters
The /sys/internal/____/____ endpoint is used to generate an OpenAPI document of the mounted backends. The response conforms to the OpenAPI V3 specification, with path names matching the mount names used by the Vault server (i.e. customizations with -path will be reflected). The set of included paths is based on the permissions of the request token.
specs/openapi
The /sys/internal/___/____ endpoint is used to manage mount listing visibility. The response generated by this endpoint is based on the listing_visibility value on the mount, which can be set during mount time or via mount tuning. This is currently only being used internally for the UI and is an unauthenticated endpoint.
ui/mounts
The /sys/____endpoint is used to query info about the current encryption key of Vault.
key-status
The /sys/____endpoint is used to check the high availability status and current leader of Vault.
leader
The /sys/____ endpoints are used to view and manage leases in Vault.
leases
The /sys/____ endpoint is used to view and update the license used in Vault.
license
The /sys/____ endpoint is used to get telemetry metrics for Vault.
metrics
The /sys/____ endpoint is used to manage secrets engines in Vault.
mounts
The /sys/____ endpoint is used to manage namespaces in Vault.
namespaces
The /sys/plugins/___/____ endpoint is used to reload mounted plugin backends. Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.
reload/backend
The /sys/plugins/____ endpoint is used to read, register, update, and remove plugins in Vault’s catalog. Plugins must be registered before use, and once registered backends can use the plugin by querying the catalog.
catalog
The /sys/____ endpoint is used to manage ACL policies in Vault.
policy
The /sys/____ endpoints are used to manage ACL, RGP, and EGP policies in Vault.
policies
The /sys/____ endpoint is used to query profiling information. The responses returned by these endpoints are equivalent to those returned by the http/pprof package.
pprof
The /sys/___ endpoint is used to access the raw underlying store in Vault.
raw
The /sys/___ endpoints are used to rekey the unseal keys for Vault.
rekey
The /sys/____ endpoints are used to rekey the recovery keys for Vault.
rekey-recovery-key
The /sys/____ endpoint is used to remount a mounted backend to a new endpoint.
remount
The /sys/____ endpoint is used to rotate the encryption key.
rotate
The /sys/___endpoint seals the Vault.
seal
The /sys/____ endpoint is used to check the seal status of a Vault.
seal-status
The /sys/____/____ endpoint is used to rewrap all seal wrapped entries. This is useful when you want to upgrade seal wrapped entries to use the latest key, for example, after a seal migration or after rotating the remote keyring.
sealwrap/rewrap
The /sys/____ endpoint causes the node to give up active status.
step-down
The /sys/____ endpoints are a general set of tools.
tools
The /sys/____ endpoint is used to unseal the Vault.
unseal
The /sys/wrapping/____ endpoint returns wrapping token properties.
lookup
The /sys/wrapping/____ endpoint can be used to rotate a wrapping token and refresh its TTL.
rewrap
The /sys/wrapping/____ endpoint unwraps a wrapped response.
unwrap
The /sys/wrapping/____ endpoint wraps the given values in a response-wrapped token.
wrap
A token accessor can do:
choose 4
Look up a token’s properties (not including the actual token ID)
Look up a token’s capabilities on a path
Create new tokens
Delete tokens
Renew the token
Revoke the token
Look up a token’s properties (not including the actual token ID)
Look up a token’s capabilities on a path
Renew the token
Revoke the token
A service that creates tokens on behalf of another service (such as the Nomad scheduler) can store the _____ correlated with a particular job ID. When the job is complete, the _____ can be used to instantly revoke the token given to the job and all of its leased credentials, limiting the chance that a bad actor will discover and use them.
accessor
What command lists the tokens that exist (by accessor, never by token ID)?
vault list auth/token/accessors
A token with both a period and an explicit max TTL will act like a ____token but will be revoked when the explicit max TTL is reached
periodic
When a primary Vault cluster fails, Vault will automatically promote a secondary cluster to ensure maximum uptime.
T or F
False
To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary
match open source vs enterprise
disaster recovery
dynamic secrets
acl templates
init & unseal workflow
vault agent
namespaces
replication
read replicas
key rolling
hsm auto-unseal
mfa
access control policies
sentinel
encryption as a service
aws, azure, and gcp auto unseal
fips 140-2 & seal wrap
open source - enterprise
dynamic secrets - disaster recovery
acl templates - namespaces
init & unseal workflow - replication
vault agent - read replicas
key rolling - HSM auto-unseal
access control policies - mfa
encryption as a service - sentinel
aws, azure, and gcp auto unseal - fips 140-2 & seal wrap
T or F
Audit devices hash sensitive information (with HMAC-SHA256 and a per-device salt) before logging it
True
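The audit hashing just described, and the /sys/audit-hash lookup from the endpoint cards, as an added worked example (not Vault’s code): the same HMAC-SHA256-with-salt construction Vault’s audit devices use, producing the `hmac-sha256:<hex>` strings you see in the log, applied to the question a responder actually asks: did this known token or secret value ever show up in the audit trail? The salt and the three JSON audit entries are constructed for the demo; against a real device you would not know the salt and would obtain the needle from `vault write sys/audit-hash/<device> input=<value>` instead.

```python
import hashlib
import hmac
import json


def audit_hash(salt: bytes, value: str) -> str:
    """Vault's audit hashing: HMAC-SHA256 keyed with the device salt, hex encoded, prefixed."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _walk(obj, prefix=""):
    """Yield (dotted.key.path, leaf value) for every leaf in a parsed audit entry."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}{i}.")
    else:
        yield prefix[:-1], obj


def find_in_audit_log(lines, salt: bytes, value: str):
    """Return (line number, request path, field) for every place the hashed value appears.
    The log never holds the plaintext, so the search is done on the hash, not the secret."""
    needle = audit_hash(salt, value)
    hits = []
    for lineno, line in enumerate(lines, 1):
        entry = json.loads(line)
        for field, leaf in _walk(entry):
            if leaf == needle:
                hits.append((lineno, entry["request"]["path"], field))
    return hits


# Constructed sample: a per-device salt and three entries shaped like the file audit device's JSON lines
SALT = b"constructed-demo-salt-not-real"
LEAKED_API_KEY = "api-key-0123456789"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"type": "request",
     "auth": {"accessor": audit_hash(SALT, "accessor-demo"), "policies": ["default"]},
     "request": {"operation": "update", "path": "auth/userpass/login/alice",
                 "data": {"password": audit_hash(SALT, "hunter2")}}},
    {"type": "response",
     "auth": {"policies": ["default", "web"]},
     "request": {"operation": "read", "path": "secret/data/app"},
     "response": {"data": {"data": {"api_key": audit_hash(SALT, LEAKED_API_KEY)}}}},
    {"type": "response",
     "request": {"operation": "update", "path": "auth/token/create"},
     "response": {"auth": {"client_token": audit_hash(SALT, "hvs.constructed-token")}}},
)]


if __name__ == "__main__":
    for hit in find_in_audit_log(SAMPLE_LOG, SALT, LEAKED_API_KEY):
        print("leaked value seen at line %d, path %s, field %s" % hit)
```

Because the salt is per audit device, the same value hashes differently in two devices’ logs, so a needle computed for one device finds nothing in another.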
what flag is used to specify the configuration file?
-config
name 4 things configured in the config file
storage backend
listener ports
tls cert
seal type
cluster name
log level
ui
cluster ip and port
which of these are not configured in config file?
secrets engines
auth methods
audit devices
policies
entities and groups
none of them are configured in config file
Performance replication replicates all but one:
k/v store
policies
tokens
It does not replicate tokens
Sealing only requires a single operator with root privileges.
T or F
T
One of these steps is a lie regarding creating an orphaned token:
- Via write access to the auth/token/create-orphan endpoint
- By having sudo or root access to the auth/token/create and setting the no_parent parameter to true
- Via token store roles
- By typing vault token orphan into the CLI
- By logging in with any other (non-token) auth method
By typing vault token orphan into the CLI (there is no such subcommand)
What is the only way to enumerate all tokens?
vault list auth/token/accessors (it returns accessors, not the token IDs themselves)
T or F
policy paths targeting list capability should end with a trailing slash
True
path "secret/foo/" { capabilities = ["list"] }
What does this command do?
vault read sys/policy
lists all registered policies in vault