Hashicorp Vault Associate COPY Flashcards
_________ is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The _______ is configured when starting the Vault server.
storage backend
_____ is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed.
barrier
_____ is responsible for managing secrets. Simple secrets engines like the "kv" ________ simply return the same secret when queried. Some _______ support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used, which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL _______ could be configured with a "web" policy. When the "web" secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.
secrets engine
_____ is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured ______. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.
audit device
______ is used to authenticate users or applications which are connecting to Vault. Once authenticated, the _______ returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass _______ uses a username and password to authenticate the user. Alternatively, the github ______ allows users to authenticate via GitHub.
auth method
______ is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a ______ which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.
client token
_____ is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a ___; for example, system configuration, status information, or policies are not considered _____. _____ always have an associated lease. This means clients cannot assume that the _____ contents can be used indefinitely. Vault will revoke a _____ at the end of the lease, and an operator may intervene to revoke the _____ before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.
secret
Vault depends on a long-running instance which operates as a _____. The Vault _____ provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a _____ based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.
server
Vault Telemetries
[c] = _____
[g] = _____
[s] = _____
counter
gauge
summary
How do you start a vault server in dev mode?
vault server -dev
dev mode stores data in memory
T or F
True
Do you need to unseal a dev server?
No, it is unsealed automatically
What port does vault dev server use?
8200
_____ is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
unsealing
What is the CLI command to unseal vault?
vault operator unseal
True or False
Once a Vault is unsealed, it remains unsealed until one of two things happens:
It is resealed via the API (see below).
Vault automatically seals every patch Tuesday.
False; it seals when it is restarted.
When using the CLI, what does the -target=recovery flag do for vault operator rekey?
Rekeys the recovery keys to change the number of shares or the threshold.
What happens when a lease is expired?
Vault automatically revokes the lease. When a token is revoked, Vault will revoke all leases that were created using that token.
Why are lease IDs structured so that their prefix is always the path from which the secret was requested?
If there is an intrusion within a specific system, all secrets of a specific backend or a certain configured backend can be revoked quickly and easily.
To determine what variables are needed for an auth method, supply the ______ flag without any additional arguments and help will be shown.
-method
As of Vault 1.0, there are two types of tokens: ____ tokens and _____ tokens.
service and batch
True or False
Root tokens can do anything
True
The system max TTL is __ days but can be changed in Vault's configuration file.
32
When a periodic token is created via a token store role, the ____ value of the role's period setting will be used at renewal time.
current