Hashicorp Vault Associate COPY Flashcards by Robert Koomson

_________is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The _______ is configured when starting the Vault server.

storage backend

How well did you know this?

Not at all

Perfectly

_____is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be “unsealed” before anything inside can be accessed.

barrier

How well did you know this?

Not at all

Perfectly

_____is responsible for managing secrets. Simple secrets engines like the “kv” ________ simply return the same secret when queried. Some _______ support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows Vault to do fine-grained revocation and policy updates. As an example, a MySQL _______ could be configured with a “web” policy. When the “web” secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.

secrets engine

How well did you know this?

Not at all

Perfectly

_____is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured ______. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.

audit device

How well did you know this?

Not at all

Perfectly

______is used to authenticate users or applications which are connecting to Vault. Once authenticated, the _______returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass _______ uses a username and password to authenticate the user. Alternatively, the github ______allows users to authenticate via GitHub.

auth method

How well did you know this?

Not at all

Perfectly

______is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a ______ which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.

client token

How well did you know this?

Not at all

Perfectly

_____is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a ___, for example system configuration, status information, or policies are not considered _____. _____always have an associated lease. This means clients cannot assume that the _____ contents can be used indefinitely. Vault will revoke a _____ at the end of the lease, and an operator may intervene to revoke the _____ before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.

secret

How well did you know this?

Not at all

Perfectly

Vault depends on a long-running instance which operates as a _____. The Vault _____ provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a _____ based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.

SERVER

How well did you know this?

Not at all

Perfectly

Vault Telemetries

[c] = _____

[g] = _____

[s] = _____

counter

guage

summary

How well did you know this?

Not at all

Perfectly

How do you start a vault server in dev mode?

vault server -dev

How well did you know this?

Not at all

Perfectly

dev mode stores data in memory

T or F

True

How well did you know this?

Not at all

Perfectly

Do you need to unseal a dev server?

No, it is unsealed automatically

How well did you know this?

Not at all

Perfectly

What port does vault dev server use?

8200

How well did you know this?

Not at all

Perfectly

_____is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

unsealing

How well did you know this?

Not at all

Perfectly

What is the CLI command to unseal vault?

vault operator unseal

How well did you know this?

Not at all

Perfectly

True or False

Once a Vault is unsealed, it remains unsealed until one of two things happens:

It is resealed via the API (see below).

Vault automatically seals every patch Tuesday.

False it seals when it is restarted.

How well did you know this?

Not at all

Perfectly

When using the CLI, what does using the -target=recovery flag to vault operator rekey do?

rekeys recovery keys to change the number of shares or thresholds

How well did you know this?

Not at all

Perfectly

What happens when a lease is expired?

Vault automatically revokes the lease. When a token is revoked, Vault will revoke all leases that were created using that token.

How well did you know this?

Not at all

Perfectly

WHy are Lease IDs structured in a way that their prefix is always the path where the secret was requested from.

if there is an intrusion within a specific system: all secrets of a specific backend or a certain configured backend can be revoked quickly and easily.

How well did you know this?

Not at all

Perfectly

To determine what variables are needed for an auth method, supply the ______ flag without any additional arguments and help will be shown.

-method

How well did you know this?

Not at all

Perfectly

As of Vault 1.0, there are two types of tokens: ____ tokens and _____ tokens.

service and batch

How well did you know this?

Not at all

Perfectly

True or False

Root tokens can do anything

True

How well did you know this?

Not at all

Perfectly

The system max TTL, which is__ days but can be changed in Vault’s configuration file.

How well did you know this?

Not at all

Perfectly

When a periodic token is created via a token store role, the ____ value of the role’s period setting will be used at renewal time

current

How well did you know this?

Not at all

Perfectly

A token with both a period and an explicit max TTL will act like a periodic token but will be revoked when the explicit max TTL is reached T or F

If a root token has an expiration, it also is not affected by CIDR-binding. T or F

False. Only root tokens with TTL of 0 are not affected by CIDR-binding

\_\_\_ tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.

batch

\_\_\_\_\_\_ tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

Service

T or F Policies are allow by default, so an empty policy grants permission in the system.

False, Policies are deny by default

When using LDAP auth method, does vault store a copy fo the ldap database?

Nope

T or F When providing list capability, it is important to note that since listing always operates on a prefix, policies must operate on a prefix because Vault will sanitize request paths to be prefixes. In other words, policy paths targeting list capability should end with a trailing slash:

Vault has two built-in policies:\_\_\_\_and \_\_\_\_. This section describes the two builtin policies.

default and root

The _____ policy is a built-in Vault policy that cannot be removed. By default, it is attached to all tokens, but may be explicitly excluded at token creation time by supporting authentication methods.

default

This enviromment var holds the contents of the token

VAULT\_TOKEN

This env var holds Address of the Vault server expressed as a URL and port,

VAULT\_ADDR

This env var holds the Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate.

VAULT\_CACERT

This env var sets the Path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server's SSL certificate.

VAULT\_CAPATH

This commands sets the vault namespace as an env var

VAULT\_NAMESPACE

The ____ command tunes the configuration options for the auth method at the given PATH

auth tune

What does cas stand for? -cas If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. The default is -1.

check and set

Once a Vault node is unsealed, it remains unsealed until one of these things happens: It is resealed via the API. The server is restarted. Vault's storage layer encounters an unrecoverable error. T or F

\_\_\_\_\_ is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

unsealing

By default, Vault uses _____ Secret Sharing algorithm to split the master key into shards.

shamir's

By enabling ____ wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.

seal

A Vault _____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.

cluster

The path can have a wildcard ("\*") at the end to allow for any string in its place. T or F

True

How would you add a wildcard for a single directory

use "+"

Map the capability to the associaated http verb create delete read post/put update get delete list list post/put

create = post/put read = get update = post/put delete = delete list = list

The ____ capability takes precedence above all other capabilities. It also does not map to any HTTP verbs.

deny

\_\_\_\_\_is a type of user empowered with managing a Vault infrastructure for a team or organizations.

admin

Vault clients can be mapped as ____ and their corresponding accounts with authentication providers can be mapped as \_\_\_\_

entities aliases

External groups can have ___ alias.

one

If you don't explicitly specify, token's default TTL is ___ days.

T or F Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries.

True

Vault Agent will manage the lifecycle of cached tokens and leases automatically so that the clients do not need to implement a logic to renew the tokens and leases. T or F

true

A Vault ____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.

cluster

The \_\_\_\_secrets engine enables security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted with AES-GCM with a 256-bit AES key or other supported key types. Even if an attacker were able to access the raw data, they would only have encrypted bits. This means attackers would need to compromise multiple systems before exfiltrating data.

transit

By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the\_\_\_\_ argument.

-path

When you send data to Vault for encryption, it must be in the form of ____ plaintext for a safe transport.

base64-encoded

The kv secrets engine handles cryptographic functions on data-in-transit, and often referred to as Encryption as a Service (EaaS). t or f

false, transit

T or F key shards can automatically unseal vault upon the start of the vault service

False

Vault start vault service on port \_\_\_\_ Cluster to cluster communication is done over \_\_\_\_ \_\_\_\_ is used for Consul Server RPC \_\_\_\_ is used for the Consul interface, \_\_\_\_ is used for Consul DNS \_\_\_\_ is used for its LAN gossip protocol 8300, 8500, 8200, 8301, 8600, 8201

By default, Vault starts the Vault service on port 8200. Cluster to cluster communication is done over 8201, 8300 is used for Consul Server RPC, 8500 is used for the Consul interface, 8600 is used for Consul DNS, and 8301 is used for its LAN gossip protocol

Can vault integrate with your code repo to pull secretes when deploying your apps?

Nope

\_\_\_\_\_can be used to do a 'vault renew' or a 'vault revoke' command to manage the lease of a secret

lease\_id

what command renews a vaut token?

vault token renew

name all of the permissions that can be applied to a path in vault

create, read, update, delete, list, deny, and sudo

T or F To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary

true

what CLi command would you use to create an encryption key ring named "orders"

vault write -f transit/keys/orders

By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the -path argument. give an example of this command using the path: encryption

vault secrets enable -path=encryption transit

Once the transit secrets engine has been configured, any client with valid token with proper permission can send data to encrypt. To encrypt your secret, use the transit/encrypt endpoint. use "orders" as the key name. give an example of the command

vault write transit/encrypt/orders

vault write -format=json transit/encrypt/orders \ plaintext=$(base64 \<\<\< "credit-card-number") \ | jq -r ".data.ciphertext" \> cipher.txt What is the above command doing?

it will encrypt a plaintext secret and save the resulting ciphertext in a file named cipher.txt

You can upgrade already-encrypted data with a new key by invoking transit/\_\_\_\_endpoint.

rewrap

To rewrap the data, you do need to decrypt it

false. To rewrap the data, you don't need to decrypt it. You can simply pass the ciphertext to the Vault. Vault will decrypt the value using the appropriate key in the keyring and then encrypted the resulting plaintext with the newest key in the keyring. Therefore, this operation does not reveal the plaintext data.

what command would you use to find out how many service tokens exist on the Vault server or cluster?

vault read sys/internal/counters/tokens Note: The sys/internal/counters/tokens API endpoint is introduced in Vault 1.3. To leverage this endpoint, you need Vault 1.3 or later

The batch tokens are persisted; therefore, they can be renewed or revoked before reaching its time-to-live (TTL). On the other hand, service tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, service tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of batch tokens. T or F

False The service tokens are persisted; therefore, they can be renewed or revoked before reaching its time-to-live (TTL). On the other hand, batch tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, batch tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of service tokens.

match the vault auth subcommands with their description: disable enable help list tune prints usage for an auth method lists enabled auth methods tunes an auth method configuration disables an auth method enables an auth method

help - prints usage for an auth method list - lists enabled auth methods tune - tunes an auth method configuration disaable - disables an auth method enable - enables an auth method

match the debug subcommands and descriptions compress, target, output, duration, interval, metrics-interval - (bool: true) - Toggles whether to compress output package The default is true. (int or time string: "2m") - Duration to run the command. The default is 2m0s. (int or time string: "30s") - The polling interval at which to collect profiling data and server state. The default is 30s. - (int or time string: "10s") - The polling interval at which to collect metrics data. The default is 10s. (string) - Specifies the output path for the debug package. Defaults to an time-based generated file name. (string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.

- compress (bool: true) - Toggles whether to compress output package The default is true. - duration (int or time string: "2m") - Duration to run the command. The default is 2m0s. - interval (int or time string: "30s") - The polling interval at which to collect profiling data and server state. The default is 30s. - metrics-interval (int or time string: "10s") - The polling interval at which to collect metrics data. The default is 10s. - output (string) - Specifies the output path for the debug package. Defaults to an time-based generated file name. - target (string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.

match the KV Subcommands to their descriptions: put, metadata, get, delete, destory, undelete, rollback, list, enable-versioning, patch Deletes versions in the KV store Permanently removes one or more versions in the KV store Turns on versioning for a KV store Retrieves data from the KV store List data or secrets Interact with Vault's Key-Value storage Sets or updates data in the KV store without overwriting Sets or updates data in the KV store Rolls back to a previous version of data Undeletes versions in the KV store

Subcommands: delete Deletes versions in the KV store destroy Permanently removes one or more versions in the KV store enable-versioning Turns on versioning for a KV store get Retrieves data from the KV store list List data or secrets metadata Interact with Vault's Key-Value storage patch Sets or updates data in the KV store without overwriting put Sets or updates data in the KV store rollback Rolls back to a previous version of data undelete Undeletes versions in the KV store

match the lease Subcommands: renew, revoke Renews the lease of a secret Revokes leases and secrets

Subcommands: renew Renews the lease of a secret revoke Revokes leases and secrets

match the vault operator Subcommands: step-down, rekey, init, generate-root, key-status, unseal, seal, rotate Generates a new root token Initializes a server Provides information about the active encryption key Generates new unseal keys Rotates the underlying encryption key Seals the Vault server Forces Vault to resign active duty Unseals the Vault server

Subcommands: generate-root Generates a new root token init Initializes a server key-status Provides information about the active encryption key rekey Generates new unseal keys rotate Rotates the underlying encryption key seal Seals the Vault server step-down Forces Vault to resign active duty unseal Unseals the Vault server

match the vault token Subcommands: lookup , renew, create, capabilities, revoke Print capabilities of a token on a path Create a new token Display information about a token Renew a token lease Revoke a token and its children

capabilities Print capabilities of a token on a path create Create a new token lookup Display information about a token renew Renew a token lease revoke Revoke a token and its children

T or F The API is expected to be accessed over a TLS connection at all times, with a valid certificate that is verified by a well-behaved client. It is possible to disable TLS verification for listeners, however, so API clients should expect to have to do both depending on user settings.

True

The sys/\_\_\_\_ endpoint is used to list, enable, and disable audit devices.

audit

The /sys/\_\_\_\_ endpoint is used to calculate the hash of the data used by an audit device's hash function and salt. This can be used to search audit logs for a hashed value when the original value is known.

audit-hash

The /sys/\_\_\_endpoint is used to list, create, update, and delete auth methods. Auth methods convert user or machine-supplied information into a token which can be used for all future requests.

auth

The /sys/\_\_\_\_\_ endpoint is used to fetch the capabilities of a token on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity's group memberships.

capabilities

The /sys/\_\_\_\_\_\_ endpoint is used to fetch the capabilities of the token associated with the given accessor. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity's group memberships.

capabilities-accessor

The /sys/\_\_\_\_\_\_\_ endpoint is used to fetch the capabilities of the token used to make the API call, on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity's group memberships.

capabilities-self

The /sys/config/\_\_\_\_ endpoint is used to configure auditing settings.

auditing

The /sys/config/\_\_\_\_\_ endpoint is used to configure Control Group settings.

control-group

The /sys/config/\_\_\_\_ endpoint is used to configure CORS settings.

cors

The endpoints under sys/config/\_\_\_\_ return Vault's configuration state. Currently, it only supports returning a sanitized version of the configuration.

state

The /sys/config/\_\_ endpoint is used to configure UI settings.

This endpoint authorizes a control group request. /sys/\_\_\_\_

control-group

The /sys/\_\_\_\_\_ endpoint is used to create a new root key for Vault.

generate-root

The /sys/\_\_\_\_ endpoint is used to check the health status of Vault.

health

The /sys/\_\_\_\_\_ endpoint is used retrieve information about the host instance that the Vault server is running on.

host-info

The /sys/\_\_\_\_ endpoint is used to initialize a new Vault.

init

The /sys/internal/\_\_\_\_\_ endpoints are used to return data about the number of Http Requests, Tokens, and Entities in Vault.

counters

The /sys/internal/\_\_\_\_/\_\_\_\_ endpoint is used to generate an OpenAPI document of the mounted backends. The response conforms to the OpenAPI V3 specification, with path names matching the mount names used by the Vault server (i.e. customizations with -path will be reflected). The set of included paths is based on the permissions of the request token.

specs/openapi

The /sys/internal/\_\_\_/\_\_\_\_ endpoint is used to manage mount listing visibility. The response generated by this endpoint is based on the listing\_visibility value on the mount, which can be set during mount time or via mount tuning. This is currently only being used internally for the UI and is an unauthenticated endpoint.

ui/mounts

The /sys/\_\_\_\_endpoint is used to query info about the current encryption key of Vault.

key-status

The /sys/\_\_\_\_endpoint is used to check the high availability status and current leader of Vault.

leader

The /sys/\_\_\_\_ endpoints are used to view and manage leases in Vault.

leases

The /sys/\_\_\_\_ endpoint is used to view and update the license used in Vault.

license

The /sys/\_\_\_\_ endpoint is used to get telemetry metrics for Vault.

metrics

The /sys/\_\_\_\_ endpoint is used manage secrets engines in Vault.

mounts

The /sys/\_\_\_\_ endpoint is used manage namespaces in Vault.

namespaces

The /sys/plugins/\_\_\_/\_\_\_\_ endpoint is used to reload mounted plugin backends. Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.

reload/backend

The /sys/plugins/\_\_\_\_ endpoint is used to read, register, update, and remove plugins in Vault's catalog. Plugins must be registered before use, and once registered backends can use the plugin by querying the catalog.

catalog

The /sys/\_\_\_\_ endpoint is used to manage ACL policies in Vault.

policy

The /sys/\_\_\_\_ endpoints are used to manage ACL, RGP, and EGP policies in Vault.

policies

The /sys/\_\_\_\_ endpoint is used to query. The response returned by these endpoints are equivalent to those returned by the http/pprof package.

pprof

The /sys/\_\_\_ endpoint is used to access the raw underlying store in Vault.

raw

The /sys/\_\_\_ endpoints are used to rekey the unseal keys for Vault.

rekey

The /sys/\_\_\_\_ endpoints are used to rekey the recovery keys for Vault.

rekey-recovery-key

The /sys/\_\_\_\_ endpoint is used remount a mounted backend to a new endpoint.

remount

The /sys/\_\_\_\_ endpoint is used to rotate the encryption key.

rotate

The /sys/\_\_\_endpoint seals the Vault.

seal

The /sys/\_\_\_\_ endpoint is used to check the seal status of a Vault.

seal-status

The /sys/\_\_\_\_/\_\_\_\_ endpoint is used to rewrap all seal wrapped entries. This is useful when you want to upgrade seal wrapped entries to use the latest key, for example, after a seal migration or after rotating the remote keyring.

sealwrap/rewrap

The /sys/\_\_\_\_ endpoint causes the node to give up active status.

step-down

The /sys/\_\_\_\_ endpoints are a general set of tools.

tools

The /sys/\_\_\_\_ endpoint is used to unseal the Vault.

seal-unseal

The /sys/wrapping/\_\_\_\_ endpoint returns wrapping token properties.

lookup

The /sys/wrapping/\_\_\_\_ endpoint can be used to rotate a wrapping token and refresh its TTL.

rewrap

The /sys/wrapping/\_\_\_\_ endpoint unwraps a wrapped response.

unwrap

The /sys/wrapping/\_\_\_\_ endpoint wraps the given values in a response-wrapped token.

wrap

A token accessor can do: choose 4 Look up a token's properties (not including the actual token ID) Look up a token's capabilities on a path Create new tokens Delete tokens Renew the token Revoke the token

Look up a token's properties (not including the actual token ID) Look up a token's capabilities on a path Renew the token Revoke the token

a service that creates tokens on behalf of another service (such as the Nomad scheduler) can store the \_\_\_\_\_correlated with a particular job ID. When the job is complete, the _____ can be used to instantly revoke the token given to the job and all of its leased credentials, limiting the chance that a bad actor will discover and use them.

accessor

What command allows you to list tokens?

auth/token/accessors

When a periodic token is created via a token store role, the ____ value of the role's period setting will be used at renewal time

current

A token with both a period and an explicit max TTL will act like a \_\_\_\_token but will be revoked when the explicit max TTL is reached

periodic

When a primary Vault cluster fails, Vault will automatically promote a secondary cluster to ensure maximum uptime. T or F

False To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary

match open source vs enterprise disaster recovery dynamic secrets acl templates init & unseal workflow vault agent namespaces replication read replicas key rolling hsm auto-unseal mfa access control policies sentinel encryptiono as service aaws,aazure, aand gcp autoo unseal fips 140-2 & seal wrap

_open source__enterprise_ dynamic secrets - disaster recovery acl templates. - namespaces init & unseal workflow. - replication vault agent. - read replicas key rolling. - HSM auto-unseal access control policies. - mfa encryption as service. - sentinel aws,azure, and gcp auto unseal. - fips I40-2&seal wraap

T or F on Audit devices, sensitive information is hashed before logging

True

what flag is used to specify the configuration file?

-config

name 4 things confingured in config file

storaage backend listener ports tls cert seal type cluster name log level ui cluster ip and port

which of these are not configured in config file? secrets engines auth methods audit devices policies entities and groups

none of them are configured in config file

Performance replication replicates all but one: k/v store policies tokens

It does not replicate tokens

Sealing only requires a single operator with root privileges. T or F

One of these steps is a lie regarding creating an orphaned token: 1. Via write access to the auth/token/create-orphan endpoint 2. By having sudo or root access to the auth/token/create and setting the no\_parent parameter to true 3. Via token store roles 4. By typing vault token orpahn into the cli 5. By logging in with any other (non-token) auth method

By typing vault token orpahn into the cli

What is the only command that can list all tokens?

auth/token/accessors

T or F policy paths targeting list capability should end with a trailing slash

True path "secret/foo/" { capabilities = ["list"] }

What does this command do? vault read sys/policy

lists all registered policies in vault