Hashicorp Vault Associate COPY Flashcards

1
Q

_________ is responsible for durable storage of encrypted data. Backends are not trusted by Vault and are only expected to provide durability. The _______ is configured when starting the Vault server.

A

storage backend

2
Q

_____ is cryptographic steel and concrete around the Vault. All data that flows between Vault and the storage backend passes through the barrier. The barrier ensures that only encrypted data is written out, and that data is verified and decrypted on the way in. Much like a bank vault, the barrier must be “unsealed” before anything inside can be accessed.

A

barrier

3
Q

_____ is responsible for managing secrets. Simple secrets engines like the “kv” ________ simply return the same secret when queried. Some _______ support using policies to dynamically generate a secret each time they are queried. This allows unique secrets to be used, which lets Vault do fine-grained revocation and policy updates. As an example, a MySQL _______ could be configured with a “web” policy. When the “web” secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.

A

secrets engine

4
Q

_____ is responsible for managing audit logs. Every request to Vault and response from Vault goes through the configured ______. This provides a simple way to integrate Vault with multiple audit logging destinations of different types.

A

audit device

5
Q

______ is used to authenticate users or applications which are connecting to Vault. Once authenticated, the _______ returns the list of applicable policies which should be applied. Vault takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass _______ uses a username and password to authenticate the user. Alternatively, the github ______ allows users to authenticate via GitHub.

A

auth method

6
Q

______ is conceptually similar to a session cookie on a web site. Once a user authenticates, Vault returns a ______ which is used for future requests. The token is used by Vault to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.

A

client token

7
Q

_____ is the term for anything returned by Vault which contains confidential or cryptographic material. Not everything returned by Vault is a _____; for example, system configuration, status information, or policies are not considered _____. _____ always have an associated lease. This means clients cannot assume that the _____ contents can be used indefinitely. Vault will revoke a _____ at the end of the lease, and an operator may intervene to revoke the _____ before the lease is over. This contract between Vault and its clients is critical, as it allows for changes in keys and policies without manual intervention.

A

secret

8
Q

Vault depends on a long-running instance which operates as a _____. The Vault _____ provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a _____ based architecture decouples clients from the security keys and policies, enables centralized audit logging and simplifies administration for operators.

A

SERVER

9
Q

Vault telemetry metric types:

[c] = _____

[g] = _____

[s] = _____

A

counter

gauge

summary

10
Q

How do you start a vault server in dev mode?

A

vault server -dev

11
Q

Dev mode stores data in memory.

T or F

A

True

12
Q

Do you need to unseal a dev server?

A

No, it is unsealed automatically

13
Q

What port does vault dev server use?

A

8200

14
Q

_____ is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

A

unsealing

15
Q

What is the CLI command to unseal vault?

A

vault operator unseal

16
Q

True or False

Once a Vault is unsealed, it remains unsealed until one of two things happens:

It is resealed via the API (see below).

Vault automatically seals every patch Tuesday.

A

False, it seals when it is restarted.

17
Q

When using the CLI, what does using the -target=recovery flag to vault operator rekey do?

A

rekeys recovery keys to change the number of shares or thresholds

18
Q

What happens when a lease is expired?

A

Vault automatically revokes the lease. When a token is revoked, Vault will revoke all leases that were created using that token.

19
Q

Why are lease IDs structured so that their prefix is always the path from which the secret was requested?

A

If there is an intrusion within a specific system, all secrets of a specific backend or a certain configured backend can be revoked quickly and easily.

20
Q

To determine what variables are needed for an auth method, supply the ______ flag without any additional arguments and help will be shown.

A

-method

21
Q

As of Vault 1.0, there are two types of tokens: ____ tokens and _____ tokens.

A

service and batch

22
Q

True or False

Root tokens can do anything

A

True

23
Q

The system max TTL is __ days, but it can be changed in Vault’s configuration file.

A

32

24
Q

When a periodic token is created via a token store role, the ____ value of the role’s period setting will be used at renewal time

A

current

25
A token with both a period and an explicit max TTL will act like a periodic token but will be revoked when the explicit max TTL is reached T or F
T
26
If a root token has an expiration, it also is not affected by CIDR-binding. T or F
False. Only root tokens with TTL of 0 are not affected by CIDR-binding
27
___ tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result they are extremely lightweight and scalable, but lack most of the flexibility and features of service tokens.
batch
28
______ tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.
Service
29
T or F Policies are allow by default, so an empty policy grants permission in the system.
False, Policies are deny by default
30
When using the LDAP auth method, does Vault store a copy of the LDAP database?
Nope
31
T or F When providing list capability, it is important to note that since listing always operates on a prefix, policies must operate on a prefix because Vault will sanitize request paths to be prefixes. In other words, policy paths targeting list capability should end with a trailing slash:
T
32
Vault has two built-in policies: ____ and ____.
default and root
33
The _____ policy is a built-in Vault policy that cannot be removed. By default, it is attached to all tokens, but may be explicitly excluded at token creation time by supporting authentication methods.
default
34
This environment variable holds the contents of the token.
VAULT_TOKEN
35
This env var holds the address of the Vault server, expressed as a URL and port.
VAULT_ADDR
36
This env var holds the path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate.
VAULT_CACERT
37
This env var sets the path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server's SSL certificate.
VAULT_CAPATH
38
This env var sets the Vault namespace.
VAULT_NAMESPACE
39
The ____ command tunes the configuration options for the auth method at the given PATH
auth tune
40
What does cas stand for? (-cas: if not set, the write will be allowed. If set to 0, a write will only be allowed if the key doesn’t exist. If the index is non-zero, the write will only be allowed if the key’s current version matches the version specified in the cas parameter. The default is -1.)
check and set
41
Once a Vault node is unsealed, it remains unsealed until one of these things happens: it is resealed via the API, the server is restarted, or Vault's storage layer encounters an unrecoverable error. T or F
T
42
_____ is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
unsealing
43
By default, Vault uses _____ Secret Sharing algorithm to split the master key into shards.
Shamir's
44
By enabling ____ wrap, Vault wraps your secrets with an extra layer of encryption leveraging the HSM encryption and decryption.
seal
45
A Vault _____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.
cluster
46
The path can have a wildcard ("*") at the end to allow for any string in its place. T or F
True
47
How would you add a wildcard for a single directory?
use "+"
48
Map each capability to its associated HTTP verb. Capabilities: create, delete, read, update, list. Verbs: post/put, get, delete, list, post/put
create = post/put, read = get, update = post/put, delete = delete, list = list
49
The ____ capability takes precedence above all other capabilities. It also does not map to any HTTP verbs.
deny
50
_____ is a type of user empowered with managing a Vault infrastructure for a team or organization.
admin
51
Vault clients can be mapped as ____ and their corresponding accounts with authentication providers can be mapped as ____
entities and aliases
52
External groups can have ___ alias.
one
53
If you don't explicitly specify one, a token's default TTL is ___ days.
32
54
T or F Nearly all requests to Vault must be accompanied by an authentication token. This includes all API requests, as well as via the Vault CLI and other libraries.
True
55
Vault Agent will manage the lifecycle of cached tokens and leases automatically so that the clients do not need to implement a logic to renew the tokens and leases. T or F
true
56
A Vault ____ is a set of Vault processes that together run a Vault service. These Vault processes could be running on physical or virtual servers, or in containers.
cluster
57
The ____ secrets engine enables security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted with AES-GCM with a 256-bit AES key or other supported key types. Even if an attacker were able to access the raw data, they would only have encrypted bits. This means attackers would need to compromise multiple systems before exfiltrating data.
transit
58
By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the ____ argument.
-path
59
When you send data to Vault for encryption, it must be in the form of ____ plaintext for a safe transport.
base64-encoded
60
The kv secrets engine handles cryptographic functions on data in transit, and is often referred to as Encryption as a Service (EaaS). T or F
false, transit
61
T or F key shards can automatically unseal vault upon the start of the vault service
False
62
By default, Vault starts the Vault service on port ____. Cluster-to-cluster communication is done over ____. ____ is used for Consul server RPC, ____ is used for the Consul interface, ____ is used for Consul DNS, and ____ is used for its LAN gossip protocol. (Options: 8300, 8500, 8200, 8301, 8600, 8201)
By default, Vault starts the Vault service on port 8200. Cluster-to-cluster communication is done over 8201. 8300 is used for Consul server RPC, 8500 is used for the Consul interface, 8600 is used for Consul DNS, and 8301 is used for its LAN gossip protocol.
63
Can Vault integrate with your code repo to pull secrets when deploying your apps?
Nope
64
_____ can be used with a 'vault renew' or a 'vault revoke' command to manage the lease of a secret
lease_id
65
What command renews a Vault token?
vault token renew
66
Name all of the permissions (capabilities) that can be applied to a path in Vault.
create, read, update, delete, list, deny, and sudo
67
T or F To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary
true
68
What CLI command would you use to create an encryption key ring named "orders"?
vault write -f transit/keys/orders
69
By default, the secrets engine will mount at the name of the engine. If you wish to enable it at a different path, use the -path argument. Give an example of this command using the path: encryption
vault secrets enable -path=encryption transit
70
Once the transit secrets engine has been configured, any client with a valid token and proper permissions can send data to encrypt. To encrypt your secret, use the transit/encrypt endpoint. Use "orders" as the key name. Give an example of the command.
vault write transit/encrypt/orders
71
vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") | jq -r ".data.ciphertext" > cipher.txt
What is the above command doing?
it will encrypt a plaintext secret and save the resulting ciphertext in a file named cipher.txt
72
You can upgrade already-encrypted data with a new key by invoking the transit/____ endpoint.
rewrap
73
To rewrap the data, you do need to decrypt it. T or F
False. To rewrap the data, you don't need to decrypt it. You can simply pass the ciphertext to Vault. Vault will decrypt the value using the appropriate key in the keyring and then encrypt the resulting plaintext with the newest key in the keyring. Therefore, this operation does not reveal the plaintext data.
74
What command would you use to find out how many service tokens exist on the Vault server or cluster?
vault read sys/internal/counters/tokens (Note: the sys/internal/counters/tokens API endpoint was introduced in Vault 1.3. To leverage this endpoint, you need Vault 1.3 or later.)
75
Batch tokens are persisted; therefore, they can be renewed or revoked before reaching their time-to-live (TTL). On the other hand, service tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, service tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of batch tokens. T or F
False. Service tokens are persisted; therefore, they can be renewed or revoked before reaching their time-to-live (TTL). On the other hand, batch tokens are not persisted. They are encrypted binary large objects (blobs) that carry enough information for them to be used for Vault actions. Therefore, batch tokens are extremely lightweight and scalable; however, they lack most of the flexibility and features of service tokens.
76
Match the vault auth subcommands with their descriptions. Subcommands: disable, enable, help, list, tune. Descriptions: prints usage for an auth method; lists enabled auth methods; tunes an auth method configuration; disables an auth method; enables an auth method
help - prints usage for an auth method
list - lists enabled auth methods
tune - tunes an auth method configuration
disable - disables an auth method
enable - enables an auth method
77
Match the vault debug flags and their descriptions. Flags: compress, target, output, duration, interval, metrics-interval. Descriptions: (bool: true) toggles whether to compress the output package, the default is true; (int or time string: "2m") duration to run the command, the default is 2m0s; (int or time string: "30s") the polling interval at which to collect profiling data and server state, the default is 30s; (int or time string: "10s") the polling interval at which to collect metrics data, the default is 10s; (string) specifies the output path for the debug package, defaults to a time-based generated file name; (string: all targets) target to capture, defaulting to all if none specified, can be specified multiple times to capture multiple targets, available targets are config, host, metrics, pprof, replication-status, server-status.
- compress (bool: true) - Toggles whether to compress the output package. The default is true.
- duration (int or time string: "2m") - Duration to run the command. The default is 2m0s.
- interval (int or time string: "30s") - The polling interval at which to collect profiling data and server state. The default is 30s.
- metrics-interval (int or time string: "10s") - The polling interval at which to collect metrics data. The default is 10s.
- output (string) - Specifies the output path for the debug package. Defaults to a time-based generated file name.
- target (string: all targets) - Target to capture, defaulting to all if none specified. This can be specified multiple times to capture multiple targets. Available targets are: config, host, metrics, pprof, replication-status, server-status.
78
Match the KV subcommands to their descriptions. Subcommands: put, metadata, get, delete, destroy, undelete, rollback, list, enable-versioning, patch. Descriptions: deletes versions in the KV store; permanently removes one or more versions in the KV store; turns on versioning for a KV store; retrieves data from the KV store; lists data or secrets; interacts with Vault's key-value storage; sets or updates data in the KV store without overwriting; sets or updates data in the KV store; rolls back to a previous version of data; undeletes versions in the KV store
Subcommands:
delete - Deletes versions in the KV store
destroy - Permanently removes one or more versions in the KV store
enable-versioning - Turns on versioning for a KV store
get - Retrieves data from the KV store
list - List data or secrets
metadata - Interact with Vault's Key-Value storage
patch - Sets or updates data in the KV store without overwriting
put - Sets or updates data in the KV store
rollback - Rolls back to a previous version of data
undelete - Undeletes versions in the KV store
79
Match the lease subcommands to their descriptions. Subcommands: renew, revoke. Descriptions: renews the lease of a secret; revokes leases and secrets
Subcommands:
renew - Renews the lease of a secret
revoke - Revokes leases and secrets
80
Match the vault operator subcommands to their descriptions. Subcommands: step-down, rekey, init, generate-root, key-status, unseal, seal, rotate. Descriptions: generates a new root token; initializes a server; provides information about the active encryption key; generates new unseal keys; rotates the underlying encryption key; seals the Vault server; forces Vault to resign active duty; unseals the Vault server
Subcommands:
generate-root - Generates a new root token
init - Initializes a server
key-status - Provides information about the active encryption key
rekey - Generates new unseal keys
rotate - Rotates the underlying encryption key
seal - Seals the Vault server
step-down - Forces Vault to resign active duty
unseal - Unseals the Vault server
81
Match the vault token subcommands to their descriptions. Subcommands: lookup, renew, create, capabilities, revoke. Descriptions: print capabilities of a token on a path; create a new token; display information about a token; renew a token lease; revoke a token and its children
capabilities - Print capabilities of a token on a path
create - Create a new token
lookup - Display information about a token
renew - Renew a token lease
revoke - Revoke a token and its children
82
T or F The API is expected to be accessed over a TLS connection at all times, with a valid certificate that is verified by a well-behaved client. It is possible to disable TLS verification for listeners, however, so API clients should expect to have to do both depending on user settings.
True
83
The sys/____ endpoint is used to list, enable, and disable audit devices.
audit
84
The /sys/____ endpoint is used to calculate the hash of the data used by an audit device's hash function and salt. This can be used to search audit logs for a hashed value when the original value is known.
audit-hash
85
The /sys/___ endpoint is used to list, create, update, and delete auth methods. Auth methods convert user or machine-supplied information into a token which can be used for all future requests.
auth
86
The /sys/_____ endpoint is used to fetch the capabilities of a token on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled through the entity and the entity's group memberships.
capabilities
87
The /sys/______ endpoint is used to fetch the capabilities of the token associated with the given accessor. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled through the entity and the entity's group memberships.
capabilities-accessor
88
The /sys/_______ endpoint is used to fetch the capabilities of the token used to make the API call, on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled through the entity and the entity's group memberships.
capabilities-self
89
The /sys/config/____ endpoint is used to configure auditing settings.
auditing
90
The /sys/config/_____ endpoint is used to configure Control Group settings.
control-group
91
The /sys/config/____ endpoint is used to configure CORS settings.
cors
92
The endpoints under sys/config/____ return Vault's configuration state. Currently, it only supports returning a sanitized version of the configuration.
state
93
The /sys/config/__ endpoint is used to configure UI settings.
ui
94
This endpoint authorizes a control group request. /sys/____
control-group
95
The /sys/_____ endpoint is used to create a new root key for Vault.
generate-root
96
The /sys/____ endpoint is used to check the health status of Vault.
health
97
The /sys/_____ endpoint is used to retrieve information about the host instance that the Vault server is running on.
host-info
98
The /sys/____ endpoint is used to initialize a new Vault.
init
99
The /sys/internal/_____ endpoints are used to return data about the number of HTTP requests, tokens, and entities in Vault.
counters
100
The /sys/internal/____/____ endpoint is used to generate an OpenAPI document of the mounted backends. The response conforms to the OpenAPI V3 specification, with path names matching the mount names used by the Vault server (i.e. customizations with -path will be reflected). The set of included paths is based on the permissions of the request token.
specs/openapi
101
The /sys/internal/___/____ endpoint is used to manage mount listing visibility. The response generated by this endpoint is based on the listing_visibility value on the mount, which can be set during mount time or via mount tuning. This is currently only being used internally for the UI and is an unauthenticated endpoint.
ui/mounts
102
The /sys/____ endpoint is used to query info about the current encryption key of Vault.
key-status
103
The /sys/____ endpoint is used to check the high availability status and current leader of Vault.
leader
104
The /sys/____ endpoints are used to view and manage leases in Vault.
leases
105
The /sys/____ endpoint is used to view and update the license used in Vault.
license
106
The /sys/____ endpoint is used to get telemetry metrics for Vault.
metrics
107
The /sys/____ endpoint is used to manage secrets engines in Vault.
mounts
108
The /sys/____ endpoint is used to manage namespaces in Vault.
namespaces
109
The /sys/plugins/___/____ endpoint is used to reload mounted plugin backends. Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded.
reload/backend
110
The /sys/plugins/____ endpoint is used to read, register, update, and remove plugins in Vault's catalog. Plugins must be registered before use, and once registered, backends can use the plugin by querying the catalog.
catalog
111
The /sys/____ endpoint is used to manage ACL policies in Vault.
policy
112
The /sys/____ endpoints are used to manage ACL, RGP, and EGP policies in Vault.
policies
113
The /sys/____ endpoint is used to query profiling data. The responses returned by these endpoints are equivalent to those returned by the http/pprof package.
pprof
114
The /sys/___ endpoint is used to access the raw underlying store in Vault.
raw
115
The /sys/___ endpoints are used to rekey the unseal keys for Vault.
rekey
116
The /sys/____ endpoints are used to rekey the recovery keys for Vault.
rekey-recovery-key
117
The /sys/____ endpoint is used to remount a mounted backend to a new endpoint.
remount
118
The /sys/____ endpoint is used to rotate the encryption key.
rotate
119
The /sys/___ endpoint seals the Vault.
seal
120
The /sys/____ endpoint is used to check the seal status of a Vault.
seal-status
121
The /sys/____/____ endpoint is used to rewrap all seal wrapped entries. This is useful when you want to upgrade seal wrapped entries to use the latest key, for example, after a seal migration or after rotating the remote keyring.
sealwrap/rewrap
122
The /sys/____ endpoint causes the node to give up active status.
step-down
123
The /sys/____ endpoints are a general set of tools.
tools
124
The /sys/____ endpoint is used to unseal the Vault.
seal-unseal
125
The /sys/wrapping/____ endpoint returns wrapping token properties.
lookup
126
The /sys/wrapping/____ endpoint can be used to rotate a wrapping token and refresh its TTL.
rewrap
127
The /sys/wrapping/____ endpoint unwraps a wrapped response.
unwrap
128
The /sys/wrapping/____ endpoint wraps the given values in a response-wrapped token.
wrap
129
A token accessor can do (choose 4): look up a token's properties (not including the actual token ID); look up a token's capabilities on a path; create new tokens; delete tokens; renew the token; revoke the token
Look up a token's properties (not including the actual token ID)
Look up a token's capabilities on a path
Renew the token
Revoke the token
130
A service that creates tokens on behalf of another service (such as the Nomad scheduler) can store the _____ correlated with a particular job ID. When the job is complete, the _____ can be used to instantly revoke the token given to the job and all of its leased credentials, limiting the chance that a bad actor will discover and use them.
accessor
131
What command allows you to list tokens?
auth/token/accessors
132
When a periodic token is created via a token store role, the ____ value of the role's period setting will be used at renewal time
current
133
A token with both a period and an explicit max TTL will act like a ____ token but will be revoked when the explicit max TTL is reached
periodic
134
When a primary Vault cluster fails, Vault will automatically promote a secondary cluster to ensure maximum uptime. T or F
False To avoid split-brain scenarios, Vault secondary clusters must be manually promoted to a primary
135
Match each feature to open source or enterprise: disaster recovery, dynamic secrets, ACL templates, init & unseal workflow, Vault Agent, namespaces, replication, read replicas, key rolling, HSM auto-unseal, MFA, access control policies, Sentinel, encryption as a service, AWS, Azure, and GCP auto unseal, FIPS 140-2 & seal wrap
Open source: dynamic secrets, ACL templates, init & unseal workflow, Vault Agent, key rolling, access control policies, encryption as a service, AWS, Azure, and GCP auto unseal
Enterprise: disaster recovery, namespaces, replication, read replicas, HSM auto-unseal, MFA, Sentinel, FIPS 140-2 & seal wrap
136
T or F on Audit devices, sensitive information is hashed before logging
True
137
What flag is used to specify the configuration file?
-config
138
Name 4 things configured in the config file.
storage backend, listener ports, TLS cert, seal type, cluster name, log level, UI, cluster IP and port
139
Which of these are not configured in the config file? secrets engines, auth methods, audit devices, policies, entities and groups
None of them are configured in the config file.
140
Performance replication replicates all but one of: K/V store, policies, tokens
It does not replicate tokens
141
Sealing only requires a single operator with root privileges. T or F
T
142
One of these steps is a lie regarding creating an orphaned token: 1. Via write access to the auth/token/create-orphan endpoint. 2. By having sudo or root access to auth/token/create and setting the no_parent parameter to true. 3. Via token store roles. 4. By typing vault token orphan into the CLI. 5. By logging in with any other (non-token) auth method.
By typing vault token orphan into the CLI
143
What is the only command that can list all tokens?
auth/token/accessors
144
T or F policy paths targeting list capability should end with a trailing slash
True, e.g. path "secret/foo/" { capabilities = ["list"] }
145
What does this command do? vault read sys/policy
Lists all registered policies in Vault.