Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp Exam Vault-Associate Topic 7 Question 15 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 15
Topic #: 7
[All Vault-Associate Questions]

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Show Suggested Answer Hide Answer
Suggested Answer: A

The command vault secrets enable transit enables the transit secrets engine at the transit path. The transit secrets engine is a secrets engine that handles cryptographic functions on data in-transit, such as encryption, decryption, signing, verification, hashing, and random bytes generation. The transit secrets engine does not store the data sent to it, but only performs the requested operations and returns the results. The transit secrets engine can also be viewed as ''cryptography as a service'' or ''encryption as a service''. The command vault secrets enable transit uses the default path of transit for the secrets engine, but this can be changed by using the -path option. For example, vault secrets enable -path=my-transit transit would enable the transit secrets engine at the my-transit path.Reference:Transit - Secrets Engines | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer


by Ciara at Apr 28, 2024, 11:05 AM

Limited Time Offer

25%

Off

Get Premium Vault-Associate Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Lemuel
2 months ago
Ugh, certificates and their expiration dates. I'd rather just use B) and let Vault handle the hassle for me. Less paperwork, more coding!
upvoted 0 times
Eva
20 days ago
I think using option B) is the best choice for reducing the use of long lived X.509 certificates.
upvoted 0 times
...
Willard
24 days ago
Yeah, Vault can handle the expiration dates for us, so we can focus on coding instead of dealing with certificates.
upvoted 0 times
...
Maryann
1 months ago
I agree, using the Key/Value secrets engine version 2 with TTL defined would definitely make things easier.
upvoted 0 times
...
...
Rashida
2 months ago
This is a tricky one, but B) is the way to go. I'm glad I don't have to worry about long-lived certificates - that sounds like a real headache!
upvoted 0 times
James
13 days ago
Transit might be a good option too, but B) seems to be the most appropriate choice for this specific initiative.
upvoted 0 times
...
Lindsey
21 days ago
PKI might be a common choice, but in this case, B) is more suitable for reducing and removing long-lived X.509 certificates.
upvoted 0 times
...
Chaya
22 days ago
Long-lived certificates can definitely be a headache, but with the right secrets engine, it can be managed effectively.
upvoted 0 times
...
Daryl
2 months ago
I agree, B) Key/Value secrets engine version 2 with TTL defined is the best option for this use case.
upvoted 0 times
...
...
Paris
2 months ago
Hmm, I was leaning towards C) Cloud KMS, but the key requirement is to use a secrets engine, not a cloud service. B) it is!
upvoted 0 times
...
Kristal
2 months ago
That's a good point, Maira. Option B could provide better control over the lifecycle of the certificates.
upvoted 0 times
...
Maira
2 months ago
I disagree, I believe option B) Key/Value secrets engine version 2 with TTL defined would be more flexible and easier to manage in the long run.
upvoted 0 times
...
Kristal
3 months ago
I think the best option is A) PKI because it is specifically designed for managing X.509 certificates.
upvoted 0 times
...
Royce
3 months ago
I see your point, but I think D) Transit would be the most secure option for removing long lived X.509 certificates.
upvoted 0 times
...
Bong
3 months ago
I disagree, I believe B) Key/Value secrets engine version 2 with TTL defined is the best choice as it allows for expiration of certificates.
upvoted 0 times
...
Bethanie
3 months ago
I think the best option is A) PKI because it deals with certificates.
upvoted 0 times
...
Blair
3 months ago
I was initially drawn to A) PKI, but the question specifically asks for the secrets engine that best supports the use case. B) is the clear winner here.
upvoted 0 times
Silvana
1 months ago
Great, let's go with B) Key/Value secrets engine version 2.
upvoted 0 times
...
Margot
1 months ago
I see your point, B) it is then.
upvoted 0 times
...
Dusti
2 months ago
I agree, B) is definitely the most suitable option for this use case.
upvoted 0 times
...
Marsha
2 months ago
I think B) Key/Value secrets engine version 2, with TTL defined is the best choice.
upvoted 0 times
...
Jesus
2 months ago
I agree, but B) Key/Value secrets engine version 2 with TTL defined is the best choice.
upvoted 0 times
...
Orville
2 months ago
I think A) PKI is a good option.
upvoted 0 times
...
...
Ora
3 months ago
B) Key/Value secrets engine version 2, with TTL defined seems like the best option to support the initiative to reduce long-lived X.509 certificates. The ability to set a TTL aligns with the goal of removing long-lived certificates.
upvoted 0 times
...

Save Cancel