Comprehensive and Detailed in Depth
The statement is False. Setting the minimum decryption version does not remove older key versions.
The HashiCorp Vault documentation states: "Key versions that are earlier than a key’s specified min_decryption_version get archived, and the rest of the key versions belong to the working set. In an emergency, the min_decryption_version can be moved back to allow for legitimate decryption." Older versions remain available for decryption if needed.
The docs add: "Archiving a key version does not delete it; it simply marks it as outside the active working set, but Vault retains it for potential use." Thus, older versions are not removed, making B correct.
Reference:
HashiCorp Vault Documentation - Transit Secrets Engine: Working Set Management