Question 14 - HashiCorp Vault-Associate Real Exam Questions [Jan 2026 Update]

Q: 14

A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.

Options

Correct Answer:

Explanation

A web application that uses Vault’s transit secrets engine to encrypt data in-transit can benefit from

the following security features:

Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in

transit). This means that the attacker would need to obtain the encryption key from Vault in order to

decrypt the data, which is protected by Vault’s authentication and authorization mechanisms. The

transit secrets engine does not store the data sent to it, so the attacker cannot access the data from

Vault either.

The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be

decrypted. This means that the web application can periodically change the encryption key used to

encrypt the data, and set a minimum decryption version for the key, which prevents older versions of

the key from being used to decrypt the data. This way, even if the attacker somehow obtained an old

version of the key, they would not be able to decrypt the data that was encrypted with a newer

version of the key.

The other statements are not true, because:

You cannot rotate the encryption key so that the attacker won’t be able to decrypt the data. Rotating

the key alone does not prevent the attacker from decrypting the data, as they may still have access to

the old version of the key that was used to encrypt the data. You need to also move the

min_decryption_version forward to invalidate the old version of the key.

The Vault administrator would not need to seal the Vault server immediately. Sealing the Vault server

would make it inaccessible to both the attacker and the legitimate users, and would require

unsealing it with the unseal keys or the recovery keys. Sealing the Vault server is a last resort option

in case of a severe compromise or emergency, and is not necessary in this scenario, as the attacker

does not have access to the encryption key or the data in Vault. Reference: Transit - Secrets Engines |

Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp

Developer

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE