The exam consists mainly of multiple choice and true/false questions. In addition, there are UI area selection questions. Some of the multiple choice questions are scenario-based and test your understanding of how Vault is used.
Below are some examples so you can familiarize yourself with the exam format.
True/false questions
Q1: When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt it.
- True
- False
Correct: True
Incorrect: False
Q2: Batch tokens can be renewed indefinitely.
- True
- False
Incorrect: True
Correct: False
Q3: To seal a Vault, the client token must have the sudo capability on the sys/seal path.
- True
- False
Correct: True
Incorrect: False
Multiple choice questions
When there is more than one correct answer, the question explicitly states so. For example, "Choose TWO correct answers."
Q4: Which statement is true about an orphan token?
- It does not expire when its parent does
- It is not persisted
- It does not have a max time-to-live (TTL)
- It has a use limit
Correct: It does not expire when its parent does
Incorrect: It is not persisted
Incorrect: It does not have a max time-to-live (TTL)
Incorrect: It has a use limit
Q5: Which path will this policy allow?
- kv/team_edu
- kv/us-west/team
- kv/us-west/team_edu
- kv/us-west/ca/team_edu
Incorrect: kv/team_edu
Incorrect: kv/us-west/team
Correct: kv/us-west/team_edu
Incorrect: kv/us-west/ca/team_edu
Q6: What is true of Vault tokens? Choose TWO correct answers.
- Vault tokens are generated by every authentication method login
- Vault tokens are also known as unseal keys
- Vault tokens are required for every Vault call
- Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
- Vault tokens are the core method for authentication in Vault
Correct: Vault tokens are generated by every authentication method login
Incorrect: Vault tokens are also known as unseal keys
Incorrect: Vault tokens are required for every Vault call
Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
Correct: Vault tokens are the core method for authentication in Vault
Q7: Which statements correctly describe the command below? Choose TWO correct answers.
- Returns an error due to missing encryption key name
- Returns base64-encoded plaintext
- Decrypts the ciphertext if the token permits
- Returns the ciphertext
- Requires sudo capability on the transit/decrypt/password path
Incorrect: Returns an error due to missing encryption key name
Correct: Returns base64-encoded plaintext
Correct: Decrypts the ciphertext if the token permits
Incorrect: Returns the ciphertext
Incorrect: Requires sudo capability on the transit/decrypt/password path
Q8: An organization needs to protect sensitive application data currently stored in a database as plaintext. Which secrets engine provides a solution?
- Key/Value v2 secrets engine
- Cubbyhole secrets engine
- Transit secrets engine
- Database secrets engine
Incorrect: Key/Value v2 secrets engine
Incorrect: Cubbyhole secrets engine
Correct: Transit secrets engine
Incorrect: Database secrets engine
Q9: Which of the following statements explains the benefit of response wrapping? Choose TWO correct answers.
- Limits the time of secret exposure by having a short-lived wrapping token
- Allows versioning of the secrets
- It protects Vault's root key (previously known as master key)
- Only the reference to the secrets is transmitted over the public network
- Limits the size of secrets to be transmitted over the network
Correct: Limits the time of secret exposure by having a short-lived wrapping token
Incorrect: Allows versioning of the secrets
Incorrect: It protects Vault's root key (previously known as master key)
Correct: Only the reference to the secrets is transmitted over the public network
Incorrect: Limits the size of secrets to be transmitted over the network
Vault UI questions
Q10: You need to edit a policy, but the UI appears as shown. What is the problem?
- This is a UI error. Contact support.
- You don't have permission to manage policies.
- Vault UI does not support policy creation and management.
- Use the command shell in UI to manage policies.
Incorrect: This is a UI error. Contact support.
Correct: You don't have permission to manage policies.
Incorrect: Vault UI does not support policy creation and management.
Incorrect: Use the command shell in UI to manage policies.
Q11: Where on the page would you click to display the list of available Vault-created encryption keys?
To answer this question: Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.
Next steps
The Review Guide lists the exam objectives in a table, each with its corresponding documentation and Learn tutorial link. Use the table as your checklist to prepare for the exam.