The environment variable VAULT_ADDR overrides the CLI’s default Vault server address. The VAULT_ADDR environment variable specifies the address of the Vault server that is used to communicate with Vault from other applications or processes. By setting this variable, you can avoid hard-coding the Vault server address in your code or configuration files, and you can also use different addresses for different environments or scenarios. For example, you can use a local development server for testing purposes, and a production server for deploying your application. References: Commands (CLI) | Vault | HashiCorp Developer, Vault Agent - secrets as environment variables | Vault | HashiCorp Developer
Question 2
The following three policies exist in Vault. What do these policies allow an organization to do?
Options:
A.
Separates permissions allowed on actions associated with the transit secret engine
B.
Nothing, as the minimum permissions to perform useful tasks are not present
C.
Encrypt, decrypt, and rewrap data using the transit engine all in one policy
D.
Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data
Answer:
C
Explanation:
Explanation:
The three policies that exist in Vault are:
admins: This policy grants full access to all secrets and operations in Vault. It can be used by administrators or operators who need to manage all aspects of Vault.
default: This policy grants access to all secrets and operations in Vault except for those that require specific policies. It can be used as a fallback policy when no other policy matches.
transit: This policy grants access only to the transit secrets engine, which handles cryptographic functions on data in-transit. It can be used by applications or services that need to encrypt or decrypt data using Vault.
These policies allow an organization to perform useful tasks such as:
Encrypting, decrypting, and rewrapping data using the transit engine all in one policy: This policy grants access to both the transit secrets engine and the default policy, which allows performing any operation on any secret in Vault.
Creating a transit encryption key for encrypting, decrypting, and rewrapping encrypted data: This policy grants access only to the transit secrets engine and its associated keys, which are used for encrypting and decrypting data in transit using AES-GCM with a 256-bit AES key or other supported key types.
Separating permissions allowed on actions associated with the transit secret engine: This policy grants access only to specific actions related to the transit secrets engine, such as creating keys or wrapping requests. It does not grant access to other operations or secrets in Vault.
Question 3
Which statement describes the results of this command: $ vault secrets enable transit
Options:
A.
Enables the transit secrets engine at transit path
B.
Requires a root token to execute the command successfully
C.
Enables the transit secrets engine at secret path
D.
Fails due to missing -path parameter
E.
Fails because the transit secrets engine is enabled by default
Answer:
A
Explanation:
Explanation:
The command vault secrets enable transit enables the transit secrets engine at the transit path. The transit secrets engine is a secrets engine that handles cryptographic functions on data in-transit, such as encryption, decryption, signing, verification, hashing, and random bytes generation. The transit secrets engine does not store the data sent to it, but only performs the requested operations and returns the results. The transit secrets engine can also be viewed as “cryptography as a service” or “encryption as a service”. The command vault secrets enable transit uses the default path of transit for the secrets engine, but this can be changed by using the -path option. For example, vault secrets enable -path=my-transit transit would enable thetransit secrets engine at the my-transit path. References: Transit - Secrets Engines | Vault | HashiCorp Developer, vault secrets enable - Command | Vault | HashiCorp Developer