Back to the course
Test yourself

Advanced secrets management

Final exam · 60 questions · answers explained as you pick
Architecture & threat model
12 questions
01The "secret-zero" problem is best described as…
Incorrect — it is not about ordering — it is about bootstrapping trust.
Correct — something must bootstrap trust; the strong answers use platform-native identity so no long-lived credential is shipped in the image.
Incorrect — TTL is unrelated to the bootstrap-trust problem.
Incorrect — the root token is one bad answer to secret-zero, not its definition.
02Why is "standing privilege" the thing dynamic secrets are meant to kill?
Incorrect — convenience is not the concern; exposure time is.
Incorrect — storage cost is irrelevant to the threat.
Correct — dynamic, short-lived, per-consumer credentials shrink the window in which a stolen secret is worth anything.
Incorrect — they can be encrypted; the problem is their lifetime, not their storage.
03A single Vault holds every team’s secrets. What is the "blast radius" argument for namespaces or per-team mounts?
Correct — isolation caps how far one breach or one fat-fingered policy can reach.
Incorrect — startup time is not the point of tenant isolation.
Incorrect — isolation does not reduce auditing — you want more, per tenant.
Incorrect — transport security is orthogonal to tenant isolation.
04What does Vault’s seal/unseal barrier actually protect?
Incorrect — that is TLS; the barrier is about data at rest.
Correct — unsealing reconstructs the key that decrypts the barrier, so a stolen storage volume alone is useless.
Incorrect — audit devices are separate from the storage barrier.
Incorrect — token limits are unrelated to the seal barrier.
05With Shamir unseal and a threshold of 3 of 5, what is true?
Incorrect — that would defeat the split; you need the threshold.
Incorrect — the threshold is 3, not 5 — that is the point of k-of-n.
Incorrect — no single share reveals the key; you need a quorum to reconstruct it.
Correct — k-of-n means a quorum unseals, so losing up to two shares is survivable and no single person can act alone.
06Auto-unseal backed by a cloud KMS changes the trust model how?
Incorrect — auto-unseal has nothing to do with transport security.
Incorrect — Vault still has durable storage; only the unseal step is automated.
Correct — you trade the operational pain of manual unseal for a dependency on the KMS key’s access control.
Incorrect — audit encryption is a separate concern from the seal mechanism.
07Raft integrated storage in Vault replaces what?
Correct — integrated storage keeps the data on the Vault nodes with built-in Raft consensus, removing the separate storage cluster.
Incorrect — Raft is about storage/consensus, not the listener.
Incorrect — auditing is unchanged by the storage choice.
Incorrect — ACL evaluation is independent of where state is stored.
08In an HA Vault cluster, how does a standby node handle a client request?
Incorrect — only one node is active; standbys do not serve reads/writes independently in open-source HA.
Correct — standbys are hot spares; the active node holds the write lock and handles traffic until failover.
Incorrect — requests are not rejected; they are forwarded/redirected.
Incorrect — active/standby is not active/active; there is no split.
09Disaster-recovery (DR) replication differs from performance replication because DR…
Incorrect — that describes performance replication, not DR.
Incorrect — DR replicates everything, including tokens and leases, so it can take over.
Correct — DR is for failover; performance replication is for scaling reads across regions with local secondaries.
Incorrect — they solve different problems — failover vs read scaling.
10In AppRole, which value is the "secret" half of the credential pair?
Incorrect — the role-id is like a username — not sensitive on its own.
Correct — role-id (public-ish) plus secret-id (sensitive, delivered out-of-band) is the split that makes AppRole safer than a single token.
Incorrect — the path is not a credential.
Incorrect — policy names are not secrets.
11Response wrapping helps deliver secret-id (or any secret) because…
Correct — single delivery is provable: a used wrapping token is a tamper signal.
Incorrect — wrapping is about controlled delivery, not compression.
Incorrect — the wrapping token is transient, not durable storage.
Incorrect — the intended party can and does unwrap it; the control is single-use delivery.
12The strongest answer to secret-zero for a pod on Kubernetes is…
Incorrect — the image is copied, cached, and forked — a durable secret in it is a standing liability.
Incorrect — ConfigMaps are unencrypted and visible; worse than a Secret.
Incorrect — manual out-of-band delivery does not scale and is not auditable.
Correct — the Kubernetes auth method trades the SA JWT for a Vault token at runtime — no pre-shared secret in the image.
12 questions · explanations appear as you answer
Dynamic secrets & crypto engines
12 questions
01Dynamic database credentials limit blast radius mainly because they are…
Incorrect — entropy helps a little, but lifetime is the real lever.
Correct — revoking the lease kills the credential everywhere, and an already-expired stolen cred is a non-event.
Incorrect — static secrets can be encrypted too; that is not what caps the damage.
Incorrect — yearly rotation is the opposite of short-lived.
02Revoking a parent lease in Vault does what to the dynamic secrets issued under it?
Correct — lease trees let you kill an entire branch (e.g. all creds a token issued) in one action during an incident.
Incorrect — leases form a hierarchy; parents revoke children.
Incorrect — revocation shortens, never extends.
Incorrect — there is no such conversion.
03What is the role of max_ttl versus ttl on a dynamic secret?
Incorrect — they are distinct ceilings.
Incorrect — it is the other way around.
Correct — a consumer can renew up to max_ttl, then must obtain a fresh credential — bounding total exposure.
Incorrect — max_ttl governs dynamic lease renewal.
04With the Transit engine, where does the plaintext data live?
Incorrect — Transit does not store your data.
Incorrect — Transit never persists your plaintext.
Incorrect — audit logs HMAC sensitive fields; they are not a data store.
Correct — "encryption as a service" means Vault does the crypto and guards the key, while your database holds the ciphertext.
05Convergent encryption in Transit means…
Incorrect — that is the normal, non-convergent mode.
Correct — convergent mode trades some confidentiality (you can tell two ciphertexts share a plaintext) for the ability to dedupe or search.
Incorrect — keys do not decay; this is about deterministic output.
Incorrect — convergence is about determinism, not compression.
06After you rotate a Transit key, previously-encrypted ciphertext…
Correct — rotation adds a new version; old versions remain until you retire them, so nothing breaks on rotation day.
Incorrect — that would make rotation catastrophic; versions preserve decryptability.
Incorrect — no — it can be rewrapped at leisure.
Incorrect — you choose when to rewrap; it is not automatic across your datastore.
07What does min_decryption_version let you do?
Incorrect — unrelated to transport.
Incorrect — that is a lease setting, not a key-version control.
Correct — raising the floor invalidates old versions, which (after rewrapping good data) shrinks what a leaked old key can open.
Incorrect — it manages versions, not key size.
08The security case for 24-hour PKI leaf certificates over 1-year certs plus a CRL is…
Incorrect — cost is not the argument.
Correct — CRLs and OCSP are famously unreliable to enforce; expiry is a revocation mechanism that always works.
Incorrect — internal PKI is not bound by browser policy here.
Incorrect — they exist; they are just weakly enforced in practice.
09Why sign leaf certificates with an intermediate CA rather than the root directly?
Correct — the root is the crown jewel — keep it cold, delegate day-to-day issuance to an intermediate that is replaceable.
Incorrect — roots can sign; you choose not to for blast-radius reasons.
Incorrect — chain length is a side effect, not the goal.
Incorrect — TLS does not mandate an intermediate; this is operational hygiene.
10cert-manager pointed at a Vault PKI issuer gives you…
Incorrect — the whole point is to remove the manual step.
Incorrect — it enables shorter ones by automating renewal.
Incorrect — keys stay in the cluster; nothing goes to Git.
Correct — controllers renew ahead of expiry so 24-hour certs are operable without humans in the loop.
11A Transit datakey (envelope) operation returns…
Incorrect — Transit does not handle your bulk data.
Correct — envelope encryption: encrypt large data locally with the plaintext DEK, discard it, and keep the wrapped DEK for later unwrap.
Incorrect — datakeys are for envelope encryption, not tokens.
Incorrect — that is the PKI engine, not Transit datakeys.
12Transit tokenization differs from Transit encryption in that tokenization…
Incorrect — it is not encryption of the value at all.
Incorrect — it does not; the mapping is protected.
Correct — unlike ciphertext (which is a transform of the plaintext), a token is a reference; compromising the algorithm alone does not reverse it.
Incorrect — tokens are references, not a reversible transform of the input.
12 questions · explanations appear as you answer
Identity, policy & multi-tenancy
12 questions
01In Vault’s identity system, an entity and its aliases represent…
Correct — a human who logs in via OIDC and also holds an AppRole is one entity with two aliases — policies and metadata attach once.
Incorrect — the alias links a login back to a single entity.
Incorrect — that is lease/token mechanics, not identity.
Incorrect — policies are separate from entities.
02A templated ACL policy such as secret/data/{{identity.entity.id}}/* matters because it…
Incorrect — performance is not the point.
Correct — one templated policy replaces thousands and can never accidentally grant cross-tenant access.
Incorrect — unrelated to root.
Incorrect — templating substitutes identity values; it does not encrypt.
03If one policy grants read on a path and another denies it for the same token, Vault…
Incorrect — specificity does not override an explicit deny.
Incorrect — it resolves deterministically, it does not error.
Correct — deny precedence is a safety property: a mistaken broad allow cannot override a deliberate deny.
Incorrect — evaluation is deterministic, never random.
04Group-based policies in Vault identity are useful because…
Correct — attach a policy to a group (often mapped from an external directory) and membership drives entitlement.
Incorrect — groups grant policies; they do not bypass evaluation.
Incorrect — entities can be apps too; groups apply broadly.
Incorrect — groups carry policy, not secret data.
05A Sentinel Endpoint-Governing Policy (EGP) versus a Role-Governing Policy (RGP): the EGP…
Incorrect — that is closer to how RGPs attach to identities/tokens.
Correct — EGPs guard endpoints regardless of token; RGPs govern what a given token/role can do.
Incorrect — Sentinel is HashiCorp’s own language, not Rego.
Incorrect — Sentinel can hard-enforce, not just advise.
06A control group requires that…
Incorrect — it is about approval, not waiting on a timer.
Incorrect — not a batching mechanism.
Incorrect — not an encryption feature.
Correct — control groups add human approval to access, so no single person can read the most sensitive material alone.
07Vault Enterprise namespaces provide hard multi-tenancy by…
Correct — a namespace is effectively a Vault-within-Vault, so tenants cannot see or reach each other’s mounts.
Incorrect — that would be the opposite of isolation.
Incorrect — isolation does not reduce auditing.
Incorrect — merging removes isolation.
08A SPIFFE SVID is…
Incorrect — SPIFFE explicitly avoids shared secrets.
Incorrect — it is an identity document, not a network rule.
Correct — spiffe://trust-domain/workload — the SVID lets a service prove identity without any pre-shared secret.
Incorrect — unrelated to k8s namespaces directly.
09How does SPIRE hand a workload its identity without a bootstrap secret?
Incorrect — no secret is shipped; that would recreate secret-zero.
Correct — attestation replaces the pre-shared secret: the platform vouches for the workload, then SPIRE mints a short-lived SVID.
Incorrect — there is no guessing; attestation is deterministic.
Incorrect — nothing is read from source control.
10SPIFFE federation lets workloads in different trust domains authenticate by…
Correct — bundle exchange establishes cross-domain trust without a shared secret or a central authority.
Incorrect — sharing keys is exactly what SPIFFE avoids.
Incorrect — network reachability is not identity trust.
Incorrect — federation is at the SPIFFE layer, not Vault entity copy.
11Why is identity-based authorization stronger than authorizing by network location (IP/subnet)?
Incorrect — in cloud/k8s they are ephemeral, which is part of the problem.
Incorrect — it can be logged; it is just a weak authorizer.
Incorrect — speed is irrelevant to the security argument.
Correct — "who you are" beats "where you are" once addresses are ephemeral and the perimeter is porous.
12After initial setup, the Vault root token should be…
Incorrect — a durable root token is a standing catastrophe if leaked.
Correct — no standing super-user: recreate a root on demand from recovery keys, use it, revoke it.
Incorrect — automation should use scoped, short-lived tokens, never root.
Incorrect — that turns the crown-jewel token into a widely-copied secret.
12 questions · explanations appear as you answer
Platform integration
12 questions
01The Vault Agent Injector delivers a secret into a pod by…
Incorrect — env vars leak via /proc, crash dumps, and child processes; the injector avoids that.
Incorrect — ConfigMaps are unencrypted and not for secrets.
Correct — the shared memory volume keeps the secret off disk and out of the environment, refreshed as it renews.
Incorrect — that is a durable secret in the image — the anti-pattern.
02The Secrets Store CSI driver differs from the Agent Injector in that it…
Correct — CSI presents secrets as files through the kubelet’s volume machinery instead of running an injected agent alongside your app.
Incorrect — it still authenticates to the provider; it just delivers differently.
Incorrect — neither approach uses Git.
Incorrect — it delivers secrets, not ConfigMaps.
03The External Secrets Operator (ESO) keeps a Kubernetes Secret correct by…
Incorrect — a one-shot copy drifts; ESO reconciles continuously.
Correct — ESO watches an ExternalSecret CR and refreshes the native Secret so apps consume secrets the normal k8s way, kept in sync with the source of truth.
Incorrect — ESO syncs values; it does not manage etcd encryption.
Incorrect — that is cert-manager’s job.
04A trade-off of any approach that syncs into a native Kubernetes Secret (ESO, CSI sync) is that…
Incorrect — the point is that it does not — it reads a normal Secret.
Incorrect — they can; the operator refreshes them.
Incorrect — it is cluster-wide, not node-bound.
Correct — convenience (native Secret) reintroduces the etcd-at-rest exposure the external manager was partly meant to avoid — so encrypt etcd and lock down get/list.
05Envelope encryption uses a DEK wrapped by a KEK primarily so that…
Correct — rotate the wrapping key and re-wrap the tiny DEKs; the bulk ciphertext stays put.
Incorrect — the hierarchy is about manageability, not relative strength.
Incorrect — there are still keys — two layers of them.
Incorrect — decryption still requires unwrapping the DEK with the KEK.
06When you call a cloud KMS to protect data, what typically never leaves the KMS/HSM boundary?
Incorrect — ciphertext lives in your storage, outside KMS.
Correct — the whole value proposition is that the key never exports; only wrap/unwrap operations cross the boundary.
Incorrect — policy is configuration, not key material.
Incorrect — logs are emitted outward; the key is what stays in.
07Vault "seal wrap" adds what, and why does it matter for compliance?
Incorrect — seal wrap is about cryptographic protection, not size.
Incorrect — it does the opposite of weakening controls.
Correct — seal wrap routes critical values through the HSM/KMS seal, which auditors credit toward FIPS requirements.
Incorrect — unrelated and never desirable.
08PKCS#11 is…
Correct — it is the common interface Vault (and others) use to offload key operations to an HSM.
Incorrect — not related to k8s admission.
Incorrect — it is a crypto-token API, not a cipher.
Incorrect — no — that is gitleaks/trufflehog territory.
09The security value of BYOK/CMK (customer-managed keys) is that…
Incorrect — that is provider-managed, not customer-managed.
Correct — pull the key and the encrypted data becomes unreadable — a powerful offboarding and containment control.
Incorrect — it strengthens control, it does not remove encryption.
Incorrect — keys never go to source control.
10AWS Secrets Manager rotation via a Lambda follows a four-step contract. Which ordering is correct?
Incorrect — you must create and set before you test or finish.
Incorrect — creation comes before setting the new value on the service.
Correct — the staged-then-promoted flow means a failed rotation never leaves the app without a working credential.
Incorrect — that is the sequence reversed.
11When is a managed cloud secret manager "enough" versus standing up Vault?
Incorrect — Vault adds dynamic secrets, PKI, transit, and cross-cloud identity that managers lack.
Incorrect — they are perfectly secure for their scope.
Incorrect — their scope is broader than certs.
Correct — match the tool to the requirement instead of defaulting to the heaviest option.
12A key ceremony with split knowledge and dual control exists to…
Correct — high-assurance key generation (often FIPS-driven) deliberately removes any single point of trust or failure.
Incorrect — ceremonies add rigor, not speed.
Incorrect — ceremonies usually happen with an HSM, not instead of one.
Incorrect — the key is never exposed; the process is what auditors review.
12 questions · explanations appear as you answer
Operations, detection & response
12 questions
01The dual-secret (two-slot) rotation pattern avoids downtime by…
Incorrect — frequency is not what prevents the outage.
Correct — the overlap means no instant in which every consumer is holding an invalid credential.
Incorrect — stale-forever caching is the bug, not the fix.
Incorrect — roots must rotate too; the pattern is how you do it safely.
02How long must the rotation overlap window be to be safe?
Incorrect — arbitrary fixed values ignore how long consumers cache.
Incorrect — too short and some consumer still holds the old value when it dies.
Correct — you can only retire the old credential once you are certain nothing still relies on it.
Incorrect — an instant cutover is exactly the outage you are trying to avoid.
03The safe ordering for zero-downtime credential rotation is…
Correct — new-before-retire guarantees an always-valid credential throughout.
Incorrect — that leaves a gap where nothing works.
Incorrect — distributed consumers do not update atomically.
Incorrect — guaranteed outage.
04On confirming a secret has leaked (e.g. pushed to a public repo), the first action is to…
Incorrect — a valid leaked credential is an open door; do not leave it open to study the lock.
Correct — assume it is already harvested; kill its power first, forensics second.
Incorrect — history rewrite does not un-leak — copies and forks exist; you must rotate.
Incorrect — a policy conversation is not incident response.
05A honeytoken (canary credential) is valuable because…
Incorrect — it grants nothing; it is bait.
Incorrect — it is a detection tool, not a rotation tool.
Incorrect — unrelated to logging crypto.
Correct — plant it where an intruder would find it; the first touch is an alarm with almost no false positives.
06Why is "we rewrote the Git history, so we are fine" the wrong conclusion after a committed secret?
Correct — once pushed, treat it as public forever; scrubbing the branch does not recall the copies.
Incorrect — it is possible; it is just insufficient.
Incorrect — Git is history; that is not the issue.
Incorrect — nonsensical — exposure does not strengthen it.
07A pre-commit / pre-receive secret-scanning hook helps by…
Incorrect — it detects secrets, it does not encrypt.
Correct — stopping the leak at the boundary is far cheaper than rotating after the fact.
Incorrect — rotation is a separate control.
Incorrect — that is commit signing, a different control.
08A Vault audit device HMACs sensitive fields so that…
Incorrect — HMAC is about protection, not speed.
Incorrect — the opposite — values are hashed, not clear.
Correct — you can correlate access (same value hashes alike) without the log leaking the secrets it records.
Incorrect — failures are logged too; HMAC only protects field contents.
09By default, if Vault cannot write to its (only) audit device, it…
Correct — auditability is treated as mandatory; run redundant audit devices so a single sink outage does not halt Vault.
Incorrect — that would create an unauditable gap — exactly what fail-closed prevents.
Incorrect — it does not destroy data on audit failure.
Incorrect — it does not weaken protection; it blocks.
10Break-glass access to a sealed Vault typically relies on…
Incorrect — a single durable credential is the very risk break-glass procedures avoid.
Correct — no one person can invoke it; the k-of-n ceremony plus alerting makes emergency access rare, controlled, and visible.
Incorrect — break-glass must be the most-logged action, not the least.
Incorrect — that defeats the entire model.
11Regenerating a root token for a genuine emergency is done by…
Incorrect — no durable root exists to read; that is the point.
Incorrect — root generation requires a quorum, not one person.
Correct — ephemeral root on demand: create with the quorum, do the task, revoke immediately.
Incorrect — a restart does not create a root token.
12Why run a scheduled DR drill instead of trusting that replication "should" work?
Incorrect — the goal is confidence, not speed.
Incorrect — unrelated to secret count.
Incorrect — DR applies everywhere; the reason to drill is different.
Correct — you find the missing recovery key or the wrong DNS TTL in a drill, not at 3am during the real thing.
12 questions · explanations appear as you answer