A web application uses Vault’s transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit, which of the following statements are true? (Choose two.)
A. You can rotate the encryption key so that the attacker won't be able to decrypt the data
B. The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted
B. The Vault administrator would need to seal the Vault server immediately
C. Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
B (first) and C
A > If you just rotate the encryption key, the attacker could use the previous version of the key to decrypt (if he had access to the keyring).
B (second) > Sealing the Vault doesn't make sense. If the attacker has the decryption key also, sealing the Vault wouldn't make a difference. The right approach is to rotate the key and move forward the min_decryption_version.
B(first) and C
B(first): https://developer.hashicorp.com/vault/docs/secrets/transit
C: https://developer.hashicorp.com/vault/tutorials/encryption-as-a-service/eaas-transit
upvoted 2 times
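
The difference between options A and B (first) comes down to which key versions Vault will still serve decrypt requests for. The Python model below is an added illustration, not part of the original discussion and not Vault's own code; the function names and sample ciphertexts are constructed, and only the `vault:v<N>:` ciphertext prefix and the `min_decryption_version` setting come from the transit engine.

```python
import re

# Transit ciphertext format: vault:v<key version>:<base64 payload>
CIPHERTEXT_RE = re.compile(r"^vault:v(\d+):[A-Za-z0-9+/]+={0,2}$")


def key_version(ciphertext):
    """Return the key version embedded in a transit ciphertext prefix."""
    match = CIPHERTEXT_RE.match(ciphertext)
    if match is None:
        raise ValueError(f"not a transit ciphertext: {ciphertext!r}")
    return int(match.group(1))


def decrypt_outcome(ciphertext, latest_version, min_decryption_version):
    """Model of whether Vault would serve a decrypt request for this ciphertext."""
    version = key_version(ciphertext)
    if version > latest_version:
        return "unknown-version"
    if version < min_decryption_version:
        return "refused"
    return "allowed" if version == latest_version else "allowed-needs-rewrap"


def blocked_by_new_minimum(stored_ciphertexts, new_min):
    """Ciphertexts that must be rewrapped before min_decryption_version is raised."""
    return [c for c in stored_ciphertexts if key_version(c) < new_min]


# Constructed sample values (payloads are placeholders, not real Vault output).
INTERCEPTED = "vault:v1:Y29uc3RydWN0ZWQx"
STORED = [INTERCEPTED, "vault:v1:Y29uc3RydWN0ZWQy", "vault:v2:Y29uc3RydWN0ZWQz"]

if __name__ == "__main__":
    # Option A: rotation alone (latest 1 -> 2, minimum still 1).
    print("rotate only:", decrypt_outcome(INTERCEPTED, 2, 1))
    # Option B (first): rotation plus min_decryption_version=2.
    print("rotate + min=2:", decrypt_outcome(INTERCEPTED, 2, 2))
    # Caveat: legitimate v1 records need rewrapping before the minimum moves.
    print("rewrap first:", blocked_by_new_minimum(STORED, 2))
```

Legitimate records still encrypted under an older key version have to be rewrapped to the latest version before the minimum is raised, otherwise they become undecryptable as well.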
agueda (5 months, 2 weeks ago)
nginx_aws (7 months, 2 weeks ago)
3fac4ef (8 months, 3 weeks ago)
Mark1000 (9 months, 4 weeks ago)