HashiCorp Certified: Vault Associate (002) — Question 34
You are using Vault’s Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?
Answer options
- A. Use a 4096-bit RSA key to encrypt the data
- B. Upgrade to Vault Enterprise and integrate with HSM
- C. Periodically re-key the Vault's unseal keys
- D. Periodically rotate the encryption key
Correct answer: D
Explanation
The correct answer is D: periodically rotating the encryption key minimizes the amount of data that can be compromised if a key is stolen. Options A and B do not address the issue of key compromise; they focus on key strength and HSM integration, respectively. Option C concerns Vault's unseal keys, which are not directly tied to data encryption in this context.