HashiCorp Certified: Vault Associate (002) — Question 80
One of the benefits of using the Vault transit secrets engine is its ability to easily rotate encryption keys. Which of these is true regarding key rotation?
Answer options
- A. Vault automatically rotates the encryption key based on a set period
- B. Vault can rotate encryption keys, but cannot enforce restrictions about the minimum encryption key version
- C. Vault does not maintain the versioned keyring
- D. Encryption keys can be rotated manually by a user, or by an automated process which invokes the key rotation API
Correct answer: D
Explanation
The correct answer is D because Vault allows for both manual and automated key rotation through its API, providing flexibility in key management. Option A is incorrect as Vault does not automatically rotate keys based on a time schedule. Option B is incorrect because Vault does maintain key versions when it rotates keys, so restrictions on the minimum key version can be enforced. Option C is wrong since Vault does maintain a versioned keyring to support key rotation.