HashiCorp Certified: Vault Associate (002) — Question 89
A web application uses Vault’s transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit, which of the following statements are true? (Choose two.)
Answer options
- A. You can rotate the encryption key so that the attacker won't be able to decrypt the data
- B. The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted
- C. Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
- D. The Vault administrator would need to seal the Vault server immediately
Correct answer: A, C
Explanation
The correct answers are A and C. Rotating the encryption key (A) prevents the attacker from decrypting previously intercepted data, while C highlights that the attacker only has access to encrypted information due to the encryption in transit. Option B is incorrect because moving the min_decryption_version does not apply to previously intercepted data, and option D is irrelevant as sealing the Vault server is not necessary in this context.