Free Practice Questions for HashiCorp HCVA0-003 Exam

The CLI command vault login -method ldap username=mitchellh generates a token that is response wrapped. This means that the token contains a base64-encoded response wrapper, which is a JSON object that contains information about the token, such as its policies, metadata, and expiration time. The response wrapper is used to verify the authenticity and integrity of the token, and to prevent replay attacks. The response wrapper also allows Vault to automatically renew the token when it expires, or to revoke it if it is compromised. The -method ldap option specifies that the authentication method is LDAP, which requires a username and password to be provided. The username mitchellh is an example of an LDAP user name, and the password will be hidden when entered. References:  Vault CLI Reference | Vault | HashiCorp Developer ,  Vault CLI Reference | Vault | HashiCorp Developer

The statement is false. The Vault encryption key is not stored in Vault’s backend storage, but rather in Vault’s memory. The Vault encryption key is the key that is used to encrypt and decrypt the data that is stored in Vault’s backend storage, such as secrets, tokens, policies, etc. The Vault encryption key is derived from the master key, which is generated when Vault is initialized. The master key is split into unseal keys using Shamir’s secret sharing algorithm, and the unseal keys are distributed to trusted operators. To start Vault, a quorum of unseal keys is required to reconstruct the master key and derive the encryption key. The encryption key is then kept in memory and used to protect the data in Vault’s backend storage. The encryption key is never written to disk or exposed via the API. References:  Seal/Unseal | Vault | HashiCorp Developer ,  Key Rotation | Vault | HashiCorp Developer

Comprehensive and Detailed in Depth Explanation:

Token is enabled by default and cannot be disabled.

Userpass is explicitly enabled.

Total: 2 auth methods.

Overall Explanation from Vault Docs:

“Tokens are the default auth method… Additional methods like userpass increase the count.”

Comprehensive and Detailed in Depth Explanation:

Vault can generate time-based one-time passwords (TOTP) for multi-factor authentication (MFA), mimicking apps like Google Authenticator. Let’s evaluate:

Option A: Cubbyhole Cubbyhole is a per-token secret store, not a TOTP generator. It’s for temporary secret storage, not MFA code generation. Incorrect. Vault Docs Insight: “Cubbyhole stores secrets tied to a token… no TOTP functionality.” (Different purpose.)

Option B: The random byte generator Vault’s /sys/tools/random endpoint generates random bytes, not time-based codes synced with a clock (TOTP requirement). It’s for generic randomness, not MFA. Incorrect. Vault Docs Insight: “Random bytes are not time-based… unsuitable for TOTP.” (Unrelated feature.)

Option C: TOTP secrets engine The TOTP engine generates and validates TOTP codes (e.g., 6-digit codes every 30s) using a shared secret, just like Google Authenticator. You create a key (vault write totp/keys/my-key) and fetch codes (vault read totp/code/my-key). Perfect for programmatic MFA. Correct. Vault Docs Insight: “The TOTP secrets engine can act as a TOTP code generator… replacing traditional generators like Google Authenticator.” (Exact match.)

Option D: The identity secrets engine The Identity engine manages user/entity identities and policies, not TOTP codes. It’s for identity management, not MFA generation. Incorrect. Vault Docs Insight: “Identity engine handles identity data… no TOTP generation.” (Different scope.)

Detailed Mechanics:

Enable: vault secrets enable totp. Create key: vault write totp/keys/my-key issuer=Vault. Get code: vault read totp/code/my-key returns { " data " :{ " code " : " 123456 " }}. Codes sync with time (RFC 6238), usable in APIs or apps.

Overall Explanation from Vault Docs:

“The TOTP secrets engine can act as a TOTP code generator… It provides an added layer of security since the ability to generate codes is guarded by policies and audited.”

Comprehensive and Detailed in Depth Explanation:

Vault tokens have a Time-To-Live (TTL) that determines their expiration time, after which they are revoked. Parent-child relationships mean that revoking a parent token also revokes its children, regardless of their TTLs. Let’s analyze:

A: TTL 4 hours - Expires after 4 hours, no children listed.

B: TTL 6 hours - Expires after 6 hours, parent to C.

C: TTL 4 hours (child of B) - Expires after 4 hours or if B is revoked earlier.

D: TTL 3 hours - Expires after 3 hours, parent to E.

E: TTL 5 hours (child of D) - Expires after 5 hours or if D is revoked earlier.

Analysis:

Shortest TTL is D (3 hours), so it expires first unless a parent above it (none listed) is revoked sooner.

E (5 hours) is a child of D. If D is revoked at 3 hours, E is also revoked, despite its longer TTL.

A and C (4 hours) expire after D.

B (6 hours) expires last among parents.

The question asks which token(s) are revoked first based on TTL alone, not manual revocation. D has the shortest TTL (3 hours) and will be revoked first. E’s revocation depends on D, but the question focuses on initial expiration. Thus, only D is revoked first based on its TTL.

Overall Explanation from Vault Docs:

Tokens form a hierarchy where child tokens inherit revocation from their parents. “When a parent token is revoked, all of its child tokens—and all of their leases—are revoked as well.” TTL dictates automatic expiration unless overridden by manual revocation or parent revocation. Here, D’s 3-hour TTL is the shortest, making it the first to expire naturally.

Comprehensive and Detailed in Depth Explanation:

Vault tokens have two key time attributes: TTL (Time-To-Live) and Max TTL (Maximum Time-To-Live), governing their lifecycle. Let’s dissect each option:

Option A: The TTL defines when the token will expire and be revoked The TTL is the current lifespan of a token before it expires. For example, a token with a TTL of 24h (vault token create -ttl=24h) expires 24 hours from creation unless renewed. Upon expiry, Vault revokes it automatically. This is a fundamental property of TTL, making this statement accurate. Correct. Vault Docs Insight: “The TTL defines when the token will expire… if it reaches its TTL, it will be revoked by Vault.” (Core definition.)

Option B: The TTL defines when another token will be generated TTL governs expiration, not token generation. New tokens are created explicitly (e.g., vault token create) or via auth methods, not automatically by TTL. This misunderstands TTL’s role—it’s about expiry, not regeneration. Incorrect. Vault Docs Insight: “TTL is the duration until expiration… New tokens are not generated by TTL.” (No generation link.)

Option C: The Max TTL defines the timeframe for which a token cannot be used This is backwards. Max TTL sets the upper limit a token can exist through renewals, not a period of inactivity or unusability. A token with a Max TTL of 72h can be renewed up to 72 hours from creation, after which it’s revoked. This option inverts the concept. Incorrect. Vault Docs Insight: “Max TTL defines the maximum timeframe for which the token can be renewed… not a usage restriction.” (Opposite meaning.)

Option D: The Max TTL defines the maximum timeframe for which a token can be renewed Max TTL caps the total lifespan of a token, including renewals. For example, a token with TTL=24h and Max TTL=72h (vault token create -ttl=24h -explicit-max-ttl=72h) can be renewed twice (24h + 24h + 24h = 72h) before hitting the limit. Beyond 72h, renewal fails, and it expires. This is the precise definition of Max TTL. Correct. Vault Docs Insight: “The Max TTL defines the maximum timeframe for which the token can be renewed… Once reached, it cannot be renewed further.” (Exact match.)

Detailed Mechanics:

TTL is dynamic, decreasing as time passes (e.g., vault token lookup shows ttl: 23h59m50s after 10 seconds). Renewal (vault token renew) resets TTL to its original value (e.g., 24h), but only up to Max TTL from creation. System defaults (768h/32 days) apply unless overridden. Periodic tokens (-period=24h) renew indefinitely within their period, ignoring Max TTL unless explicitly set.

Real-World Example:

Create: vault token create -ttl=1h -explicit-max-ttl=3h. After 1h, TTL=0, renewable. Renew at 2h total, TTL=1h again. At 3h total, Max TTL hits—revoked. Contrast with TTL-only: vault token create -ttl=1h, renewable up to system Max TTL (768h).

Overall Explanation from Vault Docs:

“The TTL defines when the token will expire… If it reaches its TTL, it will be immediately revoked by Vault. The Max TTL defines the maximum timeframe for which the token can be renewed… Once the Max TTL is reached, the token cannot be renewed any longer and will be revoked.” These attributes ensure controlled token lifecycles.

Comprehensive and Detailed in Depth Explanation:

Vault replication ensures data consistency across clusters, using a specific port:

A: 8200 - Default HTTP API port, not replication.

B: 8300 - Raft protocol port, not replication.

C: 8201 - Default replication port. Correct.

D: 8301 - Serf protocol port, not replication.

Overall Explanation from Vault Docs:

“Replication occurs on TCP port 8201 by default… distinct from the API (8200) and Raft (8300) ports.”

Comprehensive and Detailed in Depth Explanation:

Token renewal extends a token’s TTL. Let’s evaluate:

A: TTL - Defines expiration time, not used for renewal. Incorrect.

B: Token ID - The token’s unique identifier; can be specified to renew it (e.g., vault token renew < token-id > ). Correct.

C: Identity policy - Relates to access control, not renewal. Incorrect.

D: Token accessor - A unique identifier for operations like renewal without exposing the token (e.g., vault token renew -accessor < accessor > ). Correct.

Overall Explanation from Vault Docs:

“Tokens can be renewed with vault token renew using either the token ID or accessor… TTL is not an attribute for renewal.”

Comprehensive and Detailed in Depth Explanation:

cubbyhole is default; kv and transit are user-enabled. Total: 3.

Overall Explanation from Vault Docs:

“cubbyhole is enabled by default… User-enabled engines add to this.”

Comprehensive and Detailed in Depth Explanation:

KV v2 supports versioning. Let’s evaluate:

A: destroy removes a specific version permanently. Correct.

B: destroy targets specified versions, not all. Incorrect.

C: delete soft-deletes the current version. Correct.

D: metadata delete removes all versions and metadata. Correct.

Overall Explanation from Vault Docs:

“kv delete soft-deletes… kv destroy permanently removes versions… kv metadata delete wipes everything.”