You Can Pass This Exam For Free
Choose Your Study Path
Limited experience with HashiCorp tools or secrets management. You need to learn both Vault fundamentals and infrastructure security concepts from scratch.
Exam Overview
Format
57 questions, 60 minutes. Multiple choice, multiple answer, and true/false questions.
Scoring
Passing score is approximately 70%. No penalty for wrong answers -- always answer every question.
Domains & Weights
- Authentication Methods15%
- Vault Policies13%
- Vault Tokens15%
- Vault Leases7%
- Secrets Engines20%
- Encryption as a Service5%
- Vault Architecture Fundamentals8%
- Vault Deployment Architecture12%
- Access Management Architecture5%
Registration
$70.5 USD. Online proctored exam administered through Certiverse (HashiCorp's own exam portal, replacing PSI in May 2024). Exam fee is $70.50 USD. Available in English only.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Authentication Methods
This domain covers how users and machines prove their identity to Vault. You must understand the different authentication methods, when to use each one, and the distinction between human and machine auth methods. Identity entities and groups allow mapping multiple auth methods to a single identity.
Key Topics
Must-Know Concepts
- Authentication methods are pluggable components that verify identity and return a Vault token upon successful authentication
- Human auth methods (userpass, LDAP, OIDC) require interactive login; machine auth methods (AppRole, AWS, Kubernetes) enable automated authentication
- AppRole uses role_id (like a username, relatively static) and secret_id (like a password, can be dynamic and single-use) for machine authentication
- Identity entities represent a single person or machine across multiple auth methods; groups aggregate entities for unified policy assignment
- You can authenticate via CLI (vault login), API (POST to /v1/auth/<method>/login), or UI (web interface login form)
- Auth methods must be explicitly enabled before use (vault auth enable <method>) and can be mounted at custom paths
- Each auth method maps to policies that determine what the resulting token can access
Common Exam Traps
Vault Policies
Policies are the primary authorization mechanism in Vault. Written in HCL, they define what paths a token can access and what capabilities (create, read, update, delete, list, sudo, deny) are allowed. Understanding policy syntax, path matching, and the default-deny behavior is critical.
Key Topics
Must-Know Concepts
- Vault uses a default-deny model: if no policy explicitly grants access to a path, access is denied
- Policy capabilities: create, read, update, delete, list, sudo (access protected paths), deny (explicit denial that overrides all other capabilities)
- Path matching: exact paths, glob patterns (* matches any suffix), and single-segment wildcards (+ matches exactly one path segment)
- The root policy grants unlimited access and cannot be modified or deleted. It should only be attached to root tokens
- The default policy is attached to all tokens by default and grants basic self-management capabilities (token lookup, renewal, etc.)
- Policies are configured via CLI (vault policy write <name> <file>) or UI and take effect immediately -- no restart required
- Multiple policies on a token are additive (union of permissions), but deny always wins
Common Exam Traps
Vault Tokens
Tokens are the core authentication mechanism in Vault. Every request requires a token. This domain tests your understanding of token types (service, batch, root, orphan, periodic), token hierarchy, TTLs, accessors, and when to use each type. This is the second-heaviest domain alongside authentication methods.
Key Topics
Must-Know Concepts
- Service tokens are persisted to storage, renewable, have parent-child relationships, and support all Vault features (accessors, cubbyhole, etc.)
- Batch tokens are NOT persisted, NOT renewable, have no parent-child relationships, and are designed for high-volume ephemeral workloads
- Root tokens have no TTL, no max TTL, and access everything. They should be revoked after initial setup and regenerated only when needed
- Orphan tokens have no parent. When a parent token is revoked, all child tokens are also revoked -- but orphan tokens survive parent revocation
- Periodic tokens have a period instead of a max TTL. They can be renewed indefinitely as long as renewal happens within each period
- Token accessors allow lookup, renewal, and revocation of tokens without knowing the actual token value -- useful for audit and management
- TTL (time-to-live) determines how long a token is valid. Max TTL is the absolute maximum lifetime a token can reach through renewals
Common Exam Traps
Vault Leases
Leases are Vault's mechanism for tracking the lifecycle of dynamic secrets. Every dynamic secret has a lease with an ID, a TTL, and the ability to be renewed or revoked. Understanding lease management is essential for operating dynamic secrets engines like Database and PKI.
Key Topics
Must-Know Concepts
- Every dynamic secret comes with a lease that includes a unique lease ID and a TTL
- Lease IDs are used to manage the lifecycle of dynamic secrets: renew to extend, revoke to immediately invalidate
- Renewing a lease extends the TTL, but not beyond the max TTL configured on the secrets engine or mount
- Revoking a lease immediately invalidates the dynamic secret (e.g., the database credentials are deleted)
- When a lease expires without renewal, Vault automatically revokes the associated secret
- Lease management commands: vault lease renew <lease_id>, vault lease revoke <lease_id>, vault lease revoke -prefix <path>
Common Exam Traps
Secrets Engines
Secrets engines are the core of Vault's functionality. This is the heaviest domain at 20%, covering KV (v1 and v2), Database, Transit, PKI, and other engines. You must understand when to use each engine, the difference between static and dynamic secrets, response wrapping, and how to enable and manage engines via CLI, API, and UI.
Key Topics
Must-Know Concepts
- Secrets engines are enabled at specific paths and each path is isolated. You can enable multiple instances of the same engine at different paths
- KV v1 stores key-value pairs with no versioning. KV v2 adds versioning, soft delete, metadata, and check-and-set (CAS)
- The Database secrets engine generates dynamic, short-lived database credentials that are automatically revoked when leases expire
- The Transit secrets engine provides encryption as a service: encrypt, decrypt, and manage keys WITHOUT storing the data itself in Vault
- Response wrapping provides a single-use wrapping token that references the actual secret, so only a token ID traverses the network
- Cubbyhole is a token-scoped secrets engine: each token has a private cubbyhole that dies with the token. Used internally by response wrapping
- Dynamic secrets provide unique credentials per consumer with automatic revocation, eliminating shared credential risks
- Enable secrets engines: vault secrets enable [-path=custom] <engine>. List enabled engines: vault secrets list
Common Exam Traps
Encryption as a Service
This domain focuses specifically on the Transit secrets engine for cryptographic operations. You must know how to encrypt, decrypt, and rotate encryption keys. While only 5% of the exam, questions here are straightforward if you understand the Transit engine well.
Key Topics
Must-Know Concepts
- Encrypt: vault write transit/encrypt/<key-name> plaintext=$(base64 <<< 'data') returns ciphertext prefixed with vault:v1:
- Decrypt: vault write transit/decrypt/<key-name> ciphertext=vault:v1:... returns base64-encoded plaintext
- Key rotation creates a new version of the encryption key. New encryptions use the latest key version. Old ciphertext can still be decrypted
- Rewrapping updates ciphertext to use the latest key version without exposing the plaintext to the client
- The ciphertext prefix vault:v1: indicates the key version used for encryption. After rotation, new ciphertext shows vault:v2:
Common Exam Traps
Vault Architecture Fundamentals
This domain covers how Vault works internally: how data is encrypted, the seal/unseal process, and environment variable configuration. Understanding these fundamentals is critical for the deployment and operations questions throughout the exam.
Key Topics
Must-Know Concepts
- Vault encrypts all data before writing it to storage. The storage backend never sees plaintext data
- The encryption barrier is the cryptographic layer between Vault and its storage backend. All data passes through this barrier
- When sealed, Vault has access to encrypted data in storage but cannot decrypt it. Only the unseal process restores the encryption key
- Shamir's Secret Sharing splits the master key into N shares with threshold K. Any K shares can reconstruct the master key
- During initialization, Vault generates a master key and encryption key. The master key encrypts the encryption key, and Shamir splits the master key
- Key environment variables: VAULT_ADDR (server URL), VAULT_TOKEN (auth token), VAULT_NAMESPACE (enterprise namespace), VAULT_SKIP_VERIFY (skip TLS verification)
Common Exam Traps
Vault Deployment Architecture
This domain covers how Vault is deployed in production: self-managed clusters vs HCP Vault, storage backends, Shamir vs auto-unseal, and replication strategies. Understanding deployment tradeoffs is essential for scenario-based questions.
Key Topics
Must-Know Concepts
- Self-managed Vault: organization installs, configures, and maintains Vault clusters. Full control but full operational burden
- HCP Vault Dedicated: HashiCorp manages the infrastructure, upgrades, and operations. Organizations consume Vault as a service
- Integrated Storage (Raft) is the recommended storage backend. It uses Raft consensus and requires no external dependencies
- Consul storage backend requires a separate Consul cluster. Still supported but adds operational complexity
- Auto-unseal uses a trusted KMS (AWS KMS, Azure Key Vault, GCP KMS) to automatically unseal Vault on restart. Recovery keys replace unseal keys
- DR replication creates passive standby clusters for failover. Performance replication creates active read replicas for scaling
- Shamir's Secret Sharing is the default unseal mechanism. Auto-unseal is preferred for production to eliminate manual intervention
Common Exam Traps
Access Management Architecture
This smaller domain covers Vault Agent and Vault Secrets Operator (VSO), which simplify how applications consume Vault secrets. Vault Agent handles auto-auth and caching for general workloads, while VSO provides Kubernetes-native secret synchronization.
Key Topics
Must-Know Concepts
- Vault Agent is a client-side daemon that handles auto-authentication, token lifecycle management, caching, and template rendering
- Auto-auth allows Vault Agent to automatically authenticate to Vault and manage token renewal without application involvement
- Agent caching reduces API calls to the Vault server by caching responses locally
- Agent templates render Vault secrets into configuration files using Go template syntax
- Vault Secrets Operator (VSO) is a Kubernetes operator that syncs Vault secrets into native Kubernetes Secret objects
- VSO features include instant updates (watching for secret changes), encrypted client cache, and secret transformation
Common Exam Traps
Vault Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.