Free HashiCorp Vault-Associate Actual Exam Questions - Question 14 Discussion
This one feels like it’s trying to trip you up on the “stored” part. Vault doesn’t keep the raw encryption key just sitting there in the backend storage, so B makes the most sense to me. The sealed key is stored but it’s encrypted, not the actual raw encryption key. So the statement saying it’s stored as-is is false. B.
B imo, storing the key in backend storage would be a huge security risk.
B vs A? The key point is that Vault encrypts data but doesn’t store the unencrypted encryption key in the backend storage—that would be a security risk. The key is usually derived or protected through mechanisms like Shamir’s Secret Sharing and only reconstructed in memory. So it feels safer to say B here since the key itself isn’t just sitting in backend storage.
B, because storing the key in backend storage would defeat the purpose of encryption.