Which command does not meet this requirement?

Security requirements demand that no secrets appear in the shell history.

Which command does not meet this requirement?

A. generate-password | vault kv put secret/password value

B. vault kv put secret/password value=itsasecret

C. vault kv put secret/password value=@data.txt

D. vault kv put secret/password value=$SECRET_VALUE

Answer: B

Explanation:

The command that does not meet the security requirement of not having secrets appear in the shell history is B. vault kv put secret/password value=itsasecret. This command would store the secret value "itsasecret" in the key/value secrets engine at the path secret/password, but it would also expose the secret value in the shell history, which could be accessed by other users or malicious actors. This is not a secure way of storing secrets in Vault.

The other commands are more secure ways of storing secrets in Vault without revealing them in the shell history.

A. generate-password | vault kv put secret/password value would use a pipe to pass the output of the generate-password command, which could be a script or a tool that generates a random password, to the vault kv put command, which would store the password in the key/value secrets engine at the path secret/password. The password would not be visible in the shell history, only the commands.

C. vault kv put secret/password value=@data.txt would use the @ syntax to read the secret value from a file named data.txt, which could be encrypted or protected by file permissions, and store it in the key/value secrets engine at the path secret/password. The file name would be visible in the shell history, but not the secret value.

D. vault kv put secret/password value=$SECRET_VALUE would use the $ syntax to read the secret value from the environment variable SECRET_VALUE, which could be set and unset in the shell session, and store it in the key/value secrets engine at the path secret/password. The environment variable name would be visible in the shell history, but not the secret value.

Reference: [Write Secrets | Vault | HashiCorp Developer]
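
The distinction drawn in the explanation can be checked mechanically. The script below is an added example, not part of the original question or of HashiCorp's documentation: it scans shell history lines for vault kv put arguments that carry a literal value. It assumes Vault's key=- form for reading a value from stdin and the -mount flag; the history lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit shell history for
# `vault kv put` commands that carry a literal value on the command line.

# Constructed sample history; lines 1-4 mirror the four answer options.
sample_history() {
cat <<'EOF'
generate-password | vault kv put secret/password value=-
vault kv put secret/password value=itsasecret
vault kv put secret/password value=@data.txt
vault kv put secret/password value=$SECRET_VALUE
vault kv put -mount=secret password value="$SECRET_VALUE"
vault kv put secret/db user=app pass='hunter2'
EOF
}

# Reads history lines on stdin and prints "<line number>:<key>" for every
# key=value argument after `vault kv put` whose value is a literal, i.e. not
# "-" (stdin), "@file" (read from a file) or "$..." (expanded by the shell).
# Any literal is flagged; the script cannot tell which keys are sensitive.
find_inline_secrets() {
  awk '{
    put = 0
    for (i = 3; i <= NF; i++)
      if ($(i-2) == "vault" && $(i-1) == "kv" && $i == "put") put = i
    if (!put) next
    for (i = put + 1; i <= NF; i++) {
      eq = index($i, "=")
      # Skip the secret path and option flags such as -mount=secret.
      if (eq < 2 || substr($i, 1, 1) == "-") continue
      key = substr($i, 1, eq - 1)
      val = substr($i, eq + 1)
      gsub(/"/, "", val)   # double quotes do not stop "$VAR" from expanding
      first = substr(val, 1, 1)
      if (val == "" || val == "-" || first == "@" || first == "$") continue
      print NR ":" key
    }
  }'
}

sample_history | find_inline_secrets
```

On the sample input only the option B form (line 2) and the two literal arguments on line 6 are reported; the stdin, file and environment-variable forms pass.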
