HashiCorp’s Security Automation certification program has two levels: Work up to the advanced Vault Professional Certification by starting with the foundational Vault Associate certification. The Associate certification validates your knowledge of open source Vault. Then, continue your certification journey with the Professional hands-on, lab-based exam to validate your years of production experience with both Vault and Vault Enterprise.
The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source Vault. This includes understanding what enterprise features exist and what can and cannot be done using the open source offering. You should have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
Assessment Type | Multiple choice |
Format | Online proctored |
Duration | 1 hour |
Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
Language | English |
Expiration | 2 years |
1 | Compare authentication methods |
---|---|
1a | Describe authentication methods |
1b | Choose an authentication method based on use case |
1c | Differentiate human vs. system auth methods |
2 | Create Vault policies |
---|---|
2a | Illustrate the value of Vault policy |
2b | Describe Vault policy syntax: path |
2c | Describe Vault policy syntax: capabilities |
2d | Craft a Vault policy based on requirements |
3 | Assess Vault tokens |
---|---|
3a | Describe Vault token |
3b | Differentiate between service and batch tokens. Choose one based on use-case |
3c | Describe root token uses and lifecycle |
3d | Define token accessors |
3e | Explain time-to-live |
3f | Explain orphaned tokens |
3g | Create tokens based on need |
4 | Manage Vault leases |
---|---|
4a | Explain the purpose of a lease ID |
4b | Renew leases |
4c | Revoke leases |
5 | Compare and configure Vault secrets engines |
---|---|
5a | Choose a secret method based on use case |
5b | Contrast dynamic secrets vs. static secrets and their use cases |
5c | Define transit engine |
5d | Define secrets engines |
6 | Utilize Vault CLI |
---|---|
6a | Authenticate to Vault |
6b | Configure authentication methods |
6c | Configure Vault policies |
6d | Access Vault secrets |
6e | Enable Secret engines |
6f | Configure environment variables |
7 | Utilize Vault UI |
---|---|
7a | Authenticate to Vault |
7b | Configure authentication methods |
7c | Configure Vault policies |
7d | Access Vault secrets |
7e | Enable Secret engines |
8 | Be aware of the Vault API |
---|---|
8a | Authenticate to Vault via Curl |
8b | Access Vault secrets via Curl |
9 | Explain Vault architecture |
---|---|
9a | Describe the encryption of data stored by Vault |
9b | Describe cluster strategy |
9c | Describe storage backends |
9d | Describe the Vault agent |
9e | Describe secrets caching |
9f | Be aware of identities and groups |
9g | Describe Shamir secret sharing and unsealing |
9h | Be aware of replication |
9i | Describe seal/unseal |
9j | Explain response wrapping |
9k | Explain the value of short-lived, dynamically generated secrets |
10 | Explain encryption as a service |
---|---|
10a | Configure transit secret engine |
10b | Encrypt and decrypt secrets |
10c | Rotate the encryption key |
Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.
To renew your Vault Associate certification, you will need to take and pass the Vault Associate or Vault Operations Professional exam.
If you hold an unexpired Vault Associate certification there are two ways to recertify:
If you hold an expired Vault Associate certification: You can take the same Vault Associate exam again at any time. When you pass the exam, you will receive a new, second set of credentials with a new expiration date.
The Vault Operations Professional exam is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases.
We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment—and understand the concepts covered in the associate exam— may be able to successfully pass the professional-level exam.
Assessment Type | Lab-based and multiple choice |
Format | Online proctored |
Duration | 4 hours; 15-minute break included |
Price | $295 USD, plus locally applicable taxes and fees. Includes free retake. |
Language | English |
Expiration | 2 years |
1 | Create a working Vault server configuration given a scenario |
---|---|
1a | Enable and configure secret engines |
1b | Practice production hardening |
1c | Auto unseal Vault |
1d | Implement integrated storage for open source and Enterprise Vault |
1e | Enable and configure authentication methods |
1f | Practice secure Vault initialization |
1g | Regenerate a root token |
1h | Rekey Vault and rotate encryption keys |
2 | Monitor a Vault environment |
---|---|
2a | Monitor and understand Vault telemetry |
2b | Monitor and understand Vault audit logs |
2c | Monitor and understand Vault operational logs |
3 | Employ the Vault security model |
---|---|
3a | Describe secure introduction of Vault clients |
3b | Describe the security implications of running Vault in Kubernetes |
4 | Build fault-tolerant Vault environments |
---|---|
4a | Configure a highly available (HA) cluster |
4b | [Vault Enterprise] Enable and configure disaster recovery (DR) replication |
4c | [Vault Enterprise] Promote a secondary cluster |
5 | Understand the hardware security module (HSM) integration |
---|---|
5a | [Vault Enterprise] Describe the benefits of auto unsealing with HSM |
5b | [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11) |
6 | Scale Vault for performance |
---|---|
6a | Use batch tokens |
6b | [Vault Enterprise] Describe the use cases of performance standby nodes |
6c | [Vault Enterprise] Enable and configure performance replication |
6d | [Vault Enterprise] Create a paths filter |
7 | Configure access control |
---|---|
7a | Interpret Vault identity entities and groups |
7b | Write, deploy, and troubleshoot ACL policies |
7c | [Vault Enterprise] Understand Sentinel policies |
7d | [Vault Enterprise] Define control groups and describe their basic workflow |
7e | [Vault Enterprise] Describe and interpret multi-tenancy with namespaces |
8 | Configure Vault Agent |
---|---|
8a | Securely configure auto-auth and token sink |
8b | Configure templating |
This performance-based exam contains labs that must be completed in a virtual environment, and a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.
Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.
To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.
If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.
Sign up to be notified with updates to the HashiCorp Product Certifications program and to receive news and information about HashiCorp products.