
Security Automation Certification

HashiCorp’s Security Automation certification program has two levels. Work up to the advanced Vault Professional Certification by starting with the foundational Vault Associate certification. The Associate certification validates your knowledge of open source Vault. Then, continue your certification journey with the Professional hands-on, lab-based exam to validate your years of production experience with both Vault and Vault Enterprise.

HashiCorp Certified: Vault Associate (002)

Product version tested: Vault 1.6.0 and higher

The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source Vault. This includes understanding what enterprise features exist and what can and cannot be done using the open source offering. You should have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.

  • Basic terminal skills
  • Basic understanding of on-premises or cloud architecture
  • Basic level of security understanding

Assessment Type: Multiple choice
Format: Online proctored
Duration: 1 hour
Price: $70.50 USD, plus locally applicable taxes and fees. Free retake not included.
Language: English
Expiration: 2 years

1. Compare authentication methods
   1a. Describe authentication methods
   1b. Choose an authentication method based on use case
   1c. Differentiate human vs. system auth methods
2. Create Vault policies
   2a. Illustrate the value of Vault policy
   2b. Describe Vault policy syntax: path
   2c. Describe Vault policy syntax: capabilities
   2d. Craft a Vault policy based on requirements
3. Assess Vault tokens
   3a. Describe Vault token
   3b. Differentiate between service and batch tokens. Choose one based on use-case
   3c. Describe root token uses and lifecycle
   3d. Define token accessors
   3e. Explain time-to-live
   3f. Explain orphaned tokens
   3g. Create tokens based on need
4. Manage Vault leases
   4a. Explain the purpose of a lease ID
   4b. Renew leases
   4c. Revoke leases
5. Compare and configure Vault secrets engines
   5a. Choose a secret method based on use case
   5b. Contrast dynamic secrets vs. static secrets and their use cases
   5c. Define transit engine
   5d. Define secrets engines
6. Utilize Vault CLI
   6a. Authenticate to Vault
   6b. Configure authentication methods
   6c. Configure Vault policies
   6d. Access Vault secrets
   6e. Enable Secret engines
   6f. Configure environment variables
7. Utilize Vault UI
   7a. Authenticate to Vault
   7b. Configure authentication methods
   7c. Configure Vault policies
   7d. Access Vault secrets
   7e. Enable Secret engines
8. Be aware of the Vault API
   8a. Authenticate to Vault via Curl
   8b. Access Vault secrets via Curl
9. Explain Vault architecture
   9a. Describe the encryption of data stored by Vault
   9b. Describe cluster strategy
   9c. Describe storage backends
   9d. Describe the Vault agent
   9e. Describe secrets caching
   9f. Be aware of identities and groups
   9g. Describe Shamir secret sharing and unsealing
   9h. Be aware of replication
   9i. Describe seal/unseal
   9j. Explain response wrapping
   9k. Explain the value of short-lived, dynamically generated secrets
10. Explain encryption as a service
   10a. Configure transit secret engine
   10b. Encrypt and decrypt secrets
   10c. Rotate the encryption key

Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.

To renew your Vault Associate certification, you will need to take and pass the Vault Associate or Vault Operations Professional exam.

If you hold an unexpired Vault Associate certification there are two ways to recertify:

  1. You can take the same Vault Associate exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
  2. You can take the Vault Professional level exam starting 18 months after your previous exam date. When you pass the exam, you will receive a new set of credentials for the Vault Professional certification, and the expiration date will be extended on your Vault Associate credentials.

If you hold an expired Vault Associate certification: You can take the same Vault Associate exam again at any time. When you pass the exam, you will receive a new, second set of credentials with a new expiration date.

HashiCorp Certified: Vault Operations Professional

Product version tested: Vault 1.8.0 and higher

The Vault Operations Professional exam is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases.

We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment, and who understand the concepts covered in the associate exam, may be able to successfully pass the professional-level exam.

  • HashiCorp Certified: Vault Associate Certification (recommended)
  • Linux skills such as listing and editing files via the command terminal
  • Understanding of IP networking
  • Experience with Public Key Infrastructure (PKI), including PGP and TLS
  • Information security fundamentals such as network security and RBAC
  • Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs

Assessment Type: Lab-based and multiple choice
Format: Online proctored
Duration: 4 hours; 15-minute break included
Price: $295 USD, plus locally applicable taxes and fees. Includes free retake.
Language: English
Expiration: 2 years

1. Create a working Vault server configuration given a scenario
   1a. Enable and configure secret engines
   1b. Practice production hardening
   1c. Auto unseal Vault
   1d. Implement integrated storage for open source and Enterprise Vault
   1e. Enable and configure authentication methods
   1f. Practice secure Vault initialization
   1g. Regenerate a root token
   1h. Rekey Vault and rotate encryption keys
2. Monitor a Vault environment
   2a. Monitor and understand Vault telemetry
   2b. Monitor and understand Vault audit logs
   2c. Monitor and understand Vault operational logs
3. Employ the Vault security model
   3a. Describe secure introduction of Vault clients
   3b. Describe the security implications of running Vault in Kubernetes
4. Build fault-tolerant Vault environments
   4a. Configure a highly available (HA) cluster
   4b. [Vault Enterprise] Enable and configure disaster recovery (DR) replication
   4c. [Vault Enterprise] Promote a secondary cluster
5. Understand the hardware security module (HSM) integration
   5a. [Vault Enterprise] Describe the benefits of auto unsealing with HSM
   5b. [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11)
6. Scale Vault for performance
   6a. Use batch tokens
   6b. [Vault Enterprise] Describe the use cases of performance standby nodes
   6c. [Vault Enterprise] Enable and configure performance replication
   6d. [Vault Enterprise] Create a paths filter
7. Configure access control
   7a. Interpret Vault identity entities and groups
   7b. Write, deploy, and troubleshoot ACL policies
   7c. [Vault Enterprise] Understand Sentinel policies
   7d. [Vault Enterprise] Define control groups and describe their basic workflow
   7e. [Vault Enterprise] Describe and interpret multi-tenancy with namespaces
8. Configure Vault Agent
   8a. Securely configure auto-auth and token sink
   8b. Configure templating

This performance-based exam contains labs that must be completed in a virtual environment, and a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.

Visit the Exam-taker Handbook to learn about the requirements and policies for taking exams.

To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.

If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.

If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.