Comprehensive and Detailed In-Depth Explanation:
The Transit secrets engine in Vault is designed for encryption as a service, allowing applications to encrypt data without managing keys locally. After enabling the engine, two critical steps are required before encryption can begin: creating an encryption key and defining a policy to allow its use.
Option C: You must create an encryption key using a command like vault write -f transit/keys/. This key is stored in Vault and used for encryption/decryption operations. Without it, no encryption can occur, as the Transit engine relies on named keys to perform cryptographic operations.
Option D: A policy must be written to grant the application permissions to use the key, such as path "transit/encrypt/" { capabilities = ["update"] } and path "transit/decrypt/" { capabilities = ["update"] }. Vault’s access control ensures that only authorized entities can perform encryption, making this step essential.
Option A (exporting the key) contradicts Vault’s security model, as keys should remain in Vault, not be exported to application servers. Option B (enabling the Transit API) is unnecessary, as enabling the engine automatically exposes its API endpoints. The official Transit documentation confirms that key creation and policy configuration are the next steps post-enablement.
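The two post-enablement steps above (create a named key, write a policy scoped to that key) and the encrypt/decrypt round trip they enable, as an added example that is not from the page or from HashiCorp. It drives Vault's HTTP API with the Python standard library only; the key name "orders" and policy name "orders-app" are assumptions. With VAULT_ADDR and VAULT_TOKEN set it talks to a real Vault; otherwise it runs against FakeTransit, an offline stand-in constructed here that mimics Transit's request/response shapes (it does not encrypt).

```python
# Added example (not the page's or HashiCorp's code): Transit key creation,
# least-privilege policy, and an encrypt/decrypt round trip over Vault's HTTP
# API. Key name "orders" and policy name "orders-app" are assumptions.
import base64
import json
import os
import urllib.request


def policy_hcl(key_name):
    """Least-privilege policy for an application: it may encrypt and decrypt
    with one named key but cannot read, reconfigure or export that key
    (no transit/keys/* or transit/export/* paths are granted)."""
    return (
        f'path "transit/encrypt/{key_name}" {{\n  capabilities = ["update"]\n}}\n'
        f'path "transit/decrypt/{key_name}" {{\n  capabilities = ["update"]\n}}\n'
    )


def make_vault_post(addr, token):
    """Return a post(path, body) callable bound to a real Vault server."""
    def post(path, body):
        req = urllib.request.Request(
            f"{addr}/v1/{path}",
            data=json.dumps(body).encode(),
            method="POST",  # Vault treats POST and PUT alike for update operations
            headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()  # key creation may answer 204 with no body
        return json.loads(raw) if raw else {}
    return post


def create_key(post, key_name, key_type="aes256-gcm96"):
    # Step 1 (Option C): the named key is generated inside Vault and stays there.
    return post(f"transit/keys/{key_name}", {"type": key_type})


def write_policy(post, policy_name, key_name):
    # Step 2 (Option D): grant the application only encrypt/decrypt on that key.
    return post(f"sys/policies/acl/{policy_name}", {"policy": policy_hcl(key_name)})


def encrypt(post, key_name, plaintext):
    # Transit only accepts base64 plaintext; the ciphertext comes back as
    # "vault:v<key-version>:<base64>" so decrypt can select the right key version.
    body = {"plaintext": base64.b64encode(plaintext).decode()}
    return post(f"transit/encrypt/{key_name}", body)["data"]["ciphertext"]


def decrypt(post, key_name, ciphertext):
    if not ciphertext.startswith("vault:v"):
        raise ValueError("not a Transit ciphertext")
    out = post(f"transit/decrypt/{key_name}", {"ciphertext": ciphertext})
    return base64.b64decode(out["data"]["plaintext"])


def transit_roundtrip(post, key_name, plaintext):
    """Encrypt then decrypt; returns the recovered plaintext bytes."""
    return decrypt(post, key_name, encrypt(post, key_name, plaintext))


class FakeTransit:
    """Offline stand-in for Vault, constructed for this example. It mimics the
    request/response shapes and the 'key must exist first' rule only; the
    byte reversal it applies is NOT encryption."""

    def __init__(self):
        self.keys = {}       # key name -> latest key version
        self.policies = {}   # policy name -> HCL text

    def post(self, path, body):
        parts = path.split("/")
        if path.startswith("sys/policies/acl/"):
            self.policies[parts[-1]] = body["policy"]
            return {}
        if parts[:2] == ["transit", "keys"]:
            self.keys.setdefault(parts[2], 1)
            return {}
        if parts[:2] == ["transit", "encrypt"]:
            if parts[2] not in self.keys:  # real Vault: HTTP 400, "encryption key not found"
                raise RuntimeError("encryption key not found")
            raw = base64.b64decode(body["plaintext"])
            ct = base64.b64encode(raw[::-1]).decode()
            return {"data": {"ciphertext": f"vault:v{self.keys[parts[2]]}:{ct}"}}
        if parts[:2] == ["transit", "decrypt"]:
            _, _, ct = body["ciphertext"].split(":", 2)
            pt = base64.b64decode(ct)[::-1]
            return {"data": {"plaintext": base64.b64encode(pt).decode()}}
        raise RuntimeError(f"unsupported path {path}")


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    post = make_vault_post(addr, token) if addr and token else FakeTransit().post
    create_key(post, "orders")
    write_policy(post, "orders-app", "orders")
    ct = encrypt(post, "orders", b"constructed sample: order 1234")
    print(ct)
    print(decrypt(post, "orders", ct))
```

The policy deliberately omits transit/keys/orders and transit/export/*, so a token holding it can use the key but never read its configuration or pull key material out of Vault, which is the point made against Option A. The base64 step in encrypt() is the usual first stumble when applications call Transit directly: the API rejects raw plaintext.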