Test yourself
Secrets management foundations
Final exam · 12 questions · answers explained as you pick
How secrets leak
6 questions
01Environment variables leak through…
Incorrect — Anything that can inspect the process can read its environment.
Correct — Child processes inherit them and crash handlers often dump them.
Incorrect — Env vars are not resolved over DNS.
Incorrect — Scheduling does not expose variable contents.
02Passing a secret as a command-line argument is risky because…
Incorrect — Performance is not the issue.
Incorrect — They are the opposite of hidden.
Correct — Prefer stdin, a file, or an env var read from a manager.
Incorrect — The shell accepts it fine — that is the problem.
03A secret committed to git and later deleted is…
Incorrect — It remains in history until purged.
Correct — Assume every committed secret is compromised the moment it lands.
Incorrect — Private repos get cloned, forked, and leaked.
Incorrect — Git stores blobs verbatim, not encrypted.
04The correct response to a secret found in git history is…
Incorrect — Purging is not enough — the value is already exposed.
Correct — Rotation invalidates the leaked value; purging cleans up.
Incorrect — The secret may already be cloned or cached.
Incorrect — That prevents future adds, not past exposure.
05Base64 in a Kubernetes Secret is…
Incorrect — It is not encryption at all.
Correct — RBAC and etcd encryption are the real controls.
Incorrect — base64 is reversible by design.
Incorrect — Encryption at rest for etcd is off unless you configure it.
06What actually protects a Kubernetes Secret at rest is…
Incorrect — Encoding provides zero confidentiality.
Incorrect — The type alone adds no encryption.
Correct — Control who can read it and encrypt the datastore.
Incorrect — Namespaces are not a security boundary for reads with RBAC.
6 questions · explanations appear as you answer
Encrypting & choosing tools
6 questions
01SOPS encrypts…
Incorrect — It works at the value level inside files.
Correct — Diffs stay reviewable because keys stay plaintext and values do not.
Incorrect — That is TLS, not SOPS.
Incorrect — SOPS is for config files, not images.
02SOPS keeps YAML diffs reviewable by…
Correct — You can still see which keys changed in review.
Incorrect — That would make diffs meaningless.
Incorrect — SOPS keeps them in the same file, encrypted.
Incorrect — It very much encrypts the values.
03Sealed-secrets works by…
Incorrect — That would be no protection at all.
Correct — The SealedSecret is safe to commit; only the cluster unseals it.
Incorrect — That is the opposite of sealing.
Incorrect — It complements RBAC, not replaces it.
04For a GitOps flow where manifests live in git, secrets should be…
Incorrect — Never commit plaintext secrets.
Correct — Only ciphertext belongs in a git-backed source of truth.
Incorrect — That bypasses the whole GitOps model.
Incorrect — Encoding is not protection.
05A reasonable first branch in a secrets-manager decision tree is…
Incorrect — Vault is powerful but often more than a small team needs.
Incorrect — Cost alone ignores the actual requirements.
Correct — The former points to Vault/cloud managers; the latter to SOPS.
Incorrect — Fit the tool to the requirement, not habit.
06Cloud-native secret managers (AWS/GCP/Azure) are attractive when…
Incorrect — They do couple you to that cloud’s IAM.
Correct — They lean on the platform’s identity and remove ops burden.
Incorrect — They are built around IAM.
Incorrect — They are network services.
6 questions · explanations appear as you answer