Security & Encryption Glossary

Plain-language explanations of the security concepts behind Vaulted.

AES-256-GCM

AES-256-GCM is a symmetric encryption algorithm that combines the Advanced Encryption Standard with a 256-bit key and Galois/Counter Mode, providing both data confidentiality and built-in integrity verification in a single operation.

Ciphertext

Ciphertext is the encrypted output of a cryptographic algorithm — a scrambled representation of the original data that is unreadable without the corresponding decryption key.

Client-Side Encryption

Client-side encryption is the practice of encrypting data on the user's device — typically in a browser or native app — before transmitting it to a server, ensuring the server only ever receives and stores encrypted data.

Credential Management

Credential management is the set of policies, processes, and tools used to securely handle the full lifecycle of access credentials — including creation, secure storage, controlled sharing, regular rotation, and timely revocation.

Data Breach

A data breach is a security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized party, whether through hacking, insider threat, misconfiguration, or accidental exposure.

Encryption at Rest

Encryption at rest is the practice of storing data in encrypted form on persistent storage — such as disks, databases, or backup media — so that the data remains protected even if the storage medium is compromised.

Encryption in Transit

Encryption in transit is the practice of encrypting data as it travels between two systems across a network, typically implemented via TLS (Transport Layer Security) or its predecessor SSL, to prevent eavesdropping and tampering.

End-to-End Encryption

End-to-end encryption (E2EE) is a communication method where data is encrypted on the sender's device and can only be decrypted on the recipient's device, ensuring that no intermediary — including the service provider — can access the plaintext content.

Ephemeral Secrets

Ephemeral secrets are sensitive data items — such as passwords, tokens, or keys — that are intentionally designed to exist for a limited time period or number of accesses before being permanently and irrecoverably destroyed.

Key Derivation

Key derivation is the process of transforming a source value — typically a password, passphrase, or shared secret — into one or more cryptographic keys using a deterministic algorithm designed to produce high-entropy key material.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation algorithm defined in RFC 8018 that applies a pseudorandom function — typically HMAC-SHA-256 — iteratively to a password and salt to produce a derived key that is computationally expensive to brute-force.

Plaintext

Plaintext is data in its original, unencrypted, human-readable form. In cryptography, it refers to the input to an encryption algorithm or the output of a decryption algorithm.

Principle of Least Privilege

The principle of least privilege is a security concept that states every user, process, or system should be granted only the minimum level of access — and for the minimum amount of time — necessary to perform its authorized function.

Secret Sharing

Secret sharing, in the context of credential management, is the practice of transmitting sensitive information — such as passwords, API keys, or private keys — between parties through a channel designed to minimize exposure, limit persistence, and prevent unauthorized access.

Secrets Management

Secrets management is the discipline of securely storing, distributing, rotating, and auditing sensitive credentials — such as API keys, passwords, tokens, certificates, and encryption keys — across applications, infrastructure, and teams.

Self-Destructing Messages

Self-destructing messages are messages or shared data designed to be automatically and permanently deleted after being accessed a specified number of times or after a defined time period expires.

Symmetric Encryption

Symmetric encryption is a cryptographic method in which the same secret key is used for both encryption and decryption, so both the sender and the recipient must hold that identical key.

URL Fragment

A URL fragment is the part of a URL that appears after the hash symbol (#). Per RFC 3986, browsers process fragments client-side only and never include them in HTTP requests sent to the server.

Web Crypto API

The Web Crypto API is a W3C standard that provides a JavaScript interface to a suite of cryptographic primitives — including encryption, decryption, key generation, hashing, and signing — implemented natively in the browser.

Zero-Knowledge Architecture

Zero-knowledge architecture is a system design where the service provider has no ability to access, read, or decrypt the data it stores on behalf of users, because all encryption and decryption operations happen on the client side.