Security & Encryption Glossary

Plain-language explanations of the security concepts behind Vaulted.

Access Control

Access control is the set of security mechanisms and policies that regulate which users, systems, or processes are permitted to access specific resources, and what actions they are authorized to perform on those resources.

AES-256-GCM

AES-256-GCM is a symmetric encryption algorithm that combines the Advanced Encryption Standard with a 256-bit key and Galois/Counter Mode, providing both data confidentiality and built-in integrity verification in a single operation.

Asymmetric Encryption

Asymmetric encryption is a cryptographic system that uses a pair of mathematically related keys — a public key that anyone can use to encrypt data, and a private key that only the owner possesses to decrypt it — eliminating the need to share a secret key in advance.

Audit Log

An audit log is a chronological, tamper-evident record of events and activities within a system — including user actions, access attempts, configuration changes, and security events — maintained for accountability, compliance, and forensic analysis.

bcrypt

bcrypt is a password hashing function based on the Blowfish block cipher that incorporates a built-in salt and a configurable cost factor, designed to be computationally expensive in a way that specifically resists acceleration by GPUs and custom hardware.

Brute-Force Attack

A brute-force attack is a cryptanalytic method that attempts to determine a password, encryption key, or other secret by systematically trying every possible combination until the correct value is found.

Certificate Authority

A certificate authority (CA) is a trusted third-party organization that issues, signs, and manages digital certificates used to verify the identity of entities — such as websites, organizations, or devices — within a public key infrastructure.

Ciphertext

Ciphertext is the encrypted output of a cryptographic algorithm — a scrambled representation of the original data that is unreadable without the corresponding decryption key.

Client-Side Encryption

Client-side encryption is the practice of encrypting data on the user's device — typically in a browser or native app — before transmitting it to a server, ensuring the server only ever receives and stores encrypted data.

Credential Management

Credential management is the set of policies, processes, and tools used to securely handle the full lifecycle of access credentials — including creation, secure storage, controlled sharing, regular rotation, and timely revocation.

Data Breach

A data breach is a security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized party, whether through hacking, insider threat, misconfiguration, or accidental exposure.

Data Exfiltration

Data exfiltration is the unauthorized transfer of data from an organization's systems to an external location controlled by an attacker, whether through network-based techniques, physical media, or compromised accounts.

Data Loss Prevention

Data loss prevention (DLP) is a set of strategies, tools, and processes designed to detect and prevent the unauthorized transmission, leakage, or exfiltration of sensitive data from an organization — whether intentional or accidental.

Digital Signature

A digital signature is a cryptographic scheme that uses a private key to generate a signature over a message or document, which anyone with the corresponding public key can verify to confirm the data's authenticity and integrity.

Encryption at Rest

Encryption at rest is the practice of storing data in encrypted form on persistent storage — such as disks, databases, or backup media — so that the data remains protected even if the storage medium is compromised.

Encryption in Transit

Encryption in transit is the practice of encrypting data as it travels between two systems across a network, typically implemented via TLS (Transport Layer Security) or its predecessor SSL, to prevent eavesdropping and tampering.

End-to-End Encryption

End-to-end encryption (E2EE) is a communication method where data is encrypted on the sender's device and can only be decrypted on the recipient's device, ensuring that no intermediary — including the service provider — can access the plaintext content.

Ephemeral Secrets

Ephemeral secrets are sensitive data items — such as passwords, tokens, or keys — that are intentionally designed to exist for a limited time period or number of accesses before being permanently and irrecoverably destroyed.

GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how organizations collect, process, store, and share personal data of individuals within the EU and European Economic Area.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that establishes national standards for protecting the privacy and security of individually identifiable health information, known as Protected Health Information (PHI).

HMAC

HMAC (Hash-Based Message Authentication Code) is a cryptographic mechanism that combines a cryptographic hash function with a secret key to produce a fixed-size authentication code, allowing the recipient to verify both the integrity and the authenticity of a message.

Initialization Vector

An initialization vector (IV) is a random or pseudorandom value used as an additional input to an encryption algorithm alongside the key, ensuring that identical plaintext encrypted with the same key produces different ciphertext across operations.

JSON Web Token

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519 that represents claims between two parties as a digitally signed JSON object, enabling stateless authentication and information exchange.

Key Derivation

Key derivation is the process of transforming a source value — typically a password, passphrase, or shared secret — into one or more cryptographic keys using a deterministic algorithm designed to produce high-entropy key material.

Key Rotation

Key rotation is the security practice of periodically replacing active cryptographic keys or credentials with newly generated ones, and retiring or revoking the old keys, to limit the window of exposure if a key is compromised.

Key Wrapping

Key wrapping is a cryptographic operation that encrypts a key (the payload key) using another key (the wrapping key or key encryption key), providing confidentiality and integrity protection for key material during storage or transport.

Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is a cyberattack where an adversary secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other.

Multi-Factor Authentication

Multi-factor authentication (MFA) is an authentication method that requires a user to present two or more independent credentials from different categories — something they know, something they have, or something they are — before access is granted.

Nonce

A nonce (number used once) is a unique, typically random or sequential value that is used exactly once in a cryptographic operation to ensure that identical inputs produce different outputs, preventing replay attacks and pattern analysis.

OAuth

OAuth 2.0 is an open authorization framework that enables a third-party application to obtain limited access to a user's resources on another service — such as their profile or data — without the user sharing their password with the third party.

Password Hashing

Password hashing is the practice of applying a computationally expensive, one-way cryptographic function to a password — combined with a unique salt — to produce a fixed-length digest that can verify the password without storing it in a recoverable form.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation algorithm defined in RFC 8018 that applies a pseudorandom function — typically HMAC-SHA-256 — iteratively to a password and salt to produce a derived key that is computationally expensive to brute-force.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements established by the PCI Security Standards Council to protect cardholder data and ensure that all organizations that process, store, or transmit credit card information maintain a secure environment.

Phishing

Phishing is a social engineering attack in which an adversary sends fraudulent communications — typically email, SMS, or instant messages — that impersonate a trusted entity to trick recipients into revealing sensitive information, clicking malicious links, or installing malware.

Plaintext

Plaintext is data in its original, unencrypted, human-readable form. In cryptography, it refers to the input to an encryption algorithm or the output of a decryption algorithm.

Principle of Least Privilege

The principle of least privilege is a security concept that states every user, process, or system should be granted only the minimum level of access — and for the minimum amount of time — necessary to perform its authorized function.

Privilege Escalation

Privilege escalation is an attack technique where an adversary exploits a vulnerability, misconfiguration, or stolen credential to gain higher-level permissions than originally authorized — typically moving from a regular user to an administrator or root account.

Public Key Infrastructure

Public key infrastructure (PKI) is a comprehensive framework of roles, policies, hardware, software, and procedures used to create, manage, distribute, store, and revoke digital certificates and their associated public-private key pairs.

Ransomware

Ransomware is malware that encrypts a victim's files or locks them out of their systems, then demands payment — typically in cryptocurrency — in exchange for the decryption key or restored access.

Role-Based Access Control

Role-based access control (RBAC) is an access control model where permissions are assigned to roles — such as administrator, editor, or viewer — and users gain permissions by being assigned to roles, rather than having permissions granted directly to individual accounts.

RSA

RSA (Rivest-Shamir-Adleman) is an asymmetric cryptographic algorithm that derives its security from the computational difficulty of factoring the product of two large prime numbers, used for encryption, digital signatures, and secure key exchange.

Salt (Cryptography)

A cryptographic salt is a random value that is combined with a password or other input before it is processed by a hash function or key derivation function, ensuring that identical inputs produce different outputs and defeating precomputed attack tables.

Secret Sharing

Secret sharing, in the context of credential management, is the practice of transmitting sensitive information — such as passwords, API keys, or private keys — between parties through a channel designed to minimize exposure, limit persistence, and prevent unauthorized access.

Secrets Management

Secrets management is the discipline of securely storing, distributing, rotating, and auditing sensitive credentials — such as API keys, passwords, tokens, certificates, and encryption keys — across applications, infrastructure, and teams.

Self-Destructing Messages

Self-destructing messages are messages or shared data designed to be automatically and permanently deleted after being accessed a specified number of times or after a defined time period expires.

SHA-256

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function from the SHA-2 family that takes an arbitrary-length input and produces a fixed 256-bit (32-byte) digest, designed to be a one-way function where the output reveals nothing about the input.

Single Sign-On

Single sign-on (SSO) is an authentication scheme that allows a user to authenticate once with a central identity provider and then access multiple independent applications and services without being prompted for credentials again.

SOC 2

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy — known as the Trust Services Criteria.

Social Engineering

Social engineering is a class of attack techniques that manipulate human psychology — trust, fear, urgency, or helpfulness — to trick people into divulging confidential information, granting unauthorized access, or performing actions that compromise security.

Symmetric Encryption

Symmetric encryption is a cryptographic method where the same secret key is used for both encryption and decryption. Both the sender and recipient must possess the identical key to encrypt and decrypt data.

TLS/SSL

TLS (Transport Layer Security) is a cryptographic protocol that provides privacy, data integrity, and authentication for communication between two parties over a network. SSL (Secure Sockets Layer) is its deprecated predecessor; modern "SSL" references almost always mean TLS.