Glossary: Encryption

This glossary covers essential cybersecurity and password management terminology from password policies and zero-knowledge encryption to RBAC, API authentication, and compliance frameworks like GDPR and SOC 2.

AES encryption — a symmetric encryption algorithm adopted as the U.S. government standard and widely used globally for securing sensitive data. AES encrypts data in fixed block sizes (128 bits) using key lengths of 128, 192, or 256 bits, with AES-256 providing the strongest security. AES encryption is fast, efficient, and secure against known attacks, making it ideal for encrypting files, databases, communications, and full-disk encryption.

Use cases: Data protection, compliance requirements, secure communications, and protecting data at rest and in transit. AES-256 encryption is considered quantum-resistant for the foreseeable future and meets stringent security standards.

Asymmetric encryption — a cryptographic method that uses two mathematically related keys: a public key for encryption and a private key for decryption. This eliminates the need to share secret keys between parties. Anyone can encrypt data using a recipient's public key, but only the private key holder can decrypt it. Asymmetric algorithms include RSA, elliptic curve cryptography (ECC), and Diffie-Hellman. Asymmetric encryption enables secure key exchange, digital signatures, certificate-based authentication, and encrypted communications without prior key sharing.

While more computationally intensive than symmetric encryption, asymmetric encryption solves key distribution challenges and enables secure communications at scale, forming the foundation for SSL/TLS, PGP, and blockchain technologies.

Client-side encryption — a security method that performs all cryptographic operations (encryption and decryption) on user devices before data transmission to servers, ensuring servers only receive encrypted data they cannot decrypt. Client-side encryption protects data privacy since service providers, network observers, and server breaches cannot access plaintext content. Encryption keys remain on client devices or derive from user passwords unknown to servers. Client-side encryption enables zero-knowledge architecture where providers cannot access user data.

Client-side encryption provides maximum security and privacy but requires careful implementation to prevent key exposure through client vulnerabilities or malicious code.

Encryption — the process of converting readable data (plaintext) into an unreadable format (ciphertext) using cryptographic algorithms and keys to protect information from unauthorized access. Encryption ensures data confidentiality during storage (encryption at rest) and transmission (encryption in transit), preventing interception or theft.

Modern encryption standards include AES-256, RSA, and elliptic curve cryptography. Effective encryption requires strong algorithms, proper key management, secure key storage, and regular cryptographic updates to address evolving threats and maintain data security.

Encryption key — a string of bits used by cryptographic algorithms to transform plaintext into ciphertext (encryption) and ciphertext back to plaintext (decryption). Key strength depends on length (measured in bits) and randomness — longer keys provide exponentially stronger security. Symmetric encryption uses identical keys for encryption and decryption, while asymmetric encryption uses key pairs.

Proper key management includes secure generation using cryptographic random number generators, protected storage (hardware security modules, key vaults), access controls, rotation policies, and secure destruction. Key length recommendations: AES-256 for symmetric, RSA-2048 or ECC-256 for asymmetric encryption.

End-to-end encryption — a security method that encrypts data on the sender's device and decrypts it only on the recipient's device, ensuring that intermediary servers, service providers, or network observers cannot access the plaintext content. E2EE uses public-key cryptography where only the communicating parties possess the decryption keys.

End-to-end encryption provides maximum privacy since even service providers cannot decrypt user data, protecting against server breaches, government surveillance, and unauthorized access.

Hashing — a cryptographic process that transforms input data of any size into a fixed-length string (hash value or digest) using mathematical algorithms, creating unique digital fingerprints for data integrity verification and password storage. Hash functions are one-way operations—computing hashes from data is easy, but reversing hashes to original data is computationally infeasible. Common hash algorithms include SHA-256, SHA-3, and bcrypt. Hashing verifies file integrity, stores passwords securely without saving plaintext, creates digital signatures, and enables blockchain technology.

Unlike encryption, hashing is irreversible and deterministic (same input always produces identical output), making it ideal for password verification and data integrity checking.

Key management — the process that encompasses the complete lifecycle of cryptographic keys: generation, distribution, storage, rotation, backup, and destruction. Effective key management ensures keys are created using strong randomness, stored securely (encrypted, access-controlled), distributed through secure channels, rotated regularly, backed up safely, and destroyed completely when no longer needed. Key management systems (KMS) automate key lifecycle operations, enforce policies, provide audit trails, and integrate with encryption systems.

Poor key management undermines encryption security — lost keys cause data loss, compromised keys expose data, and improper destruction leaves keys recoverable.

Password-based key derivation function (PBKDF2) — a cryptographic algorithm that derives encryption keys from passwords by applying hash functions repeatedly (iterations) with salt, making password cracking computationally expensive. PBKDF2 transforms weak user passwords into strong encryption keys suitable for protecting sensitive data. The iteration count (typically 100,000+ for PBKDF2-HMAC-SHA256) determines computational cost, with higher iterations providing stronger protection against brute-force attacks at the cost of performance.

PBKDF2 is widely used in password managers, disk encryption, and secure storage systems. PBKDF2 remains important for password-based encryption requiring standardized, well-tested key derivation.

Public key cryptography — a cryptographic system using mathematically linked key pairs (public and private keys) where public keys can be freely distributed while private keys remain secret. Public key cryptography enables secure communications without prior key exchange, digital signatures for authentication and non-repudiation, and secure key establishment. The public key encrypts data or verifies signatures, while the private key decrypts data or creates signatures. Public key infrastructure (PKI) manages public key distribution through digital certificates.

Public key cryptography powers SSL/TLS encryption, email encryption (PGP/S/MIME), code signing, blockchain transactions, and modern authentication protocols, solving key distribution challenges inherent in symmetric encryption.

Salting — a cryptographic technique adding random data (salt) to passwords before hashing, ensuring identical passwords produce different hash values and preventing rainbow table attacks. Each password receives a unique random salt stored alongside the hash, making precomputed hash attacks infeasible since attackers must compute hashes for each salt individually. Salting protects against password cracking when password databases are compromised, even for common passwords.

Modern password hashing algorithms like bcrypt, scrypt, and Argon2 incorporate salting automatically. Effective salting uses cryptographically random salts of sufficient length (at least 128 bits), unique salts per password, and combines with slow hashing algorithms to maximize password security.

Symmetric encryption — an encryption that uses a single shared secret key for both encrypting and decrypting data, requiring secure key distribution between communicating parties. Symmetric algorithms like AES, ChaCha20, and DES are computationally efficient, enabling fast encryption of large data volumes. Symmetric encryption excels at protecting data at rest (encrypted databases, files) and securing communications when parties can securely exchange keys.

Organizations use symmetric encryption for disk encryption, database encryption, VPN connections, and bulk data protection, often combining it with asymmetric encryption for secure key exchange.

Vault encryption — a security method that protects password vaults and secrets repositories by encrypting all stored data using strong cryptographic algorithms, ensuring credentials remain secure even if storage is compromised. Vault encryption typically uses AES-256 encryption with keys derived from master passwords or encryption keys stored in hardware security modules. Modern password managers implement vault encryption with zero-knowledge architecture where encryption occurs client-side and providers cannot access vault contents.

Vault encryption protects passwords, API keys, certificates, and sensitive data at rest, during synchronization, and in backups. Effective vault encryption combines strong algorithms, secure key derivation, client-side encryption, and protection against unauthorized access or data breaches.

Zero-knowledge encryption — security model where service providers cannot access, decrypt, or view user data because encryption and decryption occur exclusively on client devices using keys never shared with servers. Zero-knowledge architecture ensures providers have "zero knowledge" of user data content, protecting privacy even if servers are compromised or compelled to provide data. Users control encryption keys, typically derived from master passwords unknown to providers.

Zero-knowledge encryption protects against insider threats, server breaches, and legal data requests. Password managers, encrypted cloud storage, and privacy-focused services implement zero-knowledge encryption to provide maximum data privacy while maintaining usability through client-side cryptographic operations.