Glossary
A plain-English reference for the terms that come up in articles about document security. If a term is missing, write in.
- 3-2-1 backup rule
  - Three copies of your data, on two different media, with one copy off-site. A minimum viable backup strategy.
- AES-256
  - A widely used symmetric encryption algorithm with a 256-bit key. The underlying algorithm used by BitLocker, FileVault, 7-Zip, VeraCrypt, and many cloud providers for encryption at rest.
- At rest (encryption)
  - Encryption applied to data stored on a disk or in a cloud bucket, as opposed to encryption applied while data is moving over a network ("in transit").
- Backup, immutable
  - A backup that cannot be modified or deleted for a defined retention period, even by an administrator or attacker with valid credentials. Critical for ransomware resilience.
- BitLocker
  - Full-disk encryption built into supported editions of Windows. Encrypts the contents of the system drive using AES.
- CIA triad
  - Confidentiality, Integrity, Availability. The three properties traditionally used to describe information security goals.
- Client-side encryption
  - Encryption that happens on your device before data is uploaded to a cloud service, so that the cloud provider cannot read your files even if compelled.
- Cryptographic erasure
  - Destroying data by deleting or overwriting the key that encrypted it, rendering the ciphertext useless. Particularly relevant for SSDs, where physical overwriting is unreliable.
- End-to-end encryption (E2EE)
  - Encryption where only the endpoints (sender and recipient) can decrypt the content. The service carrying the message, even if compromised, cannot read it.
- FileVault
  - Apple's full-disk encryption for macOS, using AES-XTS with a key stored in the Secure Enclave on Apple-silicon Macs.
- HSTS
  - HTTP Strict Transport Security. A web security header that tells browsers to only connect to a site over HTTPS, preventing downgrade attacks.
- In transit (encryption)
  - Encryption applied to data moving between two systems over a network, typically via TLS/HTTPS.
- Key management
  - The practices and systems used to generate, store, rotate, and retire cryptographic keys. Often the weakest link in an otherwise strong encryption setup.
- Passphrase
  - A long password, typically a sequence of words, used to derive an encryption key. Longer than a typical password; easier to remember than a random string.
- Password manager
  - Software that generates, stores, and fills strong, unique passwords for each of your accounts. Reduces the number of secrets you need to remember to one.
- Ransomware
  - Malicious software that encrypts a victim's files and demands payment for the decryption key. Modern variants also steal data before encrypting, threatening to publish it.
- Shared responsibility model
  - In cloud services, the division of security responsibilities between the provider (the infrastructure) and the customer (the configuration and data).
- Threat model
  - An explicit statement of who you are defending against, what you are defending, and what attacks you are taking seriously. A necessary precondition for useful security decisions.
- TLS
  - Transport Layer Security, the cryptographic protocol that makes HTTPS work. Provides confidentiality, integrity, and authentication for network connections.
- VeraCrypt
  - Open-source disk and file encryption software, successor to TrueCrypt. Commonly used to create encrypted container files.
- Zero-knowledge
  - Marketing term meaning the service provider cannot read your data. Usually a synonym for client-side or end-to-end encryption. Verify the technical claim before trusting the label.