Encryption-and-Key-Management

Symmetric encryption protects data by using the same secret key to encrypt and decrypt the information.

Asymmetric encryption uses a public and private key pair so data can be protected or verified without sharing one single secret key.

Public key infrastructure is the trust framework that manages key pairs, certificates, and authorities so systems can verify identity and establish trust.

A digital certificate binds a public key to an identity so systems can evaluate whether they should trust that key.

A certificate authority issues and signs certificates that other systems may trust as part of a public key infrastructure.

Key rotation is the practice of replacing cryptographic keys on a defined schedule or when risk changes so long-lived exposure is reduced.

Hashing transforms input data into a fixed-length value that is useful for integrity checks, comparison, and secure password-storage workflows.

A digital signature uses cryptographic keys to help prove who signed data and whether that data changed afterward.

TLS is the protocol family widely used to protect data in transit by authenticating endpoints and establishing encrypted communication.

Perfect forward secrecy helps ensure that compromise of a long-term key does not automatically expose past encrypted sessions.

Key escrow is the practice of storing a recoverable copy of a cryptographic key with a trusted authority or process.

A hardware security module is a dedicated device or managed service designed to protect cryptographic keys and perform sensitive cryptographic operations.

Certificate revocation is the process of marking a certificate as no longer trustworthy before its normal expiration date.

The Online Certificate Status Protocol is a way for systems to check whether a certificate has been revoked without relying only on expiration dates.

Salting is the practice of adding unique random data to a value before hashing it so identical inputs do not produce the same stored result.

Mutual TLS is a form of TLS where both sides of the connection authenticate with certificates instead of only the server doing so.

Envelope encryption is a design where data is encrypted with one key and that key is then protected with another key used for stronger centralized control.

Certificate Transparency is a public logging approach that helps detect whether certificates have been issued in ways that should be reviewed or questioned.

Certificate pinning is a trust restriction that tells an application to accept only specific certificates or public keys for a destination instead of relying on the full public trust store alone.

Secure transport is the broader practice of protecting data while it moves between systems so communication remains confidential, intact, and appropriately authenticated.