Glossary of Terms


An adversary is a person or entity with motivation to compromise your data. Identifying this set of actors is a key component in a risk assessment exercise.


An asset refers to data you value and take steps to maintain control over who or what has access to it. Taking stock of your digital assets is the first step in a risk assessment exercise.

disk image, file container

A file created as a copy of a storage volume or media. It is typically used to hold data for storage, or a compressed version of software. We refer to “disk image” and “file container” interchangeably.


An approach to protecting the content of data by running it through an algorithm that effectively scrambles it, rendering it readable only to those who have the key.

end-to-end encryption

A method to scramble data such that only the sender and the intended recipient(s) have the ability to make content readable. Service providers don't have access to content when end-to-end encryption is applied.


A device that communicates with others on a network, such as a smartphone or computer. We interact with these devices on a daily basis; they put the "end" in end-to-end encryption. See end-to-end encryption.

evil maid attack

A scenario in which an attacker compromises an unattended device by infecting it with malware or another form of physical tampering.


A program crafted to take advantage of a flaw in a system, with the intention of granting the attacker access to data and other valuable resources on the affected system. See vulnerability.

faraday box

A case made with material that blocks electromagnetic currents. If you want to increase your location privacy while in the field, block the signals emanating from your phone by placing it in one of these cases.

full disk encryption

A process that encrypts all the data stored on the hard disk of a device while it powers down. This prevents someone without the decryption key from reading or tampering with your device's data.

intrusion detection

A set of techniques designed to signal that a device has been tampered with while left unattended. You can use intrusion detection to indicate an evil maid attack has occurred. See “evil maid” attack.


A programming language most commonly used for web development. Disabling JavaScript in the browser will stop some ads and malicious content from loading on webpages, but may decrease functionality on web pages that depend on it.


A malicious program created to keep a record of everything you type into a device. Attackers use keyloggers to harvest sensitive data like passwords and correspondence.


Refers to pair of keys made up of a public and private key that are used in public key cryptography. The public key is used if you want to encrypt a message to someone, or verify a signed message from someone else. The private key can decrypt messages intended for you, and sign messages as yourself to send to others. See public key cryptography.

local data

Local data (or, “data at rest”) refers to the memory stored on a device's hard disk. Contrasted with data accessed on cloud platforms, local storage rests on a device you own.


Shorthand for "malicious software," malware is designed to make your computer act on an attacker's behalf. Typically delivered through malicious messages or webpages, this software is used to harvest passwords, take down websites, and record audio and video.

operating system

The base software that powers your computer, typically one of Windows, macOS, or a Linux distribution.


Passphrases are conceptually the same as passwords, but tend to be longer for additional security.

password manager

A program that securely stores usernames and passwords for all of your accounts. In addition to secure credential storage, you can use a password manager to generate cryptographically strong passwords.

Pretty Good Privacy (PGP)

Pretty Good Privacy, or PGP for short, is a standard for public key cryptography that is commonly used for sending and receiving encrypted emails. The most popular implementation of PGP is similarly named GPG. See public key cryptography for more.


A scheme of using fraudulent emails or web pages disguised as legitimate ones to trick users into entering private information. See social engineering.


An additional piece of software that integrates with an existing product.

private key

In encryption systems that rely on public key cryptography, such as PGP, a private key is used to decrypt messages, and should therefore not be shared. See public key cryptography

public key

In encryption systems that rely on public key cryptography, such as PGP, a public key is used to encrypt messages, and can be shared widely with others. See public key cryptography

public key cryptography

Based around pairs of keys, each person has a public key that is disseminated widely and a private key that is securely stored and only known to the owner. See keypair.

recovery key

A long series of characters that Apple and Microsoft provide when creating an encrypted disk that should be kept in a secure place. If you lose the password to the disk, the recovery key can be used to unlock it.

risk assessment

An exercise that identifies the potential risks and adversaries you face, how likely they are to succeed, and how much effort you should invest in protecting against their efforts

social engineering

Tricking a user into divulging sensitive information through techniques like impersonation and phishing.

The Onion Router (Tor)

Tor encrypts your network traffic across multiple servers, masking the source more strongly than a VPN would. Tor Browser also features anti-fingerprinting measures to further protect your privacy.

transit encryption

Most internet communication between multiple people go through third-party servers. Transit encryption ensures that network traffic between individuals and the server is encrypted, but the server can still see the message unencrypted. See also end-to-end encryption.

travel phone/computer

A travel device has only the bare minimum of necessary information on it, intended for use in situations in the field.

Two-factor authentication (2FA)

A second layer of authentication, after your password, that is needed to log into an account. The authentication step usually takes the form of a random code generated on a mobile application or sent via an SMS message, though it can also be transmitted through a hardware token. See USB security token.

security key

A device that can be thought of as a digital key to unlock access to specific accounts. These devices are typically used as a second-factor. See two-factor authentication.

Virtual Private Network (VPN)

Virtual Private Networks route all of your internet traffic through someone else's server, masking your device as the source. When your VPN is on, your VPN service doing the internet-ing on your behalf.


A flaw in a software program that potentially opens up security or privacy holes. Check regularly for software updates that might address vulnerabilities. See exploit.