5 exercises on the language of cryptography and secrets management — the exact terms used in data-protection policies, key-management docs, and security checklists.
Key patterns in this set
encrypt at rest & in transit — the two states of data protection
manage secrets in a secrets manager; never hard-code
end-to-end encryption; a CA issues a certificate
1 / 5
A data-protection design note reads:
"We encrypt every record ___ using AES-256 on the storage volume, and we also encrypt it ___ with TLS while it travels between services."
Which pair of phrases correctly fills the two blanks?
Encrypt at rest / in transit.
These are the two canonical states of data protection:
at rest — data stored on disk, in a database, or in a backup (protected by disk/volume/field encryption)
in transit (also in motion) — data moving across a network (protected by TLS/HTTPS/mTLS)
some frameworks add in use — data being processed in memory (confidential computing)
The phrases "in storage", "when idle", "on cable", "on the wire only" are informal paraphrases, not the standard compliance vocabulary you will see in SOC 2, ISO 27001, and cloud docs. Usage: "all customer data is encrypted at rest and in transit by default."
2 / 5
A key-management policy states:
"We ___ the data-encryption keys every 90 days through the KMS, so even a leaked key only exposes a bounded window of data."
Which verb is the standard collocation for periodically replacing cryptographic keys?
Rotate keys.
"Rotate keys" is the standard cryptographic term for periodically replacing keys while keeping older versions available to decrypt old data. It limits the blast radius of any single compromised key.
key rotation — the scheduled process
KMS — Key Management Service (AWS KMS, Cloud KMS, Vault)
envelope encryption — a data key encrypted by a key-encryption key (KEK)
"Swap", "recycle", and "refresh" are not the established verb here — only "rotate" carries the versioned, scheduled meaning recognised across cryptography and compliance. Note the parallel: you also rotate credentials and rotate certificates. Usage: "automatic key rotation is enabled on every KMS key."
3 / 5
A secure-authentication guide explains password storage:
"Never store passwords in plaintext. Instead, ___ each password with a slow algorithm like bcrypt or Argon2, and add a unique random ___ per user so identical passwords produce different stored values."
Which pair of terms fills the blanks?
Hash a password, add a salt.
Passwords should be hashed, not encrypted:
hash — a one-way function (bcrypt, scrypt, Argon2) that cannot be reversed; you verify by re-hashing the input
salt — a unique random value mixed into each password before hashing so identical passwords yield different hashes and rainbow tables fail
pepper — a secret added to all passwords, stored separately (a real but secondary concept)
Why the distractors are wrong: encrypt is reversible (wrong for passwords); encode (e.g. Base64) provides no security; sign is for integrity/authenticity, not storage. A nonce is a number used once in protocols, not password storage. Usage: "we hash passwords with Argon2id and a per-user salt."
4 / 5
A platform-security checklist reads:
"Application code must never contain hard-coded API keys or database passwords. All secrets must be stored in and retrieved from a dedicated secrets ___ such as HashiCorp Vault."
Which word completes the standard term for tooling that securely stores credentials?
Secrets manager.
A "secrets manager" is dedicated tooling that securely stores, controls access to, audits, and rotates sensitive values (API keys, DB passwords, certificates). The corresponding verb phrase is "manage secrets".
hard-coded secret — the anti-pattern of putting a secret in source code
secret scanning — detecting committed secrets in repos (e.g. gitleaks)
"Secrets folder/database/cache" miss the point — a plain database or folder lacks the access control, rotation, and audit logging that define a secrets manager. Usage: "the CI pipeline pulls credentials from the secrets manager at runtime; nothing is committed to git."
5 / 5
A messaging app's security page states:
"Conversations use ___: messages are encrypted on the sender's device and can only be decrypted on the recipient's device, so not even our servers can read them."
Which term names this model, and which related artefact does a Certificate Authority (CA) issue to bind a public key to an identity?
End-to-end encryption; a certificate.
"End-to-end encryption (E2EE)" means only the communicating endpoints hold the keys — intermediaries (including the service provider) cannot read the content. Signal, WhatsApp, and iMessage use it.
end-to-end encryption (E2EE) — keys live only at the endpoints
certificate — a CA-signed document binding a public key to an identity (X.509, used in TLS)
certificate authority (CA) — the trusted third party that signs and issues certificates; certificate revocation list (CRL) — the CA-published list of certificates withdrawn before their expiry date
The distractors are not real models: "edge-to-edge", "point-to-point" (a vague networking phrase), and "host-to-host" do not describe E2EE; and a CA issues a certificate, not a token, licence, or keystore (a keystore merely holds keys/certs). Usage: "we offer end-to-end encryption and pin the server certificate."