Terms & glossary
Plain-language definitions of the storage, cryptography and tooling terms used across these manuals.
Storage & the S3 ecosystem
S3 — the de-facto standard API for storing files as objects in buckets. Originally an Amazon service, “S3” now means the protocol; dozens of tools speak it. KerPlace is S3-compatible, so you are not locked to one vendor.
Bucket — a top-level container for objects, like a drive or top-level folder.
Object — a stored item: its bytes plus metadata (size, type, timestamps, an ETag). Identified by a key (its name/path within a bucket).
ETag — a short tag S3 returns for an object. For a plain single-request upload it is the hex MD5 of the bytes, so a client can recompute it after a download to catch corruption. It is not a general checksum: multipart uploads get a different value (AWS uses the MD5 of the parts' MD5s with a “-N” part-count suffix), and for an encrypted object KerPlace returns an opaque tag (as AWS does for SSE-KMS and SSE-C objects). Treat the ETag as a change marker unless you know the object was a plain upload.
Versioning — keeping an object’s history instead of overwriting it.
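As an added example (not code from the KerPlace repository), the ETag rules above worked through in Go: the single-part tag, the multipart form AWS and MinIO use (MD5 over the parts' MD5 digests, then "-N" for N parts) and a download check that handles both. That KerPlace forms multipart ETags the same way is an assumption of this example; the opaque tag of an encrypted object cannot be checked this way at all.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ETagSinglePart is the tag S3 reports for a plain single-request upload:
// the hex MD5 of the object bytes.
func ETagSinglePart(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// ETagMultipart reproduces the AWS/MinIO multipart form: MD5 over the
// concatenated MD5 digests of each part, then "-<number of parts>".
// partSize must be the size the uploader used, otherwise the value differs.
func ETagMultipart(data []byte, partSize int) string {
	if partSize <= 0 {
		return ""
	}
	var digests []byte
	parts := 0
	for off := 0; off < len(data); off += partSize {
		end := off + partSize
		if end > len(data) {
			end = len(data)
		}
		d := md5.Sum(data[off:end])
		digests = append(digests, d[:]...)
		parts++
	}
	sum := md5.Sum(digests)
	return hex.EncodeToString(sum[:]) + "-" + strconv.Itoa(parts)
}

// VerifyETag compares downloaded bytes with the ETag the server reported,
// handling both forms (S3 sends the value quoted, so quotes are stripped).
// A false result means corruption only for plain uploads: an encrypted
// object's tag is opaque and will never match, so consult the object's
// encryption metadata before treating this as an integrity failure.
func VerifyETag(data []byte, etag string, partSize int) bool {
	etag = strings.Trim(strings.TrimSpace(etag), `"`)
	if i := strings.IndexByte(etag, '-'); i >= 0 {
		n, err := strconv.Atoi(etag[i+1:])
		if err != nil || n < 1 || partSize <= 0 {
			return false
		}
		// Cheap pre-check: the part count implied by partSize must match.
		if (len(data)+partSize-1)/partSize != n {
			return false
		}
		return ETagMultipart(data, partSize) == etag
	}
	return len(etag) == 32 && ETagSinglePart(data) == etag
}

func main() {
	data := []byte("constructed sample object bytes") // 31 bytes, constructed input
	fmt.Println(ETagSinglePart(data))
	fmt.Println(ETagMultipart(data, 8)) // 4 parts of up to 8 bytes
	fmt.Println(VerifyETag(data, `"`+ETagMultipart(data, 8)+`"`, 8))
}
```

The part-count pre-check matters in practice: a mismatch caused by guessing the wrong part size looks identical to corruption, so clients such as the AWS CLI record the part size they used rather than inferring it.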
Cryptography & key custody
PQC (post-quantum cryptography) — cryptographic algorithms designed to resist attacks by large quantum computers, which would break the RSA and elliptic-curve key exchange that protects most data today. See Post-quantum encryption.
ML-KEM — the post-quantum key-encapsulation mechanism KerPlace uses to protect each object's key, standardized by NIST as FIPS 203. A KEM does not encrypt data directly: it produces a shared secret that then serves as a wrapping key. It comes in three parameter sets (ML-KEM-512, -768 and -1024); ML-KEM-1024 is the strongest.
AES-256-GCM — the fast, authenticated cipher KerPlace uses to encrypt the object bytes. Authenticated means decryption also checks a 16-byte tag, so a modified ciphertext is rejected instead of silently decrypting to garbage. Its one hard rule: a nonce must never be reused under the same key, or both confidentiality and the tag's protection are lost.
DEK (data-encryption key) — a unique random key per object that encrypts that object.
KEK (key-encryption key) — the higher-level key that wraps the DEKs. Whoever holds it controls access; where it lives is the heart of the security model.
KMS (key-management service) — a hardened service that holds keys and performs wrap/unwrap so the keys never leave it. KerPlace can delegate its KEK to an external KMS.
Vault — HashiCorp Vault, a widely used secrets-management server (open source until its 2023 move to the Business Source License) that KerPlace can use as an external KMS for revocable key custody. Vault also supports Shamir (K-of-N) unseal: after a restart, several operators must each present a key share before it will serve keys, so no single person can bring the service up alone.
Envelope encryption — encrypt data with a per-object DEK, then encrypt (wrap) the DEK with the KEK and store the wrapped DEK beside the ciphertext. Rotating or revoking the KEK then touches only the small wrapped DEKs, never the objects themselves.
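The DEK, KEK, AES-256-GCM and envelope-encryption entries above, worked through in Go as an added example (not KerPlace's code). The wrap step uses a symmetric AES-256-GCM KEK as a stand-in for the ML-KEM-derived wrapping key KerPlace describes, and binding the object key as associated data is this example's choice, not a documented KerPlace behaviour. It shows the three things the definitions promise: a tampered ciphertext is rejected, the wrong KEK cannot unwrap, and rotating the KEK re-wraps the DEK without touching the object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnvelopeObject is what a store keeps beside an object: the AES-256-GCM
// ciphertext plus the DEK wrapped under the KEK. Nonces are not secret.
type EnvelopeObject struct {
	Nonce      []byte // 12-byte GCM nonce used for the object bytes
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
	WrapNonce  []byte // nonce used when wrapping the DEK
	WrappedDEK []byte // DEK encrypted under the KEK (ciphertext || tag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce; aad is authenticated too.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// unseal reverses seal and returns an error on any tampering.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt is envelope encryption: a fresh 256-bit DEK encrypts the bytes, then
// the DEK is wrapped under the 32-byte KEK. Object key as AAD is this example's choice.
func Encrypt(kek, objectKey, plaintext []byte) (*EnvelopeObject, error) {
	dek := make([]byte, 32) // random DEK used for this object only
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, objectKey)
	if err != nil {
		return nil, err
	}
	wn, wrapped, err := seal(kek, dek, objectKey)
	if err != nil {
		return nil, err
	}
	return &EnvelopeObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wn, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object bytes; a
// wrong KEK, a wrong object key or a flipped bit all surface as an error.
func Decrypt(kek, objectKey []byte, obj *EnvelopeObject) ([]byte, error) {
	dek, err := unseal(kek, obj.WrapNonce, obj.WrappedDEK, objectKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, obj.Nonce, obj.Ciphertext, objectKey)
}

// RotateKEK re-wraps only the DEK under a new KEK; the object ciphertext is
// untouched, which is the operational payoff of envelope encryption.
func RotateKEK(oldKEK, newKEK, objectKey []byte, obj *EnvelopeObject) error {
	dek, err := unseal(oldKEK, obj.WrapNonce, obj.WrappedDEK, objectKey)
	if err != nil {
		return err
	}
	wn, wrapped, err := seal(newKEK, dek, objectKey)
	if err != nil {
		return err
	}
	obj.WrapNonce, obj.WrappedDEK = wn, wrapped
	return nil
}

func main() {
	kek := make([]byte, 32) // constructed KEK; KerPlace would keep it in the KMS
	rand.Read(kek)
	obj, _ := Encrypt(kek, []byte("photos/cat.jpg"), []byte("constructed sample"))
	pt, err := Decrypt(kek, []byte("photos/cat.jpg"), obj)
	fmt.Println(string(pt), err)
}
```

One caveat the example makes visible: the KEK wraps many DEKs under random 96-bit nonces, and NIST SP 800-38D caps that at 2^32 invocations per key. A per-object DEK is used once, so that bound only matters for the KEK, which is one more reason to keep wrap/unwrap inside a KMS that counts and rotates.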
Tools & filesystem access
mc — the MinIO Client, a friendly S3 command-line tool. Works with KerPlace unchanged.
alias — a nickname you give a server in a client so you don’t retype its URL and credentials (other tools call it a “remote”, “profile” or “host”).
FUSE (Filesystem in Userspace) — a kernel interface (Linux, also macOS and the BSDs) that lets an ordinary user-space program serve a filesystem. Adapters built on it present a bucket as a mounted folder, so you can cd into it and read/write files that map to S3 calls underneath. Each file operation becomes one or more HTTP requests, so expect weaker POSIX behaviour than a local disk: a rename is a copy plus a delete, there is no locking, and changing part of a file re-uploads the object.
s3fs — a specific FUSE adapter that mounts an S3 bucket as a folder.
rclone — a versatile tool to copy/sync files between storage backends; speaks S3 and can also mount a bucket as a folder.
Erasure coding (Reed-Solomon) — splitting each object into N data shards plus M parity shards spread across drives. Any N of the N+M shards rebuild the object, so it survives losing up to M drives at a storage cost of (N+M)/N instead of the full copies mirroring needs. Per-shard checksums catch silent corruption (bit rot) and tell the decoder which shard to treat as lost, since Reed-Solomon repairs known erasures far more cheaply than errors of unknown position.
Full detail, source & scripts in the repository → https://github.com/agalletero/kerplace/blob/main/docs/GLOSSARY.md