The Vault uses a three-layer encryption scheme:

Layer 1: Device Encryption Key

Layer 2: Vault Master Encryption Key

Layer 3: Content Encryption Keys

Vault Encryption Model (v0)

The Vault uses Envelope Encryption:

  1. Master Key (root secret)

    3.1 Master Key

  2. Encryption Key (derived from Master Key)

    3.2 Encryption Keys (derived)

  3. Data encrypted with symmetric AEAD

    3.3 Encryption Scheme

  4. Key commitment stored externally

    3.4 Storage Format (unified object)
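The four steps of the v0 envelope model, as an added example that is not the Vault's own code: a key is derived from the master key, data is sealed with an AEAD, and a key commitment is stored beside the ciphertext and checked before decryption. The primitives (HKDF-SHA256, AES-256-GCM, HMAC-SHA256), the labels `vault/enc` and `vault/commit`, and the object layout are assumptions, since the outline names none of them.

```javascript
const crypto = require('crypto');

// Assumed primitives (the page names none): HKDF-SHA256, AES-256-GCM, HMAC-SHA256.
function deriveKey(masterKey, info) {
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// Key commitment: a value bound to the derived key, kept outside the ciphertext.
function commitTo(encKey) {
  return crypto.createHmac('sha256', encKey).update('vault/commit').digest();
}

function seal(masterKey, plaintext, aad) {
  const encKey = deriveKey(masterKey, 'vault/enc');
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per object
  const cipher = crypto.createCipheriv('aes-256-gcm', encKey, nonce);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag(), commitment: commitTo(encKey) };
}

function open(masterKey, sealed, aad) {
  const encKey = deriveKey(masterKey, 'vault/enc');
  const expected = commitTo(encKey);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (sealed.commitment.length !== expected.length ||
      !crypto.timingSafeEqual(expected, sealed.commitment)) {
    throw new Error('key commitment mismatch');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', encKey, sealed.nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(sealed.tag);
  // final() throws if the ciphertext, tag, nonce or AAD was altered.
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]);
}

// Constructed sample values, for demonstration only.
const demoMaster = Buffer.alloc(32, 1);
const demoAad = Buffer.from('object-1'); // hypothetical object identifier
const demoSealed = seal(demoMaster, Buffer.from('db-password'), demoAad);
console.log(open(demoMaster, demoSealed, demoAad).toString());
```

AES-GCM on its own does not commit to the key, which is why the commitment is compared before the AEAD tag is checked.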