Generated per device.
Stored in secure enclave / TPM / keychain.
Used to decrypt:
If device is lost, device key is lost → attacker gets nothing.