Derived from:

• user secret (PIN, passphrase, biometric)
• device-specific salt

Used to encrypt:

• attribute leaves
• document blobs
• policy bundles

Can be re-derived after recovery.