ADR-022 wires the three controls ADR-015 specified but left without registration paths (C1-C4 from review #001): composition authority, scoped env, and capabilities now enter through a HandlerRegistration bundle. Provenance (Local, FromOpenAPI, FromMCP, FromCall, Session) determines which ops can compose — leaves don't get composition authority. CompositionAuthority replaces handler_identity: Identity (it's a declared authority bundle, not a peer identity). Capabilities are per-request from the bundle (resolves closure-capture vs context ambiguity). Kernel/user analogy: user's authority checked at External gate; handler's composition authority used inside; scoped env bounds reachability. Also fixes W1 (stale ADR-020 path example) and W3 (from_mcp missing from adapter lists in operation-registry.md). Spec updates: operation-registry.md (OperationRegistry, HandlerRegistration, OperationContext, OperationEnv, registration example, capability injection), call-protocol.md (build_root_context), README.md, overview.md, open-questions.md (OQ-23), call/README.md.
9.7 KiB
ADR-020: HD Derivation for Encryption Keys
Status
Accepted
Context
The vault encrypts external credentials (API keys, OAuth tokens) that cannot be derived from the BIP39 seed — they're arbitrary bytes. The encryption key for AES-256-GCM must come from somewhere. Two approaches exist:
The TypeScript predecessor
The @alkdev/storage library (/workspace/@alkdev/storage/src/graphs/crypto.ts)
implemented credential encryption before the vault existed. It uses
PBKDF2 (Password-Based Key Derivation Function 2) with a password and
salt:
key = PBKDF2(password, salt, iterations=100_000, hash=SHA-256, output=32 bytes)
- The password is the secret (a user-provided string, not a BIP39 seed)
- The salt is 16 bytes, randomly generated per encryption, and is load-bearing — it participates in key derivation
- Iterations: 100,000 for key_version=1, 200,000 for key_version=2
- The resulting key is used for AES-256-GCM encryption
This was the right design before the vault existed: without a BIP39 seed, PBKDF2 from a password was the only option. The salt prevents rainbow-table attacks, and the iteration count slows brute-force.
The vault's approach
The vault derives the encryption key from the BIP39 seed via SLIP-0010
HD derivation at path m/74'/2'/0'/0':
seed → SLIP-0010 derive(m/74'/2'/0'/0') → first 32 bytes → AES-256-GCM key
- The seed is the secret (64 bytes, derived from the BIP39 mnemonic)
- The salt is generated (32 bytes) but not used in key derivation —
it's stored in
EncryptedData.saltfor forward compatibility - No PBKDF2, no iteration count, no password stretching
- The key is deterministic: the same mnemonic + path always produces the same key
Why HD derivation is better now
With the vault in place, HD derivation is strictly better than PBKDF2 for credential encryption:
-
No password to manage. The BIP39 mnemonic is already the root of trust. PBKDF2 requires a separate password — another secret to manage, lose, or have stolen. HD derivation uses the seed that already exists.
-
Deterministic and reproducible. The same mnemonic always produces the same encryption key at the same path. A backup node derives the same key. PBKDF2 with a different password produces a different key — there's no way to reproduce the key without the exact password.
-
No iteration overhead. PBKDF2 with 100k iterations is intentionally slow (that's the point — it slows brute-force). HD derivation is a few HMAC operations — effectively instant. This matters when encrypting or decrypting multiple credentials at startup.
-
Domain separation via paths. Different encryption purposes can use different derivation paths (
m/74'/2'/0'/0'for v2,m/74'/2'/0'/1'for a future v3). PBKDF2 has no equivalent — the only versioning knob is the iteration count or the password. See ADR-021 for the version-indexed path scheme. -
The salt becomes unnecessary for key derivation. HD derivation doesn't need a salt — the path provides domain separation. The salt field in
EncryptedDatais kept for wire-format compatibility but does not participate in key derivation.
The compatibility problem
The EncryptedData wire format is the same across both implementations
(keyVersion, salt, iv, data — all base64-encoded strings). But the
key derivation is different:
- TS v1: PBKDF2(password, salt, 100k iterations) → key
- Rust v1: SLIP-0010(seed,
m/74'/2'/0'/0') → key
Data encrypted by the TS implementation cannot be decrypted by the vault — the keys are different even if the password equals the mnemonic. This is a hard incompatibility at the crypto layer, not a format issue.
Decision
1. HD derivation is the vault's encryption key derivation method
The vault uses SLIP-0010 HD derivation from the BIP39 seed at path
m/74'/2'/0'/0' (PATHS::ENCRYPTION) to produce the AES-256-GCM
encryption key. No PBKDF2. No password-based key derivation. The seed is
the sole secret input.
2. The salt field is unused in vault-encrypted data
The EncryptedData.salt field exists in the wire format for compatibility
with the TS EncryptedDataSchema, but the vault does not use it for key
derivation. The vault generates a random salt and stores it (for wire-format
consistency), but it plays no cryptographic role. If a future KDF-based
derivation is needed (see "Future KDF" below), the field is already present.
3. key_version semantics
| Version | Key derivation | Used by | Decryptable by vault? |
|---|---|---|---|
| 1 | PBKDF2 (password + salt + 100k iterations) | TS @alkdev/storage |
No — different key |
| 2 | SLIP-0010 HD derivation (seed → m/74'/2'/0'/0') |
Rust vault | Yes |
The vault stamps key_version: 2 on new encryptions. CURRENT_KEY_VERSION
is 2.
The current source uses CURRENT_KEY_VERSION = 1 with HD derivation.
This is a drift from the spec — the source's v1 is HD-derived, but the TS
v1 is PBKDF2-derived. Same version number, different derivation. The source
must be updated to use key_version: 2 for HD-derived data, reserving v1
for the TS PBKDF2 legacy.
4. Migration path: TS → vault
TS-encrypted credentials (PBKDF2, key_version=1) are migrated to vault- encrypted credentials (HD derivation, key_version=2) through a one-time re-encryption:
- Decrypt the TS-encrypted data with the original password and PBKDF2
(using the TS
@alkdev/storagedecrypt()function or a migration tool that implements PBKDF2) - Re-encrypt the plaintext with the vault at
key_version: 2 - Replace the old
EncryptedDatablob in storage
The vault does not implement PBKDF2. The migration is performed by a
separate tool or script that has access to both the TS decrypt() function
and the vault's encrypt(). This is a one-time migration — once all data
is at key_version=2, PBKDF2 is no longer needed.
5. No PBKDF2 in the vault
The vault does not implement PBKDF2 and does not support decrypting
key_version=1 (TS PBKDF2) data. The vault's decrypt() method derives the
key via HD derivation and attempts decryption. If the data was encrypted
with PBKDF2 (TS), decryption fails (wrong key) — this is correct behavior,
not a bug. The migration tool handles the TS→vault transition.
6. Future KDF (not v2)
If a future use case requires KDF-based key derivation (e.g., stretching a
key derived from a non-seed source, or using a salt for additional domain
separation), it would be a new key_version with its own derivation method.
The salt field is available for this. This is additive — it doesn't
change v2 data. See OQ-22 (key rotation).
Consequences
Positive:
- One secret (the BIP39 seed) is the root of trust for both derived keys and encryption keys. No separate password to manage.
- Encryption key derivation is instant (HD derivation) vs. slow (PBKDF2 100k iterations). Startup with many credentials is fast.
- The encryption key is reproducible — a backup node with the same mnemonic derives the same key and can decrypt the same credentials.
- Domain separation via paths — future encryption purposes can use different paths without changing the wire format.
- Clean break from the TS approach. No PBKDF2 code in the vault. The vault is smaller and simpler.
Negative:
- TS-encrypted data cannot be decrypted by the vault. Migration requires a
separate tool with access to both the TS
decrypt()and the vault'sencrypt(). This is expected — the TS implementation is being replaced, not integrated. - The
saltfield is unused in v2. It occupies 44 bytes (base64-encoded 32 bytes) perEncryptedDatablob for no cryptographic purpose. This is the cost of wire-format compatibility — keeping the field means the struct doesn't need to change if a future KDF uses it. CURRENT_KEY_VERSIONmust change from 1 to 2 in the source. If any vault-encrypted data already exists at key_version=1 (with HD derivation), it would need re-encryption at key_version=2. In practice, the vault is pre-production, so this is a source change, not a data migration.
Assumptions
-
The TS
@alkdev/storageencrypted data is the only legacy. If other systems produce PBKDF2-encryptedEncryptedDatablobs, they need the same migration treatment. The assumption is that@alkdev/storageis the only consumer. -
The vault is pre-production. No significant amount of vault-encrypted data (HD derivation, key_version=1) exists in production. Bumping to key_version=2 is a source change, not a data migration. If vault-encrypted data does exist, it needs re-encryption at key_version=2 (decrypt with HD key at v1 path, re-encrypt at v2 — same key, just version bump).
-
The migration is one-time and one-directional. Once data is at key_version=2, there's no path back to PBKDF2. The TS
@alkdev/storagecrypto module becomes legacy after migration. -
The
saltfield's forward compatibility is worth the 44 bytes. If a future KDF is never needed, the salt field is wasted space. The assumption is that the cost is negligible (credentials are small, not bulk data) and the flexibility is worth it.
References
- ADR-018: Vault as standalone crate
- ADR-019: Vault assembly-layer-only access
- encryption.md — AES-256-GCM, EncryptedData
- mnemonic-derivation.md — SLIP-0010, PATHS::ENCRYPTION
- OQ-20: Salt/KDF Phase B (resolved by this ADR)
- OQ-22: Key rotation mechanism (still open — this ADR defines v2 but not the rotation workflow)
- TypeScript predecessor:
/workspace/@alkdev/storage/src/graphs/crypto.ts - TypeScript secret graph:
/workspace/@alkdev/storage/src/graphs/modules/secret-graph.ts