
Crypto4: Make vault encryption keys immutable over algorithm changes #781

@hvge

Description


The current implementation of secure vault encryption has a critical limitation: the vault encryption key changes whenever the activation algorithm changes. Although we don’t yet support algorithm migration in applications, this issue will become critical once that feature is introduced. To ensure stability and backward compatibility, we should make the key exposed to applications immutable across algorithm changes.

Current situation

  • When the application requests a vault encryption key:
    • The SDK returns the key as provided by the server.
    • Unfortunately, this key depends on the selected PowerAuth algorithm, and will therefore change once the algorithm changes.

Proposed solution

To make the vault key immutable while still maintaining cryptographic flexibility:

  • During activation (or upgrade):
    • Generate two 32-byte random values — one for each secure vault key type.
    • Encrypt both random values using the volatile vault encryption keys and the UKE (Unauthenticated Key Encryption) scheme.
    • Store the resulting encrypted blobs in persistent storage.
  • When the application requests a vault encryption key:
    • Fetch the current vault encryption key from the server.
    • Decrypt the corresponding stored random value using UKE.
    • Return the decrypted key to the application.

Advantages

  • The key material returned to the application remains stable, even if the underlying PowerAuth algorithm changes.
  • Future algorithm migrations can be handled transparently by simply re-encrypting the stored random values with the new vault encryption keys.
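The following is an added Go example illustrating the proposed flow (activation, key request, and the re-wrapping migration mentioned above); it is not code from the PowerAuth SDK or from the issue author. It makes several assumptions: the UKE scheme is modelled as AES-256-GCM under the volatile vault encryption key, the two key types are given the placeholder names `VaultKeyA` and `VaultKeyB`, the server-fetched volatile key is simply passed in as a parameter, and persistent storage is an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyType distinguishes the two secure vault key types the issue mentions.
// The two names are placeholders for this example, not SDK identifiers.
type KeyType int

const (
	VaultKeyA KeyType = iota
	VaultKeyB
)

// WrappedKey is the blob kept in persistent storage: nonce || ciphertext || GCM tag.
type WrappedKey []byte

// VaultStore stands in for the SDK's persistent storage (assumption: an in-memory map).
type VaultStore map[KeyType]WrappedKey

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// newGCM builds an AES-256-GCM AEAD under a volatile vault key. AES-GCM is an
// assumption standing in for UKE, whose construction the issue does not show.
func newGCM(volatileKey [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(volatileKey[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrap encrypts a random vault value under the volatile key with a fresh nonce.
func wrap(volatileKey [32]byte, value []byte) (WrappedKey, error) {
	gcm, err := newGCM(volatileKey)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, nil), nil
}

// unwrap decrypts and authenticates a stored blob; a wrong volatile key fails here.
func unwrap(volatileKey [32]byte, blob WrappedKey) ([]byte, error) {
	gcm, err := newGCM(volatileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("wrapped vault key blob is too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Activate performs the activation steps: one fresh 32-byte value per key type,
// each wrapped under that key type's current volatile vault encryption key.
func Activate(volatileKeys map[KeyType][32]byte) (VaultStore, error) {
	store := VaultStore{}
	for kt, vk := range volatileKeys {
		value, err := randomBytes(32)
		if err != nil {
			return nil, err
		}
		blob, err := wrap(vk, value)
		if err != nil {
			return nil, err
		}
		store[kt] = blob
	}
	return store, nil
}

// VaultKey answers an application request: the caller passes the volatile key it
// fetched from the server and receives the stable decrypted random value.
func VaultKey(store VaultStore, kt KeyType, currentVolatileKey [32]byte) ([]byte, error) {
	blob, ok := store[kt]
	if !ok {
		return nil, errors.New("no wrapped value stored for this key type")
	}
	return unwrap(currentVolatileKey, blob)
}

// Migrate re-wraps every stored value under the new algorithm's volatile keys,
// so the value the application sees does not change.
func Migrate(store VaultStore, oldKeys, newKeys map[KeyType][32]byte) (VaultStore, error) {
	out := VaultStore{}
	for kt, blob := range store {
		value, err := unwrap(oldKeys[kt], blob)
		if err != nil {
			return nil, fmt.Errorf("key type %d: %w", kt, err)
		}
		rewrapped, err := wrap(newKeys[kt], value)
		if err != nil {
			return nil, err
		}
		out[kt] = rewrapped
	}
	return out, nil
}
```

The key property to check is that `VaultKey` returns byte-identical material before and after `Migrate`, while a stale volatile key no longer unwraps anything once the blobs have been re-wrapped. Because the stored value is authenticated, a blob re-wrapped under the wrong key type's volatile key is also rejected rather than silently yielding garbage.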

Acceptance criteria

No response

Technical specification

No response

QA specification

No response
