What is Key Wrapping?
Key wrapping is a cryptographic operation that encrypts a key (the payload key) using another key (the wrapping key or key encryption key), providing confidentiality and integrity protection for key material during storage or transport.
Also known as: key wrap, AES-KW (the most common algorithm). The wrapping key is also called a key encryption key (KEK); the key being wrapped is the payload key or data encryption key (DEK).
Key wrapping addresses a practical problem in cryptographic systems: how do you protect encryption keys themselves? If a data encryption key is stored in plaintext, anyone with access to the storage can use it. Key wrapping solves this by encrypting the data key with a separate wrapping key, creating a layered key hierarchy where access to the encrypted data requires possessing both the wrapped key and the means to unwrap it.
AES-KW (AES Key Wrap, defined in RFC 3394) is the most widely used key wrapping algorithm. Unlike general-purpose encryption modes, AES-KW is specifically designed for wrapping key material. It provides both confidentiality and integrity: the wrapped output carries a 64-bit check value, and if the wrapping key is wrong or the wrapped data has been tampered with, the unwrap operation fails rather than producing incorrect key material. This integrity check is critical because silently producing a wrong key would lead to decrypting data into garbage without any error indication. Two properties matter in practice. AES-KW is deterministic, with no nonce or IV: wrapping the same key twice under the same KEK yields identical output. That is acceptable for uniformly random keys, which is what it is meant for, but it is one reason AES-KW should not be treated as a general-purpose encryption mode for arbitrary data. And RFC 3394 only wraps inputs whose length is a multiple of 64 bits (and at least 128 bits); for other lengths, RFC 5649 defines AES-KWP, a padded variant. Each wrapped key is 8 bytes longer than the key it protects.
Key wrapping is foundational to key management systems, HSMs (Hardware Security Modules), and envelope encryption schemes used by cloud providers. In envelope encryption, data is encrypted with a data key, and the data key is wrapped with a master key. This pattern allows efficient key rotation — when the master key changes, only the small wrapped keys need re-encryption, not the entire dataset.
How Vaulted uses Key Wrapping
Vaulted uses AES-KW key wrapping when a passphrase is set on a secret. The flow works as follows: the browser generates a random AES-256-GCM key for encrypting the secret, then derives a wrapping key from the passphrase using PBKDF2 with a random salt. The AES-256-GCM key is wrapped (encrypted) using AES-KW with the derived wrapping key. The wrapped key, salt, and GCM IV are included in the URL fragment. The recipient enters the passphrase, re-derives the wrapping key via PBKDF2 from the same salt, unwraps the AES-256-GCM key, and decrypts the secret. A wrong passphrase produces a different wrapping key, so the unwrap step fails with an error rather than yielding a bogus data key. Because browsers do not send the fragment to the server, the server never sees the wrapped key; anyone who obtains the link does, however, so the strength of the passphrase and the PBKDF2 work factor are what stand between the link holder and the secret.