These are the changes as implemented in the above issue:
MasterKey is derived from the OPAQUE export key using "OPAQUE-derived Lock Keeper master key" as the domain separation string.
ExportKey should not be used for anything other than deriving MasterKey. MasterKey is derived immediately after ExportKey is known, after which ExportKey is discarded and MasterKey is cached within the Session.
MasterKey should not be used directly to encrypt anything; instead, specific domain-separated keys should be derived from it.
To encrypt the StorageKey, a key is derived from MasterKey using the user ID + the domain separator "storage key".
TBD, see also: https://github.com/boltlabs-inc/key-mgmt/issues/356
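
A sketch of the key hierarchy described above, added here as an example and not taken from Lock Keeper's code. HKDF-SHA256, the length-prefixed encoding of user ID plus separator, and the names `Session`, `storage_key_wrapping_key` and `length_prefixed` are assumptions; the page specifies only the two domain separation strings.

```python
import hashlib
import hmac

# Domain separation strings quoted on the page.
MASTER_KEY_DOMAIN = b"OPAQUE-derived Lock Keeper master key"
STORAGE_KEY_DOMAIN = b"storage key"


def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it under `info`."""
    if not 0 < length <= 255 * 32:
        raise ValueError("invalid output length")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def length_prefixed(*parts):
    """Assumed encoding: 2-byte length before each part, so field boundaries
    cannot shift (b"ab" + b"c" must not collide with b"a" + b"bc")."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Session:
    """Hypothetical session object: caches MasterKey, never stores ExportKey."""

    def __init__(self, export_key: bytearray):
        self._master_key = hkdf_sha256(export_key, MASTER_KEY_DOMAIN)
        # Discard ExportKey right away. Best effort only: Python cannot
        # guarantee that no other copy of the bytes exists in memory.
        export_key[:] = bytes(len(export_key))

    def storage_key_wrapping_key(self, user_id: bytes) -> bytes:
        """Key used to encrypt StorageKey: bound to the user ID and purpose."""
        info = length_prefixed(user_id, STORAGE_KEY_DOMAIN)
        return hkdf_sha256(self._master_key, info)
```

Because the user ID is part of the derivation input, the key that encrypts one user's StorageKey cannot decrypt another's, and any further purpose gets its own separator rather than reusing MasterKey.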