@metamask-previews/keyring-controller 22.0.2-preview-a272c5e1 → 22.0.2-preview-cf465cec

package/dist/KeyringController.mjs

@@ -9,7 +9,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_cacheEncryptionKey, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_password, _KeyringController_encryptionKey, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_updateCachedEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_isEnvelopeEncryptionEnabled, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
+var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_encryptionKey, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_deriveEncryptionKey, _KeyringController_useEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
 function $importDefault(module) {
     if (module?.__esModule) {
         return module.default;
@@ -145,17 +145,6 @@ function assertIsValidPassword(password) {
         throw new Error(KeyringControllerError.InvalidEmptyPassword);
     }
 }
-/**
- * Assert that the provided cacheEncryptionKey is true.
- *
- * @param cacheEncryptionKey - The cacheEncryptionKey to check.
- * @throws If the cacheEncryptionKey is not true.
- */
-function assertIsCacheEncryptionKeyTrue(cacheEncryptionKey) {
-    if (!cacheEncryptionKey) {
-        throw new Error(KeyringControllerError.CacheEncryptionKeyDisabled);
-    }
-}
 /**
  * Checks if the provided value is a serialized keyrings array.
  *
@@ -246,7 +235,6 @@ export class KeyringController extends BaseController {
                 keyrings: { persist: false, anonymous: false },
                 encryptionKey: { persist: false, anonymous: false },
                 encryptionSalt: { persist: false, anonymous: false },
-                encryptedEncryptionKey: { persist: true, anonymous: false },
             },
             messenger,
             state: {
@@ -259,24 +247,17 @@ export class KeyringController extends BaseController {
         _KeyringController_vaultOperationMutex.set(this, new Mutex());
         _KeyringController_keyringBuilders.set(this, void 0);
         _KeyringController_encryptor.set(this, void 0);
-        _KeyringController_cacheEncryptionKey.set(this, void 0);
         _KeyringController_keyrings.set(this, void 0);
         _KeyringController_unsupportedKeyrings.set(this, void 0);
-        _KeyringController_password.set(this, void 0);
         _KeyringController_encryptionKey.set(this, void 0);
         _KeyringController_qrKeyringStateListener.set(this, void 0);
         __classPrivateFieldSet(this, _KeyringController_keyringBuilders, keyringBuilders
             ? keyringBuilders.concat(defaultKeyringBuilders)
             : defaultKeyringBuilders, "f");
+        assertIsExportableKeyEncryptor(encryptor);
         __classPrivateFieldSet(this, _KeyringController_encryptor, encryptor, "f");
         __classPrivateFieldSet(this, _KeyringController_keyrings, [], "f");
         __classPrivateFieldSet(this, _KeyringController_unsupportedKeyrings, [], "f");
-        // This option allows the controller to cache an exported key
-        // for use in decrypting and encrypting data without password
-        __classPrivateFieldSet(this, _KeyringController_cacheEncryptionKey, Boolean(options.cacheEncryptionKey), "f");
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(encryptor);
-        }
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_registerMessageHandlers).call(this);
     }
     /**
@@ -363,22 +344,19 @@ export class KeyringController extends BaseController {
     /**
      * Create a new vault and primary keyring.
      *
-     * This only works if keyrings are empty. If there is a pre-existing unlocked
-     * vault, calling this will have no effect. If there is a pre-existing locked
-     * vault, it will be replaced.
+     * This only works if keyrings are empty. If there is a pre-existing unlocked vault, calling this will have no effect.
+     * If there is a pre-existing locked vault, it will be replaced.
      *
      * @param password - Password to unlock the new vault.
-     * @param encryptionKey - Optional encryption key to encrypt the new vault. If
-     * set, envelope encryption will be used.
      * @returns Promise resolving when the operation ends successfully.
      */
-    async createNewVaultAndKeychain(password, encryptionKey) {
+    async createNewVaultAndKeychain(password) {
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             const accounts = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getAccountsFromKeyrings).call(this);
             if (!accounts.length) {
                 await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createNewVaultWithKeyring).call(this, password, {
                     type: KeyringTypes.hd,
-                }, encryptionKey);
+                });
             }
         });
     }
@@ -407,16 +385,7 @@ export class KeyringController extends BaseController {
         if (!this.state.vault) {
             throw new Error(KeyringControllerError.VaultError);
         }
-        if (this.state.encryptedEncryptionKey) {
-            // Envelope encryption mode.
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            const key = (await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.encryptedEncryptionKey));
-            const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(key);
-            await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(importedKey, this.state.vault);
-        }
-        else {
-            await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.vault);
-        }
+        await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, this.state.vault);
     }
     /**
      * Returns the status of the vault.
@@ -605,7 +574,7 @@ export class KeyringController extends BaseController {
                     try {
                         wallet = importers.fromEtherWallet(input, password);
                     }
-                    catch {
+                    catch (e) {
                         wallet = wallet || (await Wallet.fromV3(input, password, true));
                     }
                     privateKey = bytesToHex(wallet.getPrivateKey());
@@ -663,7 +632,6 @@ export class KeyringController extends BaseController {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unsubscribeFromQRKeyringsEvents).call(this);
-            __classPrivateFieldSet(this, _KeyringController_password, undefined, "f");
             __classPrivateFieldSet(this, _KeyringController_encryptionKey, undefined, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
             this.update((state) => {
@@ -845,33 +813,10 @@ export class KeyringController extends BaseController {
      * @returns Promise resolving when the operation completes.
      */
     changePassword(password) {
-        return this.changePasswordAndEncryptionKey(password);
-    }
-    /**
-     * Changes the password and encryption key used to encrypt the vault.
-     *
-     * @param password - The new password.
-     * @param encryptionKey - The new encryption key. If omitted, the encryption
-     * key will not be changed.
-     * @returns Promise resolving when the operation completes.
-     */
-    changePasswordAndEncryptionKey(password, encryptionKey) {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             assertIsValidPassword(password);
-            // Update password.
-            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-            // Update encryption key.
-            __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateCachedEncryptionKey).call(this, encryptionKey);
-            // We need to clear encryption key and salt from state
-            // to force the controller to re-encrypt the vault using
-            // the new password.
-            if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-                this.update((state) => {
-                    delete state.encryptionKey;
-                    delete state.encryptionSalt;
-                });
-            }
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
         });
     }
     /**
@@ -879,12 +824,13 @@ export class KeyringController extends BaseController {
      * using the given encryption key and salt.
      *
      * @param encryptionKey - Key to unlock the keychain.
-     * @param encryptionSalt - Salt to unlock the keychain.
      * @returns Promise resolving when the operation completes.
      */
-    async submitEncryptionKey(encryptionKey, encryptionSalt) {
+    async submitEncryptionKey(encryptionKey) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, undefined, encryptionKey, encryptionSalt);
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, {
+                exportedEncryptionKey: encryptionKey,
+            });
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -912,7 +858,7 @@ export class KeyringController extends BaseController {
      */
     async submitPassword(password) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, password);
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, { password });
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -922,6 +868,12 @@ export class KeyringController extends BaseController {
             // can attempt to upgrade the vault.
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
                 if (newMetadata || __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isNewEncryptionAvailable).call(this)) {
+                    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
+                        // If the vault is being upgraded, we want to ignore the metadata
+                        // that is already in the vault, so we can effectively
+                        // re-encrypt the vault with the new encryption config.
+                        ignoreVautKeyMetadata: true,
+                    });
                     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateVault).call(this);
                 }
             });
@@ -1175,7 +1127,7 @@ export class KeyringController extends BaseController {
         });
     }
 }
-_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_cacheEncryptionKey = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_password = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
+_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
     this.messagingSystem.registerActionHandler(`${name}:signMessage`, this.signMessage.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signEip7702Authorization`, this.signEip7702Authorization.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signPersonalMessage`, this.signPersonalMessage.bind(this));
@@ -1244,10 +1196,9 @@ async function _KeyringController_addQRKeyring() {
  * @param keyring - A object containing the params to instantiate a new keyring.
  * @param keyring.type - The keyring type.
  * @param keyring.opts - Optional parameters required to instantiate the keyring.
- * @param encryptionKey - Optional encryption key to encrypt the vault.
  * @returns A promise that resolves to the state.
  */
-async function _KeyringController_createNewVaultWithKeyring(password, keyring, encryptionKey) {
+async function _KeyringController_createNewVaultWithKeyring(password, keyring) {
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
     if (typeof password !== 'string') {
         throw new TypeError(KeyringControllerError.WrongPasswordType);
@@ -1256,18 +1207,64 @@ async function _KeyringController_createNewVaultWithKeyring(password, keyring, e
         delete state.encryptionKey;
         delete state.encryptionSalt;
     });
-    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateCachedEncryptionKey).call(this, encryptionKey);
+    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createKeyringWithFirstAccount).call(this, keyring.type, keyring.opts);
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
-}, _KeyringController_updateCachedEncryptionKey = function _KeyringController_updateCachedEncryptionKey(encryptionKey) {
-    if (!encryptionKey && this.state.encryptedEncryptionKey) {
-        __classPrivateFieldSet(this, _KeyringController_encryptionKey, this.state.encryptionKey, "f");
+}, _KeyringController_deriveEncryptionKey = 
+/**
+ * Derive the vault encryption key from the provided password, and
+ * assign it to the class variable for later use with cryptographic
+ * functions.
+ *
+ * When the controller has a vault in its state, the key is derived
+ * using the salt from the vault. If the vault is empty, a new salt
+ * is generated and used to derive the key.
+ *
+ * @param password - The password to use for decryption or derivation.
+ */
+async function _KeyringController_deriveEncryptionKey(password, options = {
+    ignoreVautKeyMetadata: false,
+}) {
+    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
+    const { vault } = this.state;
+    if (typeof password !== 'string') {
+        throw new TypeError(KeyringControllerError.WrongPasswordType);
+    }
+    let salt, keyMetadata;
+    if (vault && !options.ignoreVautKeyMetadata) {
+        const parsedVault = JSON.parse(vault);
+        salt = parsedVault.salt;
+        keyMetadata = parsedVault.keyMetadata;
     }
     else {
-        __classPrivateFieldSet(this, _KeyringController_encryptionKey, encryptionKey, "f");
+        salt = __classPrivateFieldGet(this, _KeyringController_encryptor, "f").generateSalt();
     }
+    const exportedEncryptionKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").exportKey(await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").keyFromPassword(password, salt, true, keyMetadata));
+    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
+        salt,
+        exported: exportedEncryptionKey,
+    }, "f");
+}, _KeyringController_useEncryptionKey = 
+/**
+ * Use the provided encryption key and salt to set the
+ * encryptionKey class variable. This method is used
+ * when the user provides an encryption key and salt
+ * to unlock the keychain, instead of using a password.
+ *
+ * @param encryptionKey - The encryption key to use.
+ * @param encryptionSalt - The salt to use for the encryption key.
+ */
+async function _KeyringController_useEncryptionKey(encryptionKey, encryptionSalt) {
+    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
+    if (typeof encryptionKey !== 'string' ||
+        typeof encryptionSalt !== 'string') {
+        throw new TypeError(KeyringControllerError.WrongEncryptionKeyType);
+    }
+    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
+        salt: encryptionSalt,
+        exported: encryptionKey,
+    }, "f");
 }, _KeyringController_verifySeedPhrase = 
 /**
  * Internal non-exclusive method to verify the seed phrase.
@@ -1356,7 +1353,6 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
 async function _KeyringController_getSessionState() {
     return {
         keyrings: await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this),
-        password: __classPrivateFieldGet(this, _KeyringController_password, "f"),
         encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"),
     };
 }, _KeyringController_restoreSerializedKeyrings = 
@@ -1386,63 +1382,28 @@ async function _KeyringController_restoreSerializedKeyrings(serializedKeyrings)
  * Unlock Keyrings, decrypting the vault and deserializing all
  * keyrings contained in it, using a password or an encryption key with salt.
  *
- * @param password - The keyring controller password.
- * @param encryptionKey - An exported key string to unlock keyrings with.
- * @param encryptionSalt - The salt used to encrypt the vault.
+ * @param credentials - The credentials to unlock the keyrings.
  * @returns A promise resolving to the deserialized keyrings array.
  */
-async function _KeyringController_unlockKeyrings(password, encryptionKey, encryptionSalt) {
+async function _KeyringController_unlockKeyrings(credentials) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
-        const { vault: encryptedVault, encryptedEncryptionKey } = this.state;
-        if (!encryptedVault) {
+        if (!this.state.vault) {
             throw new Error(KeyringControllerError.VaultError);
         }
-        let vault;
-        const updatedState = {};
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            if (password) {
-                if (encryptedEncryptionKey) {
-                    const key = (await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedEncryptionKey));
-                    const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(key);
-                    vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(importedKey, encryptedVault);
-                    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-                    updatedState.encryptionKey = key;
-                }
-                else {
-                    const result = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithDetail(password, encryptedVault);
-                    vault = result.vault;
-                    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
-                    updatedState.encryptionKey = result.exportedKeyString;
-                    updatedState.encryptionSalt = result.salt;
-                }
-            }
-            else {
-                const parsedEncryptedVault = JSON.parse(encryptedVault);
-                if (encryptionSalt !== parsedEncryptedVault.salt) {
-                    throw new Error(KeyringControllerError.ExpiredCredentials);
-                }
-                if (typeof encryptionKey !== 'string') {
-                    throw new TypeError(KeyringControllerError.WrongPasswordType);
-                }
-                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-                vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
-                // This call is required on the first call because encryptionKey
-                // is not yet inside the memStore
-                updatedState.encryptionKey = encryptionKey;
-                // we can safely assume that encryptionSalt is defined here
-                // because we compare it with the salt from the vault
-                // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-                updatedState.encryptionSalt = encryptionSalt;
-            }
+        const parsedEncryptedVault = JSON.parse(this.state.vault);
+        if ('password' in credentials) {
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, credentials.password);
         }
         else {
-            if (typeof password !== 'string') {
-                throw new TypeError(KeyringControllerError.WrongPasswordType);
-            }
-            vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedVault);
-            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+            const { exportedEncryptionKey } = credentials;
+            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_useEncryptionKey).call(this, exportedEncryptionKey, parsedEncryptedVault.salt);
+        }
+        const encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported;
+        if (!encryptionKey) {
+            throw new Error(KeyringControllerError.MissingCredentials);
         }
+        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+        const vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
         if (!isSerializedKeyringsArray(vault)) {
             throw new Error(KeyringControllerError.VaultDataError);
         }
@@ -1450,10 +1411,8 @@ async function _KeyringController_unlockKeyrings(password, encryptionKey, encryp
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.keyrings = updatedKeyrings;
-            if (updatedState.encryptionKey || updatedState.encryptionSalt) {
-                state.encryptionKey = updatedState.encryptionKey;
-                state.encryptionSalt = updatedState.encryptionSalt;
-            }
+            state.encryptionKey = encryptionKey;
+            state.encryptionSalt = parsedEncryptedVault.salt;
         });
         return { keyrings, newMetadata };
     });
@@ -1461,81 +1420,41 @@ async function _KeyringController_unlockKeyrings(password, encryptionKey, encryp
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
         // Ensure no duplicate accounts are persisted.
         await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertNoDuplicateAccounts).call(this);
-        const { encryptionKey, encryptionSalt, vault } = this.state;
-        // READ THIS CAREFULLY:
-        // We do check if the vault is still considered up-to-date, if not, we would not re-use the
-        // cached key and we will re-generate a new one (based on the password).
-        //
-        // This helps doing seamless updates of the vault. Useful in case we change some cryptographic
-        // parameters to the KDF.
-        const useCachedKey = encryptionKey && vault && __classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated?.(vault);
-        if (!__classPrivateFieldGet(this, _KeyringController_password, "f") && !encryptionKey) {
+        if (!__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
             throw new Error(KeyringControllerError.MissingCredentials);
         }
         const serializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
         if (!serializedKeyrings.some((keyring) => keyring.type === KeyringTypes.hd)) {
             throw new Error(KeyringControllerError.NoHdKeyring);
         }
-        const updatedState = {};
-        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
-            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
-            if (useCachedKey) {
-                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-                const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
-                vaultJSON.salt = encryptionSalt;
-                updatedState.vault = JSON.stringify(vaultJSON);
-            }
-            else if (__classPrivateFieldGet(this, _KeyringController_password, "f")) {
-                if (__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
-                    // Update cached key.
-                    updatedState.encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f");
-                    // Encrypt key and update encrypted key.
-                    const encryptedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
-                    updatedState.encryptedEncryptionKey = encryptedKey;
-                    // Encrypt and update vault.
-                    const importedKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
-                    const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(importedKey, serializedKeyrings);
-                    updatedState.vault = JSON.stringify(vaultJSON);
-                }
-                else {
-                    const { vault: newVault, exportedKeyString } = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithDetail(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
-                    updatedState.vault = newVault;
-                    updatedState.encryptionKey = exportedKeyString;
-                }
-            }
-        }
-        else {
-            assertIsValidPassword(__classPrivateFieldGet(this, _KeyringController_password, "f"));
-            updatedState.vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
-        }
-        if (__classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isEnvelopeEncryptionEnabled).call(this)) {
-            assertIsCacheEncryptionKeyTrue(__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f"));
-        }
-        if (!updatedState.vault) {
-            throw new Error(KeyringControllerError.MissingVaultData);
+        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported);
+        const encryptedVault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
+        if (__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt) {
+            // We need to include the salt used to derive
+            // the encryption key, to be able to derive it
+            // from password again.
+            encryptedVault.salt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt;
         }
+        const updatedState = {
+            vault: JSON.stringify(encryptedVault),
+            encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported,
+            encryptionSalt: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt,
+        };
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.vault = updatedState.vault;
             state.keyrings = updatedKeyrings;
-            if (updatedState.encryptionKey) {
-                state.encryptionKey = updatedState.encryptionKey;
-                state.encryptionSalt = JSON.parse(updatedState.vault).salt;
-            }
-            if (updatedState.encryptedEncryptionKey) {
-                state.encryptedEncryptionKey = updatedState.encryptedEncryptionKey;
-            }
+            state.encryptionKey = updatedState.encryptionKey;
+            state.encryptionSalt = updatedState.encryptionSalt;
         });
         return true;
     });
 }, _KeyringController_isNewEncryptionAvailable = function _KeyringController_isNewEncryptionAvailable() {
     const { vault } = this.state;
-    if (!vault || !__classPrivateFieldGet(this, _KeyringController_password, "f") || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
+    if (!vault || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
         return false;
     }
     return !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated(vault);
-}, _KeyringController_isEnvelopeEncryptionEnabled = function _KeyringController_isEnvelopeEncryptionEnabled() {
-    return this.state.encryptedEncryptionKey || __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f");
 }, _KeyringController_getAccountsFromKeyrings = 
 /**
  * Retrieves all the accounts from keyrings instances
@@ -1620,8 +1539,7 @@ async function _KeyringController_createKeyring(type, data) {
     if (keyring.init) {
         await keyring.init();
     }
-    if (type === KeyringTypes.hd &&
-        (!isObject(data) || !data.mnemonic)) {
+    if (type === KeyringTypes.hd && (!isObject(data) || !data.mnemonic)) {
         if (!keyring.generateRandomMnemonic) {
             throw new Error(KeyringControllerError.UnsupportedGenerateRandomMnemonic);
         }
@@ -1743,16 +1661,11 @@ async function _KeyringController_assertNoDuplicateAccounts(additionalKeyrings =
     }
 }, _KeyringController_persistOrRollback = 
 /**
- * Execute the given function after acquiring the controller lock and save the
- * vault to state after it (only if needed), or rollback to their previous
- * state in case of error.
- *
- * ATTENTION: The callback must **not** alter `controller.state`. Any state
- * change performed by the callback will not be rolled back on error.
+ * Execute the given function after acquiring the controller lock
+ * and save the vault to state after it (only if needed), or rollback to their
+ * previous state in case of error.
  *
- * @param callback - The function to execute. This callback must **not** alter
- * `controller.state`. Any state change performed by the callback will not be
- * rolled back on error.
+ * @param callback - The function to execute.
  * @returns The result of the function.
  */
 async function _KeyringController_persistOrRollback(callback) {
@@ -1777,13 +1690,16 @@ async function _KeyringController_persistOrRollback(callback) {
 async function _KeyringController_withRollback(callback) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async ({ releaseLock }) => {
         const currentSerializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
-        const currentPassword = __classPrivateFieldGet(this, _KeyringController_password, "f");
+        const currentEncryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported;
+        const currentEncryptionSalt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.salt;
         try {
             return await callback({ releaseLock });
         }
         catch (e) {
-            // Keyrings and password are restored to their previous state
-            __classPrivateFieldSet(this, _KeyringController_password, currentPassword, "f");
+            // Keyrings and encryption credentials are restored to their previous state
+            if (currentEncryptionKey && currentEncryptionSalt) {
+                __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_useEncryptionKey).call(this, currentEncryptionKey, currentEncryptionSalt);
+            }
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_restoreSerializedKeyrings).call(this, currentSerializedKeyrings);
             throw e;
         }