npm - @metamask-previews/keyring-controller - Versions diffs - 22.1.0-preview-7b919d75 → 22.1.0-preview-982a3250 - Mend

@metamask-previews/keyring-controller 22.1.0-preview-7b919d75 → 22.1.0-preview-982a3250

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +0 -13
package/dist/KeyringController.cjs +117 -105
package/dist/KeyringController.cjs.map +1 -1
package/dist/KeyringController.d.cts +10 -24
package/dist/KeyringController.d.cts.map +1 -1
package/dist/KeyringController.d.mts +10 -24
package/dist/KeyringController.d.mts.map +1 -1
package/dist/KeyringController.mjs +118 -106
package/dist/KeyringController.mjs.map +1 -1
package/dist/constants.cjs +0 -1
package/dist/constants.cjs.map +1 -1
package/dist/constants.d.cts +0 -1
package/dist/constants.d.cts.map +1 -1
package/dist/constants.d.mts +0 -1
package/dist/constants.d.mts.map +1 -1
package/dist/constants.mjs +0 -1
package/dist/constants.mjs.map +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -7,25 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-### Added
-- Added optional `SupportedKeyDerivationOptions` type parameter to the `ExportableKeyEncryptor` type ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - This type parameter allows specifying the key derivation options supported by the injected encryptor.
 ### Changed
-- **BREAKING:** The `KeyringController` constructor now requires an encryptor supporting the `keyFromPassword`, `exportKey` and `generateSalt` methods ([#5963](https://github.com/MetaMask/core/pull/5963))
 - Bump `@metamask/keyring-api` from `^18.0.0` to `^19.0.0` ([#6146](https://github.com/MetaMask/core/pull/6146))
 - Bump `@metamask/keyring-internal-api` from `^6.2.0` to `^7.0.0` ([#6146](https://github.com/MetaMask/core/pull/6146))
 - Bump `@metamask/utils` from `^11.2.0` to `^11.4.2` ([#6054](https://github.com/MetaMask/core/pull/6054))
-### Removed
-- **BREAKING:** The `cacheEncryptionKey` parameter has been removed from the `KeyringController` constructor options ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - This parameter was previously used to enable encryption key in-memory caching, but it is no longer needed as the controller now always uses the latest encryption key.
-- **BREAKING:** The `submitEncryptionKey` method does not accept an `encryptionSalt` argument anymore ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - The encryption salt is now always taken from the vault.
 ## [22.1.0]
 ### Added

package/dist/KeyringController.cjs CHANGED Viewed

@@ -36,7 +36,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
-var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_encryptionKey, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_deriveEncryptionKey, _KeyringController_useEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
+var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_cacheEncryptionKey, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_password, _KeyringController_qrKeyringStateListener, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_addQRKeyring, _KeyringController_subscribeToQRKeyringEvents, _KeyringController_unsubscribeFromQRKeyringsEvents, _KeyringController_createNewVaultWithKeyring, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.KeyringController = exports.getDefaultKeyringState = exports.keyringBuilderFactory = exports.SignTypedDataVersion = exports.AccountImportStrategy = exports.isCustodyKeyring = exports.KeyringTypes = void 0;
 const util_1 = require("@ethereumjs/util");
@@ -255,6 +255,7 @@ class KeyringController extends base_controller_1.BaseController {
      * @param options - Initial options used to configure this controller
      * @param options.encryptor - An optional object for defining encryption schemes.
      * @param options.keyringBuilders - Set a new name for account.
+     * @param options.cacheEncryptionKey - Whether to cache or not encryption key.
      * @param options.messenger - A restricted messenger.
      * @param options.state - Initial state to set on this controller.
      */
@@ -280,17 +281,23 @@ class KeyringController extends base_controller_1.BaseController {
         _KeyringController_vaultOperationMutex.set(this, new async_mutex_1.Mutex());
         _KeyringController_keyringBuilders.set(this, void 0);
         _KeyringController_encryptor.set(this, void 0);
+        _KeyringController_cacheEncryptionKey.set(this, void 0);
         _KeyringController_keyrings.set(this, void 0);
         _KeyringController_unsupportedKeyrings.set(this, void 0);
-        _KeyringController_encryptionKey.set(this, void 0);
+        _KeyringController_password.set(this, void 0);
         _KeyringController_qrKeyringStateListener.set(this, void 0);
         __classPrivateFieldSet(this, _KeyringController_keyringBuilders, keyringBuilders
             ? keyringBuilders.concat(defaultKeyringBuilders)
             : defaultKeyringBuilders, "f");
-        assertIsExportableKeyEncryptor(encryptor);
         __classPrivateFieldSet(this, _KeyringController_encryptor, encryptor, "f");
         __classPrivateFieldSet(this, _KeyringController_keyrings, [], "f");
         __classPrivateFieldSet(this, _KeyringController_unsupportedKeyrings, [], "f");
+        // This option allows the controller to cache an exported key
+        // for use in decrypting and encrypting data without password
+        __classPrivateFieldSet(this, _KeyringController_cacheEncryptionKey, Boolean(options.cacheEncryptionKey), "f");
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(encryptor);
+        }
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_registerMessageHandlers).call(this);
     }
     /**
@@ -665,7 +672,7 @@ class KeyringController extends base_controller_1.BaseController {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unsubscribeFromQRKeyringsEvents).call(this);
-            __classPrivateFieldSet(this, _KeyringController_encryptionKey, undefined, "f");
+            __classPrivateFieldSet(this, _KeyringController_password, undefined, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
             this.update((state) => {
                 state.isUnlocked = false;
@@ -847,9 +854,22 @@ class KeyringController extends base_controller_1.BaseController {
      */
     changePassword(password) {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
+        // If the password is the same, do nothing.
+        if (__classPrivateFieldGet(this, _KeyringController_password, "f") === password) {
+            return Promise.resolve();
+        }
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             assertIsValidPassword(password);
-            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
+            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+            // We need to clear encryption key and salt from state
+            // to force the controller to re-encrypt the vault using
+            // the new password.
+            if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+                this.update((state) => {
+                    delete state.encryptionKey;
+                    delete state.encryptionSalt;
+                });
+            }
         });
     }
     /**
@@ -863,10 +883,7 @@ class KeyringController extends base_controller_1.BaseController {
      */
     async submitEncryptionKey(encryptionKey, encryptionSalt) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, {
-                exportedEncryptionKey: encryptionKey,
-                encryptionKeySalt: encryptionSalt,
-            });
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, undefined, encryptionKey, encryptionSalt);
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -893,8 +910,9 @@ class KeyringController extends base_controller_1.BaseController {
     async exportEncryptionKey() {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async () => {
-            assertIsEncryptionKeySet(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported);
-            return __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported;
+            const { encryptionKey } = this.state;
+            assertIsEncryptionKeySet(encryptionKey);
+            return encryptionKey;
         });
     }
     /**
@@ -906,7 +924,7 @@ class KeyringController extends base_controller_1.BaseController {
      */
     async submitPassword(password) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, { password });
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, password);
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -916,12 +934,6 @@ class KeyringController extends base_controller_1.BaseController {
             // can attempt to upgrade the vault.
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
                 if (newMetadata || __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isNewEncryptionAvailable).call(this)) {
-                    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
-                        // If the vault is being upgraded, we want to ignore the metadata
-                        // that is already in the vault, so we can effectively
-                        // re-encrypt the vault with the new encryption config.
-                        useVaultKeyMetadata: false,
-                    });
                     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateVault).call(this);
                 }
             });
@@ -1176,7 +1188,7 @@ class KeyringController extends base_controller_1.BaseController {
     }
 }
 exports.KeyringController = KeyringController;
-_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
+_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_cacheEncryptionKey = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_password = new WeakMap(), _KeyringController_qrKeyringStateListener = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
     this.messagingSystem.registerActionHandler(`${name}:signMessage`, this.signMessage.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signEip7702Authorization`, this.signEip7702Authorization.bind(this));
     this.messagingSystem.registerActionHandler(`${name}:signPersonalMessage`, this.signPersonalMessage.bind(this));
@@ -1256,60 +1268,10 @@ async function _KeyringController_createNewVaultWithKeyring(password, keyring) {
         delete state.encryptionKey;
         delete state.encryptionSalt;
     });
-    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password);
+    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createKeyringWithFirstAccount).call(this, keyring.type, keyring.opts);
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
-}, _KeyringController_deriveEncryptionKey =
-/**
- * Derive the vault encryption key from the provided password, and
- * assign it to the instance variable for later use with cryptographic
- * functions.
- *
- * When the controller has a vault in its state, the key is derived
- * using the salt from the vault. If the vault is empty, a new salt
- * is generated and used to derive the key.
- *
- * @param password - The password to use for decryption or derivation.
- * @param options - Options for the key derivation.
- * @param options.useVaultKeyMetadata - Whether to use the vault key metadata
- */
-async function _KeyringController_deriveEncryptionKey(password, options = {
-    useVaultKeyMetadata: true,
-}) {
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
-    const { vault } = this.state;
-    if (typeof password !== 'string') {
-        throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
-    }
-    let salt, keyMetadata;
-    if (vault && options.useVaultKeyMetadata) {
-        const parsedVault = JSON.parse(vault);
-        salt = parsedVault.salt;
-        keyMetadata = parsedVault.keyMetadata;
-    }
-    else {
-        salt = __classPrivateFieldGet(this, _KeyringController_encryptor, "f").generateSalt();
-    }
-    const exportedEncryptionKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").exportKey(await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").keyFromPassword(password, salt, true, keyMetadata));
-    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
-        salt,
-        exported: exportedEncryptionKey,
-    }, "f");
-}, _KeyringController_useEncryptionKey = function _KeyringController_useEncryptionKey(encryptionKey, encryptionSalt) {
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
-    if (typeof encryptionKey !== 'string' ||
-        typeof encryptionSalt !== 'string') {
-        throw new TypeError(constants_1.KeyringControllerError.WrongEncryptionKeyType);
-    }
-    const { vault } = this.state;
-    if (vault && JSON.parse(vault).salt !== encryptionSalt) {
-        throw new Error(constants_1.KeyringControllerError.ExpiredCredentials);
-    }
-    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
-        salt: encryptionSalt,
-        exported: encryptionKey,
-    }, "f");
 }, _KeyringController_verifySeedPhrase =
 /**
  * Internal non-exclusive method to verify the seed phrase.
@@ -1390,7 +1352,7 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
     return serializedKeyrings;
 }, _KeyringController_getSessionState =
 /**
- * Get a snapshot of session data held by instance variables.
+ * Get a snapshot of session data held by class variables.
  *
  * @returns An object with serialized keyrings, keyrings metadata,
  * and the user password.
@@ -1398,7 +1360,7 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
 async function _KeyringController_getSessionState() {
     return {
         keyrings: await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this),
-        encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"),
+        password: __classPrivateFieldGet(this, _KeyringController_password, "f"),
     };
 }, _KeyringController_restoreSerializedKeyrings =
 /**
@@ -1427,27 +1389,54 @@ async function _KeyringController_restoreSerializedKeyrings(serializedKeyrings)
  * Unlock Keyrings, decrypting the vault and deserializing all
  * keyrings contained in it, using a password or an encryption key with salt.
  *
- * @param credentials - The credentials to unlock the keyrings.
+ * @param password - The keyring controller password.
+ * @param encryptionKey - An exported key string to unlock keyrings with.
+ * @param encryptionSalt - The salt used to encrypt the vault.
  * @returns A promise resolving to the deserialized keyrings array.
  */
-async function _KeyringController_unlockKeyrings(credentials) {
+async function _KeyringController_unlockKeyrings(password, encryptionKey, encryptionSalt) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
-        if (!this.state.vault) {
+        const encryptedVault = this.state.vault;
+        if (!encryptedVault) {
             throw new Error(constants_1.KeyringControllerError.VaultError);
         }
-        const parsedEncryptedVault = JSON.parse(this.state.vault);
-        if ('password' in credentials) {
-            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, credentials.password);
+        let vault;
+        const updatedState = {};
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
+            if (password) {
+                const result = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithDetail(password, encryptedVault);
+                vault = result.vault;
+                __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+                updatedState.encryptionKey = result.exportedKeyString;
+                updatedState.encryptionSalt = result.salt;
+            }
+            else {
+                const parsedEncryptedVault = JSON.parse(encryptedVault);
+                if (encryptionSalt && encryptionSalt !== parsedEncryptedVault.salt) {
+                    throw new Error(constants_1.KeyringControllerError.ExpiredCredentials);
+                }
+                else {
+                    encryptionSalt = parsedEncryptedVault.salt;
+                }
+                if (typeof encryptionKey !== 'string') {
+                    throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
+                }
+                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+                vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
+                // This call is required on the first call because encryptionKey
+                // is not yet inside the memStore
+                updatedState.encryptionKey = encryptionKey;
+                updatedState.encryptionSalt = encryptionSalt;
+            }
         }
         else {
-            __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_useEncryptionKey).call(this, credentials.exportedEncryptionKey, credentials.encryptionKeySalt || parsedEncryptedVault.salt);
-        }
-        const encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.exported;
-        if (!encryptionKey) {
-            throw new Error(constants_1.KeyringControllerError.MissingCredentials);
+            if (typeof password !== 'string') {
+                throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
+            }
+            vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedVault);
+            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
         }
-        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-        const vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
         if (!isSerializedKeyringsArray(vault)) {
             throw new Error(constants_1.KeyringControllerError.VaultDataError);
         }
@@ -1455,8 +1444,10 @@ async function _KeyringController_unlockKeyrings(credentials) {
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.keyrings = updatedKeyrings;
-            state.encryptionKey = encryptionKey;
-            state.encryptionSalt = parsedEncryptedVault.salt;
+            if (updatedState.encryptionKey || updatedState.encryptionSalt) {
+                state.encryptionKey = updatedState.encryptionKey;
+                state.encryptionSalt = updatedState.encryptionSalt;
+            }
         });
         return { keyrings, newMetadata };
     });
@@ -1464,36 +1455,57 @@ async function _KeyringController_unlockKeyrings(credentials) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
         // Ensure no duplicate accounts are persisted.
         await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertNoDuplicateAccounts).call(this);
-        if (!__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
+        const { encryptionKey, encryptionSalt, vault } = this.state;
+        // READ THIS CAREFULLY:
+        // We do check if the vault is still considered up-to-date, if not, we would not re-use the
+        // cached key and we will re-generate a new one (based on the password).
+        //
+        // This helps doing seamless updates of the vault. Useful in case we change some cryptographic
+        // parameters to the KDF.
+        const useCachedKey = encryptionKey && vault && __classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated?.(vault);
+        if (!__classPrivateFieldGet(this, _KeyringController_password, "f") && !encryptionKey) {
             throw new Error(constants_1.KeyringControllerError.MissingCredentials);
         }
         const serializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
         if (!serializedKeyrings.some((keyring) => keyring.type === KeyringTypes.hd)) {
             throw new Error(constants_1.KeyringControllerError.NoHdKeyring);
         }
-        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported);
-        const encryptedVault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
-        // We need to include the salt used to derive
-        // the encryption key, to be able to derive it
-        // from password again.
-        encryptedVault.salt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt;
-        const updatedState = {
-            vault: JSON.stringify(encryptedVault),
-            encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").exported,
-            encryptionSalt: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt,
-        };
+        const updatedState = {};
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
+            if (useCachedKey) {
+                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+                const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
+                vaultJSON.salt = encryptionSalt;
+                updatedState.vault = JSON.stringify(vaultJSON);
+            }
+            else if (__classPrivateFieldGet(this, _KeyringController_password, "f")) {
+                const { vault: newVault, exportedKeyString } = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithDetail(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
+                updatedState.vault = newVault;
+                updatedState.encryptionKey = exportedKeyString;
+            }
+        }
+        else {
+            assertIsValidPassword(__classPrivateFieldGet(this, _KeyringController_password, "f"));
+            updatedState.vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
+        }
+        if (!updatedState.vault) {
+            throw new Error(constants_1.KeyringControllerError.MissingVaultData);
+        }
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.vault = updatedState.vault;
             state.keyrings = updatedKeyrings;
-            state.encryptionKey = updatedState.encryptionKey;
-            state.encryptionSalt = updatedState.encryptionSalt;
+            if (updatedState.encryptionKey) {
+                state.encryptionKey = updatedState.encryptionKey;
+                state.encryptionSalt = JSON.parse(updatedState.vault).salt;
+            }
         });
         return true;
     });
 }, _KeyringController_isNewEncryptionAvailable = function _KeyringController_isNewEncryptionAvailable() {
     const { vault } = this.state;
-    if (!vault || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
+    if (!vault || !__classPrivateFieldGet(this, _KeyringController_password, "f") || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
         return false;
     }
     return !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated(vault);
@@ -1732,13 +1744,13 @@ async function _KeyringController_persistOrRollback(callback) {
 async function _KeyringController_withRollback(callback) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async ({ releaseLock }) => {
         const currentSerializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
-        const currentEncryptionKey = (0, lodash_1.cloneDeep)(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
+        const currentPassword = __classPrivateFieldGet(this, _KeyringController_password, "f");
         try {
             return await callback({ releaseLock });
         }
         catch (e) {
-            // Keyrings and encryption credentials are restored to their previous state
-            __classPrivateFieldSet(this, _KeyringController_encryptionKey, currentEncryptionKey, "f");
+            // Keyrings and password are restored to their previous state
+            __classPrivateFieldSet(this, _KeyringController_password, currentPassword, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_restoreSerializedKeyrings).call(this, currentSerializedKeyrings);
             throw e;
         }