@metamask-previews/keyring-controller 24.0.0-preview-70abd50a → 24.0.0-preview-1f85e85a

package/CHANGELOG.md

@@ -7,26 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Added
-
-- Added optional `EncryptionKey`, `SupportedKeyDerivationOptions` and `EncryptionResult` type parameters to the `KeyringController`, `ExportableKeyEncryptor` and `KeyringControllerOptions` types ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - This type parameter allows specifying the encryption key, key derivation options and encryption result types supported by the injected encryptor, defaulting to `@metamask/browser-passworder` types.
-
-### Changed
-
-- **BREAKING:** The `KeyringController` constructor options now require an encryptor ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - The `encryptor` constructor option was previously optional and defaulted to an instance of `@metamask/browser-passworder`.
-- **BREAKING:** The `GenericEncryptor` and `ExportableKeyEncryptor` types have been merged into a single `Encryptor` type ([#5963](https://github.com/MetaMask/core/pull/5963))
-
-### Removed
-
-- **BREAKING:** The `cacheEncryptionKey` parameter has been removed from the `KeyringController` constructor options ([#5963](https://github.com/MetaMask/core/pull/5963))
-  - This parameter was previously used to enable encryption key in-memory caching, but it is no longer needed as the controller now always uses the latest encryption key.
-
-### Fixed
-
-- Fixed incorrect type for `decryptWithKey` method of `ExportableKeyEncryptor` ([#5963](https://github.com/MetaMask/core/pull/5963))
-
 ## [24.0.0]
 
 ### Changed

package/dist/KeyringController.cjs

@@ -36,11 +36,12 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
-var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_encryptionKey, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_createNewVaultWithKeyring, _KeyringController_deriveEncryptionKey, _KeyringController_setEncryptionKey, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
+var _KeyringController_instances, _KeyringController_controllerOperationMutex, _KeyringController_vaultOperationMutex, _KeyringController_keyringBuilders, _KeyringController_encryptor, _KeyringController_cacheEncryptionKey, _KeyringController_keyrings, _KeyringController_unsupportedKeyrings, _KeyringController_password, _KeyringController_registerMessageHandlers, _KeyringController_getKeyringById, _KeyringController_getKeyringByIdOrDefault, _KeyringController_getKeyringMetadata, _KeyringController_getKeyringBuilderForType, _KeyringController_createNewVaultWithKeyring, _KeyringController_verifySeedPhrase, _KeyringController_getUpdatedKeyrings, _KeyringController_getSerializedKeyrings, _KeyringController_getSessionState, _KeyringController_restoreSerializedKeyrings, _KeyringController_unlockKeyrings, _KeyringController_updateVault, _KeyringController_isNewEncryptionAvailable, _KeyringController_getAccountsFromKeyrings, _KeyringController_createKeyringWithFirstAccount, _KeyringController_newKeyring, _KeyringController_createKeyring, _KeyringController_clearKeyrings, _KeyringController_restoreKeyring, _KeyringController_destroyKeyring, _KeyringController_removeEmptyKeyrings, _KeyringController_assertNoDuplicateAccounts, _KeyringController_setUnlocked, _KeyringController_assertIsUnlocked, _KeyringController_persistOrRollback, _KeyringController_withRollback, _KeyringController_assertControllerMutexIsLocked, _KeyringController_withControllerLock, _KeyringController_withVaultLock;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.KeyringController = exports.getDefaultKeyringState = exports.keyringBuilderFactory = exports.SignTypedDataVersion = exports.AccountImportStrategy = exports.isCustodyKeyring = exports.KeyringTypes = void 0;
 const util_1 = require("@ethereumjs/util");
 const base_controller_1 = require("@metamask/base-controller");
+const encryptorUtils = __importStar(require("@metamask/browser-passworder"));
 const eth_hd_keyring_1 = require("@metamask/eth-hd-keyring");
 const eth_sig_util_1 = require("@metamask/eth-sig-util");
 const eth_simple_keyring_1 = __importDefault(require("@metamask/eth-simple-keyring"));
@@ -135,6 +136,23 @@ function assertHasUint8ArrayMnemonic(keyring) {
         throw new Error("Can't get mnemonic bytes from keyring");
     }
 }
+/**
+ * Assert that the provided encryptor supports
+ * encryption and encryption key export.
+ *
+ * @param encryptor - The encryptor to check.
+ * @throws If the encryptor does not support key encryption.
+ */
+function assertIsExportableKeyEncryptor(encryptor) {
+    if (!('importKey' in encryptor &&
+        typeof encryptor.importKey === 'function' &&
+        'decryptWithKey' in encryptor &&
+        typeof encryptor.decryptWithKey === 'function' &&
+        'encryptWithKey' in encryptor &&
+        typeof encryptor.encryptWithKey === 'function')) {
+        throw new Error(constants_1.KeyringControllerError.UnsupportedEncryptionKeyExport);
+    }
+}
 /**
  * Assert that the provided password is a valid non-empty string.
  *
@@ -236,11 +254,12 @@ class KeyringController extends base_controller_1.BaseController {
      * @param options - Initial options used to configure this controller
      * @param options.encryptor - An optional object for defining encryption schemes.
      * @param options.keyringBuilders - Set a new name for account.
+     * @param options.cacheEncryptionKey - Whether to cache or not encryption key.
      * @param options.messenger - A restricted messenger.
      * @param options.state - Initial state to set on this controller.
      */
     constructor(options) {
-        const { encryptor, keyringBuilders, messenger, state } = options;
+        const { encryptor = encryptorUtils, keyringBuilders, messenger, state, } = options;
         super({
             name,
             metadata: {
@@ -286,15 +305,22 @@ class KeyringController extends base_controller_1.BaseController {
         _KeyringController_vaultOperationMutex.set(this, new async_mutex_1.Mutex());
         _KeyringController_keyringBuilders.set(this, void 0);
         _KeyringController_encryptor.set(this, void 0);
+        _KeyringController_cacheEncryptionKey.set(this, void 0);
         _KeyringController_keyrings.set(this, void 0);
         _KeyringController_unsupportedKeyrings.set(this, void 0);
-        _KeyringController_encryptionKey.set(this, void 0);
+        _KeyringController_password.set(this, void 0);
         __classPrivateFieldSet(this, _KeyringController_keyringBuilders, keyringBuilders
             ? keyringBuilders.concat(defaultKeyringBuilders)
             : defaultKeyringBuilders, "f");
         __classPrivateFieldSet(this, _KeyringController_encryptor, encryptor, "f");
         __classPrivateFieldSet(this, _KeyringController_keyrings, [], "f");
         __classPrivateFieldSet(this, _KeyringController_unsupportedKeyrings, [], "f");
+        // This option allows the controller to cache an exported key
+        // for use in decrypting and encrypting data without password
+        __classPrivateFieldSet(this, _KeyringController_cacheEncryptionKey, Boolean(options.cacheEncryptionKey), "f");
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(encryptor);
+        }
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_registerMessageHandlers).call(this);
     }
     /**
@@ -665,7 +691,7 @@ class KeyringController extends base_controller_1.BaseController {
     async setLocked() {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            __classPrivateFieldSet(this, _KeyringController_encryptionKey, undefined, "f");
+            __classPrivateFieldSet(this, _KeyringController_password, undefined, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
             this.update((state) => {
                 state.isUnlocked = false;
@@ -847,11 +873,22 @@ class KeyringController extends base_controller_1.BaseController {
      */
     changePassword(password) {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
+        // If the password is the same, do nothing.
+        if (__classPrivateFieldGet(this, _KeyringController_password, "f") === password) {
+            return Promise.resolve();
+        }
         return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_persistOrRollback).call(this, async () => {
             assertIsValidPassword(password);
-            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
-                ignoreExistingVault: true,
-            });
+            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+            // We need to clear encryption key and salt from state
+            // to force the controller to re-encrypt the vault using
+            // the new password.
+            if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+                this.update((state) => {
+                    delete state.encryptionKey;
+                    delete state.encryptionSalt;
+                });
+            }
         });
     }
     /**
@@ -860,15 +897,12 @@ class KeyringController extends base_controller_1.BaseController {
      * consistency with the vault salt.
      *
      * @param encryptionKey - Key to unlock the keychain.
-     * @param keyDerivationSalt - Optional salt to unlock the keychain.
+     * @param encryptionSalt - Optional salt to unlock the keychain.
      * @returns Promise resolving when the operation completes.
      */
-    async submitEncryptionKey(encryptionKey, keyDerivationSalt) {
+    async submitEncryptionKey(encryptionKey, encryptionSalt) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, {
-                encryptionKey,
-                keyDerivationSalt,
-            });
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, undefined, encryptionKey, encryptionSalt);
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -895,8 +929,9 @@ class KeyringController extends base_controller_1.BaseController {
     async exportEncryptionKey() {
         __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertIsUnlocked).call(this);
         return await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async () => {
-            assertIsEncryptionKeySet(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.serialized);
-            return __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").serialized;
+            const { encryptionKey } = this.state;
+            assertIsEncryptionKeySet(encryptionKey);
+            return encryptionKey;
         });
     }
     /**
@@ -908,7 +943,7 @@ class KeyringController extends base_controller_1.BaseController {
      */
     async submitPassword(password) {
         const { newMetadata } = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
-            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, { password });
+            const result = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_unlockKeyrings).call(this, password);
             __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
             return result;
         });
@@ -918,12 +953,6 @@ class KeyringController extends base_controller_1.BaseController {
             // can attempt to upgrade the vault.
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withRollback).call(this, async () => {
                 if (newMetadata || __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_isNewEncryptionAvailable).call(this)) {
-                    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
-                        // If the vault is being upgraded, we want to ignore the metadata
-                        // that is already in the vault, so we can effectively
-                        // re-encrypt the vault with the new encryption config.
-                        ignoreExistingVault: true,
-                    });
                     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_updateVault).call(this);
                 }
             });
@@ -986,7 +1015,7 @@ class KeyringController extends base_controller_1.BaseController {
     }
 }
 exports.KeyringController = KeyringController;
-_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_encryptionKey = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
+_KeyringController_controllerOperationMutex = new WeakMap(), _KeyringController_vaultOperationMutex = new WeakMap(), _KeyringController_keyringBuilders = new WeakMap(), _KeyringController_encryptor = new WeakMap(), _KeyringController_cacheEncryptionKey = new WeakMap(), _KeyringController_keyrings = new WeakMap(), _KeyringController_unsupportedKeyrings = new WeakMap(), _KeyringController_password = new WeakMap(), _KeyringController_instances = new WeakSet(), _KeyringController_registerMessageHandlers = function _KeyringController_registerMessageHandlers() {
     this.messenger.registerActionHandler(`${name}:signMessage`, this.signMessage.bind(this));
     this.messenger.registerActionHandler(`${name}:signEip7702Authorization`, this.signEip7702Authorization.bind(this));
     this.messenger.registerActionHandler(`${name}:signPersonalMessage`, this.signPersonalMessage.bind(this));
@@ -1045,70 +1074,10 @@ async function _KeyringController_createNewVaultWithKeyring(password, keyring) {
         delete state.encryptionKey;
         delete state.encryptionSalt;
     });
-    await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, password, {
-        ignoreExistingVault: true,
-    });
+    __classPrivateFieldSet(this, _KeyringController_password, password, "f");
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_clearKeyrings).call(this);
     await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_createKeyringWithFirstAccount).call(this, keyring.type, keyring.opts);
     __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setUnlocked).call(this);
-}, _KeyringController_deriveEncryptionKey = 
-/**
- * Derive the vault encryption key from the provided password, and
- * assign it to the instance variable for later use with cryptographic
- * functions.
- *
- * When the controller has a vault in its state, the key is derived
- * using the salt from the vault. If the vault is empty, a new salt
- * is generated and used to derive the key.
- *
- * If `options.ignoreExistingVault` is set to `false`, the existing
- * vault is completely ignored: the new key won't be able to decrypt
- * the existing vault, and should be used to re-encrypt it.
- *
- * @param password - The password to use for decryption or derivation.
- * @param options - Options for the key derivation.
- * @param options.ignoreExistingVault - Whether to use the existing vault salt and key metadata
- */
-async function _KeyringController_deriveEncryptionKey(password, options = {
-    ignoreExistingVault: false,
-}) {
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
-    const { vault } = this.state;
-    if (typeof password !== 'string') {
-        throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
-    }
-    let serializedEncryptionKey, salt;
-    if (vault && !options.ignoreExistingVault) {
-        // The `decryptWithDetail` method is being used here instead of
-        // `keyFromPassword` + `exportKey` to let the encryptor handle
-        // any legacy encryption formats and metadata that might be
-        // present (or absent) in the vault.
-        const { exportedKeyString, salt: existingSalt } = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithDetail(password, vault);
-        serializedEncryptionKey = exportedKeyString;
-        salt = existingSalt;
-    }
-    else {
-        salt = __classPrivateFieldGet(this, _KeyringController_encryptor, "f").generateSalt();
-        serializedEncryptionKey = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").exportKey(await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").keyFromPassword(password, salt, true));
-    }
-    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
-        salt,
-        serialized: serializedEncryptionKey,
-    }, "f");
-}, _KeyringController_setEncryptionKey = function _KeyringController_setEncryptionKey(encryptionKey, keyDerivationSalt) {
-    __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertControllerMutexIsLocked).call(this);
-    if (typeof encryptionKey !== 'string' ||
-        typeof keyDerivationSalt !== 'string') {
-        throw new TypeError(constants_1.KeyringControllerError.WrongEncryptionKeyType);
-    }
-    const { vault } = this.state;
-    if (vault && JSON.parse(vault).salt !== keyDerivationSalt) {
-        throw new Error(constants_1.KeyringControllerError.ExpiredCredentials);
-    }
-    __classPrivateFieldSet(this, _KeyringController_encryptionKey, {
-        salt: keyDerivationSalt,
-        serialized: encryptionKey,
-    }, "f");
 }, _KeyringController_verifySeedPhrase = 
 /**
  * Internal non-exclusive method to verify the seed phrase.
@@ -1189,7 +1158,7 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
     return serializedKeyrings;
 }, _KeyringController_getSessionState = 
 /**
- * Get a snapshot of session data held by instance variables.
+ * Get a snapshot of session data held by class variables.
  *
  * @returns An object with serialized keyrings, keyrings metadata,
  * and the user password.
@@ -1197,7 +1166,7 @@ async function _KeyringController_getSerializedKeyrings({ includeUnsupported } =
 async function _KeyringController_getSessionState() {
     return {
         keyrings: await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this),
-        encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"),
+        password: __classPrivateFieldGet(this, _KeyringController_password, "f"),
     };
 }, _KeyringController_restoreSerializedKeyrings = 
 /**
@@ -1226,27 +1195,54 @@ async function _KeyringController_restoreSerializedKeyrings(serializedKeyrings)
  * Unlock Keyrings, decrypting the vault and deserializing all
  * keyrings contained in it, using a password or an encryption key with salt.
  *
- * @param credentials - The credentials to unlock the keyrings.
+ * @param password - The keyring controller password.
+ * @param encryptionKey - An exported key string to unlock keyrings with.
+ * @param encryptionSalt - The salt used to encrypt the vault.
  * @returns A promise resolving to the deserialized keyrings array.
  */
-async function _KeyringController_unlockKeyrings(credentials) {
+async function _KeyringController_unlockKeyrings(password, encryptionKey, encryptionSalt) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
-        if (!this.state.vault) {
+        const encryptedVault = this.state.vault;
+        if (!encryptedVault) {
             throw new Error(constants_1.KeyringControllerError.VaultError);
         }
-        const parsedEncryptedVault = JSON.parse(this.state.vault);
-        if ('password' in credentials) {
-            await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_deriveEncryptionKey).call(this, credentials.password);
+        let vault;
+        const updatedState = {};
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
+            if (password) {
+                const result = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithDetail(password, encryptedVault);
+                vault = result.vault;
+                __classPrivateFieldSet(this, _KeyringController_password, password, "f");
+                updatedState.encryptionKey = result.exportedKeyString;
+                updatedState.encryptionSalt = result.salt;
+            }
+            else {
+                const parsedEncryptedVault = JSON.parse(encryptedVault);
+                if (encryptionSalt && encryptionSalt !== parsedEncryptedVault.salt) {
+                    throw new Error(constants_1.KeyringControllerError.ExpiredCredentials);
+                }
+                else {
+                    encryptionSalt = parsedEncryptedVault.salt;
+                }
+                if (typeof encryptionKey !== 'string') {
+                    throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
+                }
+                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+                vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
+                // This call is required on the first call because encryptionKey
+                // is not yet inside the memStore
+                updatedState.encryptionKey = encryptionKey;
+                updatedState.encryptionSalt = encryptionSalt;
+            }
         }
         else {
-            __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_setEncryptionKey).call(this, credentials.encryptionKey, credentials.keyDerivationSalt || parsedEncryptedVault.salt);
-        }
-        const encryptionKey = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")?.serialized;
-        if (!encryptionKey) {
-            throw new Error(constants_1.KeyringControllerError.MissingCredentials);
+            if (typeof password !== 'string') {
+                throw new TypeError(constants_1.KeyringControllerError.WrongPasswordType);
+            }
+            vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decrypt(password, encryptedVault);
+            __classPrivateFieldSet(this, _KeyringController_password, password, "f");
         }
-        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
-        const vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").decryptWithKey(key, parsedEncryptedVault);
         if (!isSerializedKeyringsArray(vault)) {
             throw new Error(constants_1.KeyringControllerError.VaultDataError);
         }
@@ -1254,8 +1250,10 @@ async function _KeyringController_unlockKeyrings(credentials) {
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.keyrings = updatedKeyrings;
-            state.encryptionKey = encryptionKey;
-            state.encryptionSalt = parsedEncryptedVault.salt;
+            if (updatedState.encryptionKey || updatedState.encryptionSalt) {
+                state.encryptionKey = updatedState.encryptionKey;
+                state.encryptionSalt = updatedState.encryptionSalt;
+            }
         });
         return { keyrings, newMetadata };
     });
@@ -1263,36 +1261,57 @@ async function _KeyringController_unlockKeyrings(credentials) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withVaultLock).call(this, async () => {
         // Ensure no duplicate accounts are persisted.
         await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_assertNoDuplicateAccounts).call(this);
-        if (!__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f")) {
+        const { encryptionKey, encryptionSalt, vault } = this.state;
+        // READ THIS CAREFULLY:
+        // We do check if the vault is still considered up-to-date, if not, we would not re-use the
+        // cached key and we will re-generate a new one (based on the password).
+        //
+        // This helps doing seamless updates of the vault. Useful in case we change some cryptographic
+        // parameters to the KDF.
+        const useCachedKey = encryptionKey && vault && __classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated?.(vault);
+        if (!__classPrivateFieldGet(this, _KeyringController_password, "f") && !encryptionKey) {
             throw new Error(constants_1.KeyringControllerError.MissingCredentials);
         }
         const serializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
         if (!serializedKeyrings.some((keyring) => keyring.type === KeyringTypes.hd)) {
             throw new Error(constants_1.KeyringControllerError.NoHdKeyring);
         }
-        const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").serialized);
-        const encryptedVault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
-        // We need to include the salt used to derive
-        // the encryption key, to be able to derive it
-        // from password again.
-        encryptedVault.salt = __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt;
-        const updatedState = {
-            vault: JSON.stringify(encryptedVault),
-            encryptionKey: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").serialized,
-            encryptionSalt: __classPrivateFieldGet(this, _KeyringController_encryptionKey, "f").salt,
-        };
+        const updatedState = {};
+        if (__classPrivateFieldGet(this, _KeyringController_cacheEncryptionKey, "f")) {
+            assertIsExportableKeyEncryptor(__classPrivateFieldGet(this, _KeyringController_encryptor, "f"));
+            if (useCachedKey) {
+                const key = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").importKey(encryptionKey);
+                const vaultJSON = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithKey(key, serializedKeyrings);
+                vaultJSON.salt = encryptionSalt;
+                updatedState.vault = JSON.stringify(vaultJSON);
+            }
+            else if (__classPrivateFieldGet(this, _KeyringController_password, "f")) {
+                const { vault: newVault, exportedKeyString } = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encryptWithDetail(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
+                updatedState.vault = newVault;
+                updatedState.encryptionKey = exportedKeyString;
+            }
+        }
+        else {
+            assertIsValidPassword(__classPrivateFieldGet(this, _KeyringController_password, "f"));
+            updatedState.vault = await __classPrivateFieldGet(this, _KeyringController_encryptor, "f").encrypt(__classPrivateFieldGet(this, _KeyringController_password, "f"), serializedKeyrings);
+        }
+        if (!updatedState.vault) {
+            throw new Error(constants_1.KeyringControllerError.MissingVaultData);
+        }
         const updatedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getUpdatedKeyrings).call(this);
         this.update((state) => {
             state.vault = updatedState.vault;
             state.keyrings = updatedKeyrings;
-            state.encryptionKey = updatedState.encryptionKey;
-            state.encryptionSalt = updatedState.encryptionSalt;
+            if (updatedState.encryptionKey) {
+                state.encryptionKey = updatedState.encryptionKey;
+                state.encryptionSalt = JSON.parse(updatedState.vault).salt;
+            }
         });
         return true;
     });
 }, _KeyringController_isNewEncryptionAvailable = function _KeyringController_isNewEncryptionAvailable() {
     const { vault } = this.state;
-    if (!vault || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
+    if (!vault || !__classPrivateFieldGet(this, _KeyringController_password, "f") || !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated) {
         return false;
     }
     return !__classPrivateFieldGet(this, _KeyringController_encryptor, "f").isVaultUpdated(vault);
@@ -1526,13 +1545,13 @@ async function _KeyringController_persistOrRollback(callback) {
 async function _KeyringController_withRollback(callback) {
     return __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_withControllerLock).call(this, async ({ releaseLock }) => {
         const currentSerializedKeyrings = await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_getSerializedKeyrings).call(this);
-        const currentEncryptionKey = (0, lodash_1.cloneDeep)(__classPrivateFieldGet(this, _KeyringController_encryptionKey, "f"));
+        const currentPassword = __classPrivateFieldGet(this, _KeyringController_password, "f");
         try {
             return await callback({ releaseLock });
         }
         catch (e) {
-            // Keyrings and encryption credentials are restored to their previous state
-            __classPrivateFieldSet(this, _KeyringController_encryptionKey, currentEncryptionKey, "f");
+            // Keyrings and password are restored to their previous state
+            __classPrivateFieldSet(this, _KeyringController_password, currentPassword, "f");
             await __classPrivateFieldGet(this, _KeyringController_instances, "m", _KeyringController_restoreSerializedKeyrings).call(this, currentSerializedKeyrings);
             throw e;
         }