enigma-storage 0.0.1

Encrypted local storage for Enigma with mandatory at-rest encryption and cross-platform key vault providers.
# Key management

The master key is the root secret. enigma-storage never writes it in plaintext and never prompts for passwords. Applications decide how to gather secrets and select providers that match their threat model.

## Providers and protections
- FileSealedKeyProvider: relies on a local salt and a device-derived wrapping key. Protects against casual browsing of files, but not against a fully compromised host.
- PasswordKeyProvider: protects the master key with an Argon2id-derived wrapping key computed from application-supplied password bytes. Defends against disk theft when the password is strong and not reused elsewhere.
- ForeignKeyProvider: uses a key supplied at runtime (Android Keystore, iOS Keychain, HSM/KMS). Avoids local persistence of the key entirely.
- OS vault providers: store the key in platform keychains (DPAPI, macOS Keychain, Linux Secret Service). Integrate with system policies and user profiles.

## Threat considerations
- Assume disk contents are exposed without these protections. Always enable encryption at rest (mandatory).
- Headless Linux servers may lack Secret Service; prefer ForeignKeyProvider or FileSealedKeyProvider there.
- Password prompts are outside the crate; ensure your UI prevents password reuse and avoids echoing secrets.
- Rotate keys by creating a new store or re-encrypting values with a fresh master key sourced from a provider.
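The following is an added example illustrating the PasswordKeyProvider pattern and the rotation note above; it is not enigma-storage's own code or blob format. It assumes stdlib scrypt as a stand-in for Argon2id and an HMAC-based encrypt-then-MAC construction as a stand-in for a real AEAD, so that it runs without third-party crates or packages.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: stdlib scrypt stands in for the Argon2id the crate uses, and the
# HMAC-CTR + HMAC encrypt-then-MAC below stands in for a real AEAD; the blob
# layout (salt | nonce | ciphertext | tag) is this example's own, not the crate's.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SAMPLE_MASTER_KEY = bytes(range(32))  # constructed sample; real keys come from os.urandom


def derive_wrapping_key(password: bytes, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream = HMAC-SHA256(key, nonce || counter); XOR is its own inverse.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal_master_key(master_key: bytes, password: bytes) -> bytes:
    """Wrap the master key; only the returned blob is ever written to disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    wk = derive_wrapping_key(password, salt)
    ct = _xor_stream(wk[:32], nonce, master_key)
    tag = hmac.new(wk[32:], salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal_master_key(blob: bytes, password: bytes) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong or the blob was altered."""
    if len(blob) < 16 + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    wk = derive_wrapping_key(password, salt)
    expected = hmac.new(wk[32:], salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time; verify before decrypting
        return None
    return _xor_stream(wk[:32], nonce, ct)

def rewrap_master_key(blob: bytes, old_password: bytes, new_password: bytes) -> Optional[bytes]:
    """Password change: same master key, fresh salt/nonce, so stored values stay valid."""
    master_key = unseal_master_key(blob, old_password)
    return None if master_key is None else seal_master_key(master_key, new_password)
```

Rewrapping changes only the password layer; rotating the master key itself, as the last bullet says, also requires re-encrypting every stored value under the fresh key.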