pub fn encrypt_with_envelope(
root_key: &[u8; 32],
nonce: &Nonce<16>,
plaintext: &[u8],
aad: &[u8],
) -> Result<Vec<u8>, CryptoError>Expand description
Encrypts plaintext using a derived key and wraps it in an envelope.
§Security
A unique encryption key is derived from the root key using the provided nonce:
derived_key = derive_scoped_key(root_key, "commit:<hex(nonce)>")
Each commit gets a unique encryption key. The nonce is embedded in the envelope header so decryption can re-derive the same key.