WrappedDEK
A single envelope of a per-resource Data Encryption Key (DEK) wrapped to one passkey-bound X25519 public key. Multiple WrappedDEK rows can exist per resource — one per active passkey of the owner, plus recipient passkeys when the resource is shared (T2.4) and admin escrow keys (T2.5). The browser unwraps with the X25519 priv derived from the WebAuthn PRF output, then AES-GCM-decrypts the resource's ciphertext with the recovered DEK.
Wire shape mirrors console/src/crypto/passkey/wrap.ts: ephemeral sender pubkey + AES-GCM nonce + AES-GCM ciphertext, all base64- standard. The ENT row stores raw bytes; this resolver layer encodes.
type WrappedDEK {
id: ID!
resourceType: WrappedDEKResourceType!
resourceID: ID!
passkeyEncryptionKey: PasskeyEncryptionKey!
ephemeralPubkey: String!
wrappedDek: String!
nonce: String!
createdAt: Time!
}
Fields
WrappedDEK.id ● ID! non-null scalar
WrappedDEK.resourceType ● WrappedDEKResourceType! non-null enum
Type of the encrypted resource (e.g. STRATEGY). Discriminator on the (resource_type, resource_id) lookup.
WrappedDEK.resourceID ● ID! non-null scalar
UUID of the encrypted resource row.
WrappedDEK.passkeyEncryptionKey ● PasskeyEncryptionKey! non-null object
The passkey encryption key this DEK is wrapped to. Read path joins on this to pick the envelope matching the calling user's active passkey.
WrappedDEK.ephemeralPubkey ● String! non-null scalar
32-byte sender ephemeral X25519 public key from the wrap-time keypair, base64-standard. Mixed into HKDF info on unwrap.
WrappedDEK.wrappedDek ● String! non-null scalar
AES-GCM ciphertext of the 32-byte DEK, base64-standard.
WrappedDEK.nonce ● String! non-null scalar
12-byte AES-GCM nonce used during the wrap, base64-standard.
WrappedDEK.createdAt ● Time! non-null scalar
Returned By
setStrategyWrappedDEKs mutation
Member Of
Strategy object