// GLOSSARY
Envelope encryption
Encrypting data with a unique data key, then encrypting that data key with a master key. Compromise of one stored secret doesn't expose the rest, and the master key can live in an HSM/KMS. A standard pattern for storing users' exchange API keys.
Envelope encryption wraps secrets in two layers: each secret is encrypted with its own data key, and the data key is itself encrypted ("wrapped") by a master key that never leaves a key-management service or hardware module.
Worked example
A custody service storing your Kalshi API key generates a fresh data key, encrypts your API key with it, encrypts the data key with the master key, and stores both ciphertexts. To sign a request it asks the KMS to unwrap the data key in memory, decrypts, uses, and discards. A database leak yields only ciphertext; the master key was never in the database at all.
Why it matters for trading infrastructure
Anyone holding plaintext exchange keys can trade as you. Envelope encryption (often combined with asymmetric schemes like X25519 for key exchange) is how a service can use your keys on your instruction without warehousing them in readable form — the model Mithril uses for venue-key custody. Trade-offs versus holding keys yourself are discussed in agent custody for prediction markets.