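BV uses hierarchical envelope encryption: each key in the chain below encrypts the key at the next level down, and the DEK encrypts the secret.
Each level limits the blast radius of a compromise.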
==> KSK
==> SUK
==> WSK
==> EVK
==> DEK
==> Secret
KSK (Key Server Key)
SUK (Server Usage Key)
WSK (Workspace Key)
EVK (Environment Key)
DEK (Data Encryption Key)
Compromise of a lower level only affects that scope:
DEK ==> one secret
EVK ==> one environment
WSK ==> one workspace
SUK ==> one customer
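
The chain and the scope claim above, as an added Go example (not BV's own code). The page does not say how BV wraps keys, so AES-256-GCM, the nonce-prefixed layout and the names `seal`, `unwrap`, `demo`, `EVKa`/`EVKb` and `DEKa`/`DEKb` are assumptions, and the keys and secrets are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on setup errors (invalid key length, RNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts pt under key; AES-256-GCM and the nonce||ciphertext layout are assumed.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, pt, nil)
}

// unwrap walks down a chain of seal outputs: each opened layer keys the next.
func unwrap(key []byte, layers ...[]byte) (_ []byte, err error) {
	for _, ct := range layers {
		g := must(cipher.NewGCM(must(aes.NewCipher(key))))
		if key, err = g.Open(nil, ct[:12], ct[12:], nil); err != nil {
			return nil, err // wrong key for this layer: the GCM tag check fails
		}
	}
	return key, nil
}

// demo (constructed data) reads a secret from the KSK down, then tries a stolen EVKa.
func demo() (full, own string, sibling error) {
	k := map[string][]byte{}
	for _, n := range []string{"KSK", "SUK", "WSK", "EVKa", "EVKb", "DEKa", "DEKb"} {
		k[n] = make([]byte, 32)
		must(rand.Read(k[n]))
	}
	w := func(p, c string) []byte { return seal(k[p], k[c]) } // child wrapped by parent
	ctA, ctB := seal(k["DEKa"], []byte("secret-a")), seal(k["DEKb"], []byte("secret-b"))
	f, _ := unwrap(k["KSK"], w("KSK", "SUK"), w("SUK", "WSK"), w("WSK", "EVKa"), w("EVKa", "DEKa"), ctA)
	o, _ := unwrap(k["EVKa"], w("EVKa", "DEKa"), ctA)      // own environment: opens
	_, sibling = unwrap(k["EVKa"], w("EVKb", "DEKb"), ctB) // other environment: fails
	return string(f), string(o), sibling
}
func main() { fmt.Println(demo()) }
```

The holder of EVKa recovers the secret in environment a, but the sibling environment's DEK fails authentication, so the exposure stops at one environment.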