Provide an overview of key derivations
diff --git a/storage/doc/design.md b/storage/doc/design.md
index f43c51f..c3ea7a9 100644
--- a/storage/doc/design.md
+++ b/storage/doc/design.md
@@ -220,6 +220,26 @@
The chunk ID and the backup snapshot timestamp get added
to prevent an attacker from renaming and swapping files/chunks.
+## Key derivation overview
+
+The original entropy comes from a BIP39 seed (12 words = 128 bit size)
+obtained from Java's `SecureRandom`.
+A PBKDF SHA512 based derivation defined in BIP39 turns this into a 512 bit seed key.
+
+The derived seed key (512 bit size) gets split into two parts:
+1. app data encryption key - 256 bit - first half of seed key
+ * used to encrypt app data retrieved from AOSP
+ * locked in Android's key store for this usage
+ * device needs to be unlocked for decryption
+ * usage deprecated, should not be used for other operations
+2. main key - 256 bit - second half of seed key used to derive application specific keys:
+ 1. HKDF with info "stream key"
+ * this stream key is then used to derive a new key for each stream
+ * the tink library will create various new subkeys based on salt/nonce/counter
+ 2. HKDF with info "Chunk ID calculation"
+ * used to generate deterministic hashes (HMAC-SHA256) over the chunk contents
+ without leaking information about the file contents to third parties
+
# Data structures
## Local caches
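Review bot: The two HKDF steps under the main key (`HKDF with info "stream key"` and `HKDF with info "Chunk ID calculation"`) document only the `info` parameter; the salt input (or an explicit statement that no salt is used) should be documented as well, since anyone reproducing or auditing the derivation needs both inputs. On the same section, `A PBKDF SHA512 based derivation defined in BIP39` would be more precise as `PBKDF2 with HMAC-SHA512 as specified in BIP39`, and a blank line is missing between the existing paragraph ending `files/chunks.` and the new `## Key derivation overview` heading, matching the blank line that separates the section from `# Data structures` below.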