Cardano

  1. Cardano Vault

Usage


Last updated 7 months ago


The proposed flow:

All PGP keys are hex-encoded to avoid issues caused by \n (newline) characters.

There are two utilities, hex_to_string() and string_to_hex(), to help with that (see flow.test.ts for more details).
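The sketch below is an added example, not the project's code from flow.test.ts. It shows why hex encoding avoids the \n problem and why decoding should be strict. Only the names hex_to_string() and string_to_hex() come from this page. Their bodies, the line-oriented reader, and the sample values are assumptions constructed for illustration.

```typescript
// Function names are from the page; the bodies are assumed, not the project's own.
const HEX_DIGITS = "0123456789abcdef";

// UTF-8 encode, then emit two lowercase hex digits per byte: the output is a
// single line with no newlines, quotes or spaces.
function string_to_hex(text: string): string {
  const bytes = new TextEncoder().encode(text);
  let out = "";
  for (let i = 0; i < bytes.length; i++) {
    out += HEX_DIGITS.charAt(bytes[i] >> 4) + HEX_DIGITS.charAt(bytes[i] & 0x0f);
  }
  return out;
}

// Strict decode: reject odd length, non-hex characters and invalid UTF-8
// instead of silently returning a truncated or corrupted key.
function hex_to_string(hex: string): string {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error("invalid hex-encoded key");
  }
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Constructed sample, not a real key: armored-style text with embedded newlines.
const SAMPLE_ARMORED_KEY =
  "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nCONSTRUCTEDSAMPLEONLY\n=ABCD\n-----END PGP PRIVATE KEY BLOCK-----\n";

// Hypothetical line-oriented reader (like a naive .env or log-line parser):
// it keeps only the text between NAME= and the next newline.
function read_line_value(file: string, name: string): string | undefined {
  const lines = file.split("\n");
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].indexOf(name + "=") === 0) return lines[i].slice(name.length + 1);
  }
  return undefined;
}

// True when a value written as NAME=value is read back unchanged.
function survives_line_storage(value: string): boolean {
  const file = "SAMPLE_KEY=" + value + "\nOTHER=1\n"; // SAMPLE_KEY is a made-up name
  return read_line_value(file, "SAMPLE_KEY") === value;
}

console.log("raw armored key survives:", survives_line_storage(SAMPLE_ARMORED_KEY));
console.log("hex-encoded key survives:", survives_line_storage(string_to_hex(SAMPLE_ARMORED_KEY)));
```
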

The things I considered

The way I see this flow is by having 3 separate entities, each of which has one piece of information needed to decrypt the information.

The PIN is only known by the customer (composed of 6 digits).

The vault passphrase is defined in the environment variable of the vault service and the same value is used for all customers (I would prefer to have a better system here, but for the moment this is the simplest way to add one extra layer of security without adding more components or complexity).

The User Salt is a random string defined in an external database (most probably the authentication database); this salt adds an extra layer of security. The information is saved in a remote database and must be provided like the PIN when required (at creation and at decryption / transaction signing).

The databases and servers themselves must also use encryption at rest and in transit.

The vault service and the vault database must also be accessed from a private and controlled network to avoid leaking information and to block unwanted access.

The environment variables must be handled carefully to avoid any leaks of information.

Preferably the vault service and database have access control to limit who can access the components.