MetaMask · ieow · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add `SecretMetadata.compareByTimestamp` static method for comparing metadata by timestamp ([#7284](https://github.com/MetaMask/core/pull/7284))
 - Add `SecretMetadata.matchesType` static method for checking if metadata matches a given type ([#7284](https://github.com/MetaMask/core/pull/7284))
 - Re-export `EncAccountDataType` from `@metamask/toprf-secure-backup` ([#7284](https://github.com/MetaMask/core/pull/7284))
+- Add third generic type parameter `EncryptionResult` to `SeedlessOnboardingController` and `SeedlessOnboardingControllerOptions`, constrained by `EncryptionResultConstraint` and defaulting to `DefaultEncryptionResult`, so the vault `encryptor` matches the full `Encryptor` typing from `@metamask/keyring-controller` ([#8411](https://github.com/MetaMask/core/pull/8411))
 
 ### Changed
 
@@ -32,6 +33,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Use `SecretMetadata.matchesType` for filtering
 - **BREAKING:** Change `SecretMetadata.fromRawMetadata` signature to require `storageMetadata` parameter ([#7284](https://github.com/MetaMask/core/pull/7284))
 - **BREAKING:** Remove `version` getter from `SecretMetadata`; use `storageVersion` instead ([#7284](https://github.com/MetaMask/core/pull/7284))
+- **BREAKING:** Remove `VaultEncryptor` type alias; use `Encryptor` from `@metamask/keyring-controller` with encryption key, key derivation params, and encryption result types ([#8411](https://github.com/MetaMask/core/pull/8411))
+- **BREAKING:** `SeedlessOnboardingControllerOptions` no longer supplies default type parameters for `EncryptionKey` and `SupportedKeyDerivationParams`; pass both explicitly when referencing the type ([#8411](https://github.com/MetaMask/core/pull/8411))
 
 ### Fixed
 

@@ -16,6 +16,10 @@ import {
   keyFromPassword as keyFromPasswordBrowserPassworder,
   encryptWithKey as encryptWithKeyBrowserPassworder,
 } from '@metamask/browser-passworder';
+import {
+  DefaultEncryptionResult,
+  Encryptor,
+} from '@metamask/keyring-controller';
 import {
   EncAccountDataType,
   TOPRFError,
@@ -59,10 +63,7 @@ import {
   getInitialSeedlessOnboardingControllerStateWithDefaults,
   SeedlessOnboardingController,
 } from './SeedlessOnboardingController';
-import type {
-  SeedlessOnboardingControllerState,
-  VaultEncryptor,
-} from './types';
+import type { SeedlessOnboardingControllerState } from './types';
 import type {
   MockKeyringControllerMessenger,
   RootMessenger,
@@ -132,9 +133,14 @@ type WithControllerCallback<ReturnValue, EKey, SupportedKeyDerivationOptions> =
   }: {
     controller: SeedlessOnboardingController<
       EKey,
-      SupportedKeyDerivationOptions
+      SupportedKeyDerivationOptions,
+      DefaultEncryptionResult<SupportedKeyDerivationOptions>
+    >;
+    encryptor: Encryptor<
+      EKey,
+      SupportedKeyDerivationOptions,
+      DefaultEncryptionResult<SupportedKeyDerivationOptions>
     >;
-    encryptor: VaultEncryptor<EKey, SupportedKeyDerivationOptions>;
     initialState: SeedlessOnboardingControllerState;
     messenger: SeedlessOnboardingControllerMessenger;
     baseMessenger: RootMessenger;
@@ -146,7 +152,11 @@ type WithControllerCallback<ReturnValue, EKey, SupportedKeyDerivationOptions> =
   }) => Promise<ReturnValue> | ReturnValue;
 
 type WithControllerOptions<EKey, SupportedKeyDerivationParams> = Partial<
-  SeedlessOnboardingControllerOptions<EKey, SupportedKeyDerivationParams>
+  SeedlessOnboardingControllerOptions<
+    EKey,
+    SupportedKeyDerivationParams,
+    DefaultEncryptionResult<SupportedKeyDerivationParams>
+  >
 >;
 
 type WithControllerArgs<ReturnValue, EKey, SupportedKeyDerivationParams> =
@@ -163,9 +173,10 @@ type WithControllerArgs<ReturnValue, EKey, SupportedKeyDerivationParams> =
  *
  * @returns The default vault encryptor for the Seedless Onboarding Controller.
  */
-function getDefaultSeedlessOnboardingVaultEncryptor(): VaultEncryptor<
+function getDefaultSeedlessOnboardingVaultEncryptor(): Encryptor<
   EncryptionKey | webcrypto.CryptoKey,
-  KeyDerivationOptions
+  KeyDerivationOptions,
+  DefaultEncryptionResult<KeyDerivationOptions>
 > {
   return {
     encrypt,

@@ -6,6 +6,11 @@ import type {
   StateMetadata,
 } from '@metamask/base-controller';
 import type * as encryptionUtils from '@metamask/browser-passworder';
+import type {
+  DefaultEncryptionResult,
+  EncryptionResultConstraint,
+  Encryptor,
+} from '@metamask/keyring-controller';
 import type { Messenger } from '@metamask/messenger';
 import type {
   AuthenticateResult,
@@ -60,7 +65,6 @@ import type {
   SeedlessOnboardingControllerState,
   AuthenticatedUserDetails,
   SocialBackupsMetadata,
-  VaultEncryptor,
   RefreshJWTToken,
   RevokeRefreshToken,
   RenewRefreshToken,
@@ -146,8 +150,10 @@ export type SeedlessOnboardingControllerMessenger = Messenger<
  * @param encryptor - The encryptor to use for encrypting and decrypting seedless onboarding vault.
  */
 export type SeedlessOnboardingControllerOptions<
-  EncryptionKey = encryptionUtils.EncryptionKey,
-  SupportedKeyDerivationParams = encryptionUtils.KeyDerivationOptions,
+  EncryptionKey,
+  SupportedKeyDerivationParams,
+  EncryptionResult extends
+    EncryptionResultConstraint<SupportedKeyDerivationParams> = DefaultEncryptionResult<SupportedKeyDerivationParams>,
 > = {
   messenger: SeedlessOnboardingControllerMessenger;
 
@@ -161,7 +167,11 @@ export type SeedlessOnboardingControllerOptions<
    *
    * @default browser-passworder @link https://github.com/MetaMask/browser-passworder
    */
-  encryptor: VaultEncryptor<EncryptionKey, SupportedKeyDerivationParams>;
+  encryptor: Encryptor<
+    EncryptionKey,
+    SupportedKeyDerivationParams,
+    EncryptionResult
+  >;
 
   /**
    * A function to get a new jwt token using refresh token.
@@ -377,14 +387,17 @@ const seedlessOnboardingMetadata: StateMetadata<SeedlessOnboardingControllerStat
 export class SeedlessOnboardingController<
   EncryptionKey = encryptionUtils.EncryptionKey,
   SupportedKeyDerivationOptions = encryptionUtils.KeyDerivationOptions,
+  EncryptionResult extends
+    EncryptionResultConstraint<SupportedKeyDerivationOptions> = DefaultEncryptionResult<SupportedKeyDerivationOptions>,
 > extends BaseController<
   typeof controllerName,
   SeedlessOnboardingControllerState,
   SeedlessOnboardingControllerMessenger
 > {
-  readonly #vaultEncryptor: VaultEncryptor<
+  readonly #vaultEncryptor: Encryptor<
     EncryptionKey,
-    SupportedKeyDerivationOptions
+    SupportedKeyDerivationOptions,
+    EncryptionResult
   >;
 
   readonly #controllerOperationMutex = new Mutex();
@@ -451,7 +464,8 @@ export class SeedlessOnboardingController<
     passwordOutdatedCacheTTL = PASSWORD_OUTDATED_CACHE_TTL_MS,
   }: SeedlessOnboardingControllerOptions<
     EncryptionKey,
-    SupportedKeyDerivationOptions
+    SupportedKeyDerivationOptions,
+    EncryptionResult
   >) {
     super({
       name: controllerName,

@@ -1,4 +1,3 @@
-import type { Encryptor } from '@metamask/keyring-controller';
 import type { KeyPair, NodeAuthTokens } from '@metamask/toprf-secure-backup';
 import type { MutexInterface } from 'async-mutex';
 
@@ -179,12 +178,6 @@ export type SeedlessOnboardingControllerState =
       migrationVersion: number;
     };
 
-/**
- * Encryptor interface for encrypting and decrypting seedless onboarding vault.
- */
-export type VaultEncryptor<EncryptionKey, SupportedKeyDerivationParams> =
-  Encryptor<EncryptionKey, SupportedKeyDerivationParams>;
-
 /**
  * Additional key deriver for the TOPRF client.
  *

@@ -1,16 +1,21 @@
 import type {
   EncryptionKey,
-  EncryptionResult,
   KeyDerivationOptions,
 } from '@metamask/browser-passworder';
+import {
+  DefaultEncryptionResult,
+  Encryptor,
+} from '@metamask/keyring-controller';
 import type { Json } from '@metamask/utils';
 import { webcrypto } from 'node:crypto';
 
-import type { VaultEncryptor } from '../../src/types';
-
 export default class MockVaultEncryptor
   implements
-    VaultEncryptor<EncryptionKey | webcrypto.CryptoKey, KeyDerivationOptions>
+    Encryptor<
+      EncryptionKey | webcrypto.CryptoKey,
+      KeyDerivationOptions,
+      DefaultEncryptionResult<KeyDerivationOptions>
+    >
 {
   defaultDerivationParams: KeyDerivationOptions = {
     algorithm: 'PBKDF2',
@@ -123,7 +128,7 @@ export default class MockVaultEncryptor
   async encryptWithKey(
     encryptionKey: EncryptionKey | webcrypto.CryptoKey,
     data: unknown,
-  ): Promise<EncryptionResult> {
+  ): Promise<DefaultEncryptionResult<KeyDerivationOptions>> {
     const dataString = JSON.stringify(data);
     const dataBuffer = Buffer.from(dataString);
     const vector = webcrypto.getRandomValues(new Uint8Array(16));
@@ -141,7 +146,7 @@ export default class MockVaultEncryptor
     const buffer = new Uint8Array(encBuff);
     const vectorStr = Buffer.from(vector).toString('base64');
     const vaultStr = Buffer.from(buffer).toString('base64');
-    const encryptionResult: EncryptionResult = {
+    const encryptionResult: DefaultEncryptionResult<KeyDerivationOptions> = {
       data: vaultStr,
       iv: vectorStr,
     };
@@ -155,9 +160,9 @@ export default class MockVaultEncryptor
 
   async decryptWithKey(
     encryptionKey: EncryptionKey | webcrypto.CryptoKey,
-    payload: EncryptionResult,
+    payload: DefaultEncryptionResult<KeyDerivationOptions>,
   ): Promise<unknown> {
-    let encData: EncryptionResult;
+    let encData: DefaultEncryptionResult<KeyDerivationOptions>;
     if (typeof payload === 'string') {
       encData = JSON.parse(payload);
     } else {