Adapted from Yubico's white paper on full disk encryption:

user record:
    userid
    seqno
    encrypted blob:
        data:
            shared-secret
            payload
            sha1( shared-secret payload )
        key:
            hmac-sha1:
                data: sha1( userid password seqno )
                key: shared-secret
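The record layout above, worked through as an added example (not code from Yubico's white paper): building the record at enrollment and opening it with a token response. The function names, the byte encoding of the challenge inputs and the XOR keystream used in place of the cipher (which the layout does not name) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET_LEN = 20  # YubiKey HMAC-SHA1 secrets are 20 bytes
DIGEST_LEN = 20  # SHA-1 output size

def challenge(userid, password, seqno):
    # sha1( userid password seqno ); the byte encoding is an assumption:
    # UTF-8 strings followed by a 4-byte big-endian sequence number.
    data = userid.encode() + password.encode() + struct.pack(">I", seqno)
    return hashlib.sha1(data).digest()

def xor_stream(key, data):
    # Stand-in cipher (assumption, illustration only): XOR with an
    # HMAC-SHA1 counter keystream. Use a vetted cipher in real code.
    out = bytearray()
    for i in range(0, len(data), DIGEST_LEN):
        pad = hmac.new(key, struct.pack(">Q", i // DIGEST_LEN), hashlib.sha1).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + DIGEST_LEN], pad))
    return bytes(out)

def seal(secret, payload, userid, password, seqno):
    # Enrollment side: the secret is known here, so the blob key
    # hmac-sha1(key=shared-secret, data=challenge) is computed in software.
    key = hmac.new(secret, challenge(userid, password, seqno), hashlib.sha1).digest()
    inner = secret + payload + hashlib.sha1(secret + payload).digest()
    return {"userid": userid, "seqno": seqno, "blob": xor_stream(key, inner)}

def open_record(record, password, token_response):
    # Unlock side: the host does not hold the secret yet, so the blob key
    # comes from the token. token_response(challenge) -> 20-byte HMAC.
    if len(record["blob"]) < SECRET_LEN + DIGEST_LEN:
        raise ValueError("blob too short")
    key = token_response(challenge(record["userid"], password, record["seqno"]))
    inner = xor_stream(key, record["blob"])
    secret = inner[:SECRET_LEN]
    payload = inner[SECRET_LEN:-DIGEST_LEN]
    digest = inner[-DIGEST_LEN:]
    # The trailing sha1( shared-secret payload ) is the only signal that
    # the password, token and seqno all matched.
    if not hmac.compare_digest(hashlib.sha1(secret + payload).digest(), digest):
        raise ValueError("wrong password, wrong token, or altered record")
    return secret, payload
```

Because seqno feeds the challenge, a record whose stored seqno is changed no longer opens with the response the token gives for it.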