You don't store the key in the vault
How do you protect a secret? You put it in a vault. How do you get access the vault? You use the key. How do you protect the key? Well, you could put it in another vault, but you will end up with the same problem. How do you protect the key to that vault?
The protection of ownership comes with another secret to protect.
At the end of the day, you have to accept some kind of compromise between security and usability. You can make that decision explicit by measuring the risk. But you still made that decision when you decided to not store that key in another vault.
I hope you found this valuable
I send out an e-mail whenever I publish new content. It's free. No spam. Unsubscribe whenever you want.