Only the user may reconstitute the key

The encryption key will be split into shares between the user and the server

The user’s share will be derived solely from a passphrase of the user’s choosing

The server’s share will be derived from the user’s share and the encryption key

The encryption key can only be reconstituted from both the user and server shares together

Compromise of the passphrase will not compromise future encryptions of the passwords