Understanding sdk/helper/keysutil

:wave: hello all,

Documentation on the go vault sdk/helpers is sparse.

I would really like to see documentation on when it’s appropriate to leverage sdk/helper/keysutil in plugin development.
Specifically, keysutil.Policy and keysutil.NewEncryptedKeyStorageWrapper.

I’ve read through a lot of the transit and kv engines, and it’s a bit difficult to follow.
It’s unclear why the kv metadata storage uses NewEncryptedKeyStorageWrapper, but the versioned data doesn’t and only has a backend config annotation for SealWrapStorage.

I’ve also posted this on Github.