this.signKey = deriveKey(mk, C2S_SIGN_CONSTANT);
        this.verifyKey = deriveKey(mk, S2C_SIGN_CONSTANT);

        if (log.isDebugEnabled()) {
            log.debug("Sign key is " + Hexdump.toHexString(this.signKey));
            log.debug("Verify key is " + Hexdump.toHexString(this.verifyKey));
        }

        this.sealClientKey = deriveKey(mk, C2S_SEAL_CONSTANT);

        byte[] baseKey = new byte[16];
        new SecureRandom().nextBytes(baseKey);

        byte[] derived1 = keyManager.deriveKey(baseKey, "label1", null, 32);
        byte[] derived2 = keyManager.deriveKey(baseKey, "label2", null, 32);
        byte[] derived3 = keyManager.deriveKey(baseKey, "label1", new byte[] { 1, 2, 3 }, 32);

        assertEquals(32, derived1.length, "Derived key should have correct length");

        }

        // Generate salt for key derivation
        this.salt = new byte[SALT_SIZE];
        secureRandom.nextBytes(this.salt);

        // Derive master key from password
        this.masterKey = deriveKey(masterPassword, salt);

        // Clear the master password after use
        Arrays.fill(masterPassword, '\0');
    }

    /**
     * Initialize secure credential storage with existing salt and password
     *

     * @param context key derivation context
     * @param length desired key length in bytes
     * @return derived key
     * @throws GeneralSecurityException if key derivation fails
     */
    public byte[] deriveKey(byte[] baseKey, String label, byte[] context, int length) throws GeneralSecurityException {
        checkNotClosed();

        // Simple KDF implementation (should be replaced with proper KDF like HKDF)