- Issue 1: using uninitialised keys. - Issue 2: IV reuse in AES-GCM when a file is re-encrypted after an update. - Issue 3: a malicious server can place a chosen key in a victim user's encrypted keystore; the user then rotates everything to that key on next login/update.