The public key used to encrypt the symmetric key that decrypts the original secret.
The secret to encrypt.
The identity string that is bundled with the key, so that the recovery service knows which person should be allowed to receive the decryption key for the original secret.
The final size of the encrypted secret. This limits the length of the secret to (encryptedSecretSize - 1). The fixed size is needed so that the length of the original secret cannot be inferred from the length of the encrypted payload.
The final size of the encrypted recovery information. This limits the length of the identity to approx. (bundledEncryptedRecoveryInformationSize - 50). The fixed size is needed so that the length of the identity field cannot be inferred from the length of the encrypted payload.
An encrypted secret that should be stored locally, and the bundled recovery information that should be sent to the recovery server once the secret has been forgotten.
Create the recovery information.
This encrypts the secret with a newly generated symmetric key. That key is then encrypted together with the identifying properties, so that only the holder of the private key matching recoveryServicePublicKey can decrypt it.
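As an added illustration of the parameters and of the description above (example code, not the project's own), here is the construction written out in Go with both sides: CreateRecoveryInformation on the client and RecoverSymmetricKey on the recovery service. Everything beyond the names taken from the descriptions is an assumption of this example: AES-256-GCM for the symmetric encryption, RSA-OAEP wrapping a second random AES key that encrypts the bundle for the recovery service, and ISO/IEC 7816-4 style padding (one 0x80 marker byte, then zeros) to reach a fixed size. Because the two size arguments are taken here as the final ciphertext sizes, and GCM and OAEP add their own fixed overhead, the usable limits are tighter than the ones quoted above for the project's own implementation: encryptedSecretSize - 29 bytes of secret, and bundledEncryptedRecoveryInformationSize minus the RSA modulus size minus 61 bytes of identity (32-byte key, 28 bytes of GCM nonce and tag, one marker byte).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// AES-256-GCM protects data (12-byte nonce + 16-byte tag = 28 bytes overhead); oaepLabel is a domain-separation label chosen for this example.
const symKeySize, gcmNonceSize, gcmOverhead, padMarker, oaepLabel = 32, 12, 28, 0x80, "recovery-bundle"

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always symKeySize bytes here, so this would be a bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// sealFixed pads plaintext to size-gcmOverhead bytes (so at most one byte less fits) and returns
// nonce || ciphertext || tag, which is exactly size bytes long whatever the plaintext length was.
func sealFixed(key, plaintext []byte, size int) ([]byte, error) {
	ptSize := size - gcmOverhead
	if ptSize <= 0 || len(plaintext) >= ptSize {
		return nil, fmt.Errorf("%d bytes do not fit: at most %d allowed", len(plaintext), ptSize-1)
	}
	padded := make([]byte, ptSize) // plaintext || 0x80 || zeros (ISO/IEC 7816-4 style padding)
	copy(padded, plaintext)
	padded[len(plaintext)] = padMarker
	nonce := make([]byte, gcmNonceSize)
	rand.Read(nonce) // crypto/rand.Read never returns an error in current Go; it crashes instead
	return mustGCM(key).Seal(nonce, nonce, padded, nil), nil
}

// openFixed authenticates, decrypts and strips the padding again.
func openFixed(key, sealed []byte) ([]byte, error) {
	if len(sealed) < gcmOverhead {
		return nil, errors.New("ciphertext too short")
	}
	padded, err := mustGCM(key).Open(nil, sealed[:gcmNonceSize], sealed[gcmNonceSize:], nil)
	if err != nil {
		return nil, err
	}
	trimmed := bytes.TrimRight(padded, "\x00")
	if len(trimmed) == 0 || trimmed[len(trimmed)-1] != padMarker {
		return nil, errors.New("invalid padding")
	}
	return trimmed[:len(trimmed)-1], nil
}

// CreateRecoveryInformation encrypts secret under a fresh key, then encrypts key || identity to
// the recovery service: RSA-OAEP wraps a second random AES key, which seals the padded bundle.
func CreateRecoveryInformation(recoveryServicePublicKey *rsa.PublicKey, secret []byte, identity string,
	encryptedSecretSize, bundledEncryptedRecoveryInformationSize int) (encryptedSecret, bundled []byte, err error) {
	keys := make([]byte, 2*symKeySize) // first half protects the secret, second half the bundle
	rand.Read(keys)
	key, wrapKey := keys[:symKeySize], keys[symKeySize:]
	if encryptedSecret, err = sealFixed(key, secret, encryptedSecretSize); err != nil {
		return nil, nil, fmt.Errorf("secret: %w", err)
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recoveryServicePublicKey, wrapKey, []byte(oaepLabel))
	if err != nil {
		return nil, nil, err
	}
	bundle := append(append([]byte{}, key...), identity...)
	encBundle, err := sealFixed(wrapKey, bundle, bundledEncryptedRecoveryInformationSize-len(wrapped))
	if err != nil {
		return nil, nil, fmt.Errorf("identity: %w", err)
	}
	return encryptedSecret, append(wrapped, encBundle...), nil
}

// RecoverSymmetricKey is the recovery service's side: the key is released only when the bundled
// identity equals the identity the service has already authenticated by its own means.
func RecoverSymmetricKey(recoveryServicePrivateKey *rsa.PrivateKey, bundled []byte, authenticatedIdentity string) ([]byte, error) {
	n := recoveryServicePrivateKey.Size() // an RSA-OAEP ciphertext is always modulus-sized
	if len(bundled) < n {
		return nil, errors.New("bundle too short")
	}
	wrapKey, err := rsa.DecryptOAEP(sha256.New(), nil, recoveryServicePrivateKey, bundled[:n], []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	bundle, err := openFixed(wrapKey, bundled[n:])
	if err != nil || len(bundle) < symKeySize {
		return nil, errors.New("bundle cannot be opened")
	}
	if subtle.ConstantTimeCompare(bundle[symKeySize:], []byte(authenticatedIdentity)) != 1 {
		return nil, errors.New("identity mismatch: key not released")
	}
	return bundle[:symKeySize], nil
}
```

With an RSA-2048 recovery key and sizes of 128 and 512, a 7-byte and a 99-byte secret both produce a 128-byte encrypted secret and a 512-byte bundle, while a 100-byte secret is rejected before anything is encrypted. The identity the service compares against is the one it has authenticated itself, not a value taken from the request, and the comparison is constant-time; on a mismatch the symmetric key never leaves RecoverSymmetricKey, so the locally stored ciphertext stays unreadable.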