Secure key store derivation and management from a single secure root key

US9838201B2 · US · B2

Patent metadata

  Publication number: US-9838201-B2
  Application number: US-201514882230-A
  Country: US
  Kind code: B2
  Filing date: Oct 13, 2015
  Priority date: Oct 13, 2015
  Publication date: Dec 5, 2017
  Grant date: Dec 5, 2017

Abstract

A root key of a computing device that is typically “burned” into the device hardware at time of manufacture is used to establish a master key and if desired a Transport Layer Security pre-shared key, a WiFi configuration key, and application verification keys. The keys established from the root key are stored in a region of flash memory, and this region of flash memory is then encrypted using a random encryption code.

First claim

What is claimed is:

1. Device comprising: at least one computer memory that is not a transitory signal or software per se and that comprises instructions executable by at least one processing circuitry to: access a root key of a computing device; use the root key of the computing device to establish at least one derived key selected from: a master key component SM, or a Transport Layer Security pre-shared key component ST, or a Wifi configuration key component SW, or an application verification key component SA; store the at least one derived key in a first region of a memory, the first region being less than 100% of a total storage area of the memory; and encrypt the first region using a random encryption code, wherein the random encryption code includes at least one of: advanced encryption standard (AES) XEX encryption mode; Liskov, Rivest, Wagner (LRW) encryption; cipher block chaining-mask-cipher block chaining (CMC) encryption; electronic codebook-mask-electronic codebook (EME) encryption.

2. The device of claim 1, wherein the random encryption code includes advanced encryption standard (AES) XEX encryption mode.

3. The device of claim 2, wherein the AES XEX encryption mode has tweak and ciphertext stealing (XTS) having a first tweak value equal to a key number of the derived key and a second tweak value equal to an AES block number.

4. The device of claim 1, wherein the random encryption code includes Liskov, Rivest, Wagner (LRW) encryption.

5. The device of claim 1, wherein the random encryption code includes cipher block chaining-mask-cipher block chaining (CMC) encryption.

6. The device of claim 1, wherein the random encryption code includes electronic codebook-mask-electronic codebook (EME) encryption.

7. The device of claim 1, wherein the instructions are executable to: upon first boot or derived key reset, generate a mask L; and establish an AES-XTS key using L, the AES-XTS key being used to encrypt the first region of the memory.

8. The device of claim 1, comprising the at least one processing circuitry coupled to the at least one computer memory.

9. The device of claim 1, wherein the first region has a memory size of thirty two kilobytes (32 kB).

10. The device of claim 1, wherein the derived key includes at least two of: the master key component SM, the Transport Layer Security pre-shared key component ST, the Wifi configuration key component SW, the application verification key component SA.

11. The device of claim 1, wherein the derived key includes the master key component SM.

12. The device of claim 1, wherein the derived key includes the Transport Layer Security pre-shared key component ST.

13. The device of claim 1, wherein the derived key includes the Wifi configuration key component SW.

14. The device of claim 1, wherein the derived key includes the application verification key component SA.

15. Method comprising: accessing a root key H of a computing device, the root key H being permanently stored on a secure hardware storage of the computing device; using the root key H to establish a master key M by combining the root key H with a pseudorandom benign key split, represented as follows: M = kdf(H, SM), where kdf = key derivation function, H = root key, SM = master key component; using the master key to encrypt a Transport Layer Security pre-shared key (TLS_PSK) component ST; using the TLS_PSK component ST to establish an encrypted communication channel with at least one paired device; storing the master key component SM and the TLS_PSK component ST in an encrypted region of a memory; and encrypting the first region using a random encryption code, wherein the random encryption code includes at least one of: advanced encryption standard (AES) XEX encryption mode; Liskov, Rivest, Wagner (LRW) encryption; cipher block chaining-mask-cipher block chaining (CMC) encryption; electronic codebook-mask-electronic codebook (EME) encryption.

16. The method of claim 15, wherein the random encryption code includes advanced encryption standard (AES) XEX encryption mode.

17. The method of claim 16, comprising: upon first boot or derived key reset, generating a mask L; and establishing an AES-XTS key using the mask L, the AES-XTS key being used to encrypt the first region of the memory.

18. Apparatus comprising: at least one processing circuitry; and at least one memory accessible to the at least one processing circuitry and comprising instructions executable by the at least one processing circuitry for: deriving, from a hard-coded, unchangeable root key H, a master key M; encrypting at least one communication key component using the master key M but not storing the master key M in an encrypted region of memory; storing the communication key component encrypted by the master key M in the encrypted region of memory for use of the communication key component to establish a secure communication channel with a paired device; storing a component SM of the master key M in the encrypted region of memory, the component SM of the master key M defined by: M = kdf(H, SM), where kdf = key derivation function; encrypting the encrypted region of memory using a random encryption code wherein the random encryption code includes at least one of: advanced encryption standard (AES) XEX encryption mode; Liskov, Rivest, Wagner (LRW) encryption; cipher block chaining-mask-cipher block chaining (CMC) encryption; electronic codebook-mask-electronic codebook (EME) encryption.

Classifications

  • Security improvement · CPC title

  • Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity · CPC title

  • in block erasable memory, e.g. flash memory · CPC title

  • Capacity control, e.g. partitioning, end-of-life degradation · CPC title

  • by using cryptography (for digital transmission H04L9/00) · CPC title

Frequently asked questions

Who is the assignee on this patent?
Sony Computer Entertainment America Llc, Sony Interactive Entertainment America Llc
What technology area does this patent fall under?
Primary CPC classification H04L9/0631. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 5, 2017 (B2). Legal status and post-grant events are not shown on this page.