...
/persist/vault - encrypted top-level directory for the parts needing encryption. This will be encrypted using a key sealed under the PCRs in the TPM, thus must not be used to store information which the device needs to access in order to be able to perform remote attestation with the controller.
TBD: Do we want a separate vault directory which where the key is not sealed under the PCRs so that we can put e.g., /persist/status/* in an encrypted location?
/persist/clear - alternative for the parts not needing encryption (currently this is only proposed for volumes where encryption incurs some overhead for running ECOs).
...