1.3.1.1 ServerWrap Subprotocol
In this subprotocol, the client submits a secret to the server for wrapping as specified in section 3.1.4.1.1. This is shown in figure 1.

Figure 1: Server-side secret wrapping
The client then stores the wrapped secret. At a later time, when the client needs access to the secret, the client makes a request to the server as specified in section 3.1.4.1.2. This is shown in figure 2. The server performs access checks to ensure that the client is authorized to receive the secret, and if the checks are successful, the server returns the unwrapped secret. This process, including the access checking performed, is specified in section 3.1.4.1.2.

Figure 2: Recovering a server-side wrapped secret