diff --git a/internal/cli/vault.go b/internal/cli/vault.go
index 47f9ba5..287b07a 100644
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -219,7 +219,7 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
 ltPublicKey := ltIdentity.Recipient().String()
 secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir)
- if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), 0o600); err != nil {
+ if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), secret.FilePerms); err != nil {
 return fmt.Errorf("failed to store long-term public key: %w", err)
 }
diff --git a/pkg/agehd/agehd.go b/pkg/agehd/agehd.go
index 6290782..a7ee478 100644
--- a/pkg/agehd/agehd.go
+++ b/pkg/agehd/agehd.go
@@ -37,16 +37,16 @@ func clamp(k []byte) {
 // IdentityFromEntropy converts 32 deterministic bytes into an
 // *age.X25519Identity by round-tripping through Bech32.
 func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
- if len(ent) != 32 {
+ if len(ent) != 32 { // 32 bytes = 256-bit key size for X25519
 return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
 }
 // Make a copy to avoid modifying the original
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519 // 32 bytes = 256-bit key size for X25519
 copy(key, ent)
 clamp(key)
- data, err := bech32.ConvertBits(key, 8, 5, true)
+ data, err := bech32.ConvertBits(key, 8, 5, true) // Convert from 8-bit to 5-bit encoding for bech32
 if err != nil {
 return nil, fmt.Errorf("bech32 convert: %w", err)
 }
@@ -80,7 +80,7 @@ func DeriveEntropy(mnemonic string, n uint32) ([]byte, error) {
 // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 drng := bip85.NewBIP85DRNG(entropy)
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
 _, err = drng.Read(key)
 if err != nil {
 return nil, fmt.Errorf("failed to read from DRNG: %w", err)
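Review bot: The mode for the long-term public key file in VaultImport now comes from `secret.FilePerms`, whose definition is not part of this diff, so the call site no longer shows that the file is written owner-only. It is worth confirming the constant is still `0o600` and giving it a doc comment such as `// FilePerms is the mode for vault files: read/write for the owner only.`, so that a later edit to the constant is recognised as a permission change for every file that uses it. VaultImport's body starts and ends outside this hunk.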
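Review bot: The literal 32 in IdentityFromEntropy is still a magic number after this change; it is only annotated, and as rendered here the annotation appears twice on the `key := make([]byte, 32)` line. A single package-level constant, for example `const x25519KeySize = 32 // X25519 scalar length in bytes`, used as `len(ent) != x25519KeySize` and `make([]byte, x25519KeySize)`, would state this once and match the named-constant approach taken in vault.go. The same trailing comment is repeated on the `key := make([]byte, 32)` lines of the DeriveEntropy and DeriveEntropyFromXPRV hunks, which could use the same constant. IdentityFromEntropy continues past the end of this hunk.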
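Review bot: `_, err = drng.Read(key)` in DeriveEntropy discards the byte count, so a read that returned fewer than 32 bytes with a nil error would leave the tail of the age key zero-filled without any failure being reported. Whether the BIP85 DRNG can return short is not visible here; `if _, err = io.ReadFull(drng, key); err != nil {` would make the full-length requirement explicit, assuming drng satisfies io.Reader and adding the `io` import if the file lacks it. The DeriveEntropyFromXPRV hunk has the identical pattern. Both functions continue outside their hunks.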
@@ -109,7 +109,7 @@ func DeriveEntropyFromXPRV(xprv string, n uint32) ([]byte, error) {
 // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
 drng := bip85.NewBIP85DRNG(entropy)
- key := make([]byte, 32)
+ key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
 _, err = drng.Read(key)
 if err != nil {
 return nil, fmt.Errorf("failed to read from DRNG: %w", err)