Devices and methods of managing data stored within a container. The container may be associated with at least one registered user. The data within the container may be encrypted by a data encryption key (DEK). A computing device includes: a security module including a crypto-processor, a main processor, and memory. The memory stores instructions that, when executed, configure a processor to: authenticate a user based on a user secret associated with the container and generate a soft key based on the user secret. The instructions cause a crypto-processor to generate a secure generator output including a crypto key component and generate a hardened user key based on a key agreement protocol using the soft key and the crypto key component. The instructions cause a processor to construct an unencrypted DEK associated with the hardened user key and decrypt the subset of data using the unencrypted DEK.