You have not explained how the token relates to decrypting the vault.
You have also not explained how the vault is encrypted (I'm assuming it is encrypted somehow; otherwise an attacker simply downloads the vault and has your credentials).
You can't expect us to give you anything but generic statements if you don't explain how your system works.