fixes #64 by attempting to mount the more common "localhost", which is more likely to be excluded from proxy autoconfiguration scripts.

updated travis script (requires git release tags to be equal to maven version, so starting with this tag we drop the preceeding "v")

.travis.yml

@@ -1,4 +1,20 @@
 language: java
 jdk:
-  - oraclejdk8
+- oraclejdk8
 script: mvn -fmain/pom.xml clean package
+notifications:
+  webhooks:
+    urls:
+    - https://webhooks.gitter.im/e/7d429ab35361726e26f2
+    on_success: change
+    on_failure: always
+    on_start: false
+deploy:
+  provider: releases
+  api_key:
+    secure: ZjE1j93v3qbPIe2YbmhS319aCbMdLQw0HuymmluTurxXsZtn9D4t2+eTr99vBVxGRuB5lzzGezPR5zjk5W7iHF7xhwrawXrFzr2rPJWzWFt0aM+Ry2njU1ROTGGXGTbv4anWeBlgMxLEInTAy/9ytOGNJlec83yc0THpOY2wxnk=
+  file: main/target/Cryptomator-$TRAVIS_TAG.jar
+  skip_cleanup: true
+  on:
+    repo: cryptomator/cryptomator
+    tags: true

LICENSE

@@ -1,20 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Sebastian Stenzel
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

LICENSES/Apache-2.0-License.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

LICENSES/BSD-License.txt

@@ -0,0 +1,12 @@
+Copyright (c) <YEAR>, <OWNER>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/MIT-X-Consortium-License.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

NOTICE.md

@@ -0,0 +1,96 @@
+# CRYPTOMATOR
+Copyright (c) 2014, Sebastian Stenzel
+
+Cryptomator is licensed under the MIT license. The details can be found in the accompanying license file.
+
+## Third party softwares
+
+Cryptomator uses third party softwares that may be licensed under different licenses.
+
+
+### Jackson
+Jackson is a high-performance, Free/Open Source JSON processing library.
+It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
+been in development since 2007.
+It is currently developed by a community of developers, as well as supported
+commercially by FasterXML.com.
+
+**Licensing:** Jackson core and extension components may licensed under different licenses.
+To find the details that apply to this artifact see the accompanying Apache 2.0 license file.
+For more information, including possible other licensing options, contact
+FasterXML.com (http://fasterxml.com).
+
+**Credits:** A list of contributors may be found from CREDITS file, which is included
+in some artifacts (usually source distributions); but is always available
+from the source code management (SCM) system project uses.
+
+
+### Jetty
+Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License v1.0
+and Apache License v2.0 which accompanies this distribution.
+
+The UnixCrypt.java code implements the one way cryptography used by
+Unix systems for simple password protection.  Copyright 1996 Aki Yoshida,
+modified April 2001  by Iris Van den Broeke, Daniel Deville.
+Permission to use, copy, modify and distribute UnixCrypt
+for non-commercial or commercial purposes and without fee is
+granted provided that the copyright notice appears in all copies.
+
+
+### Jackrabbit WebDAV Library
+Copyright 2004-2014 The Apache Software Foundation
+
+This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
+
+Based on source code originally developed by Day Software (http://www.day.com/).
+
+### Apache Jakarta HttpClient
+Copyright 1999-2007 The Apache Software Foundation
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+### Apache Commons Collections
+Copyright 2001-2013 The Apache Software Foundation
+
+This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
+
+### Apache Commons Codec
+Copyright 2002-2013 The Apache Software Foundation
+
+This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
+
+src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java contains test data
+from http://aspell.net/test/orig/batch0.tab. Copyright (C) 2002 Kevin Atkinson (kevina@gnu.org)
+
+### Apache Commons IO
+Copyright 2002-2012 The Apache Software Foundation
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+### Apache Commons Lang
+Copyright 2001-2011 The Apache Software Foundation
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software from the Spring Framework,
+under the Apache License 2.0 (see: StringUtils.containsWhitespace())
+
+### ControlsFX
+Copyright (c) 2013, ControlsFX
+
+Licensed under the accompanying BSD license file.
+
+### Apache Log4j
+Copyright 1999-2012 Apache Software Foundation
+
+This product includes software developed at The Apache Software Foundation (http://www.apache.org/).
+
+ResolverUtil.java Copyright 2005-2006 Tim Fennell
+
+### JUnit
+Copyright (c) 2000-2006, www.hamcrest.org
+
+Licensed under the accompanying BSD license file.

README.md

@@ -1,47 +1,55 @@
 Cryptomator
 ====================
 
-Multiplatform transparent client-side encryption of your files in the cloud. You need Java 8 in order to run the application. Get the runtime environment here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
+[![Build Status](https://travis-ci.org/cryptomator/cryptomator.svg?branch=master)](https://travis-ci.org/cryptomator/cryptomator)
+[![Join the chat at https://gitter.im/totalvoidness/cryptomator](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/cryptomator/cryptomator?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Flattr Cryptomator](https://api.flattr.com/button/flattr-badge-large.png)](https://flattr.com/submit/auto?user_id=totalvoidness&url=https%3A%2F%2Fgithub.com%2Ftotalvoidness%2Fcryptomator&title=Cryptomator&language=en_GB&tags=github&category=software)
 
-If you want to take a look at the current beta version, go ahead and download [Cryptomator.dmg](https://github.com/totalvoidness/cryptomator/releases/download/v0.2.0/Cryptomator.dmg), [Cryptomator.exe](https://github.com/totalvoidness/cryptomator/releases/download/v0.2.0/Cryptomator.exe) or [Cryptomator.jar](https://github.com/totalvoidness/cryptomator/releases/download/v0.2.0/Cryptomator.jar).
+Multiplatform transparent client-side encryption of your files in the cloud.
+
+If you want to take a look at the current beta version, go ahead and get your copy of cryptomator on  [Cryptomator.org](https://cryptomator.org) or clone and build Cryptomator using Maven (instructions below).
 
 ## Features
-- Totally transparent: Just work on the encrypted volume, as if it was an USB drive
-- Works with Dropbox, OneDrive (Skydrive), Google Drive and any other cloud storage, that syncs with a local directory
+- Totally transparent: Just work on the encrypted volume, as if it was an USB flash drive
+- Works with Dropbox, OneDrive (Skydrive), Google Drive and any other cloud storage, that syncs with a local directory.
 - In fact it works with any directory. You can use it to encrypt as many folders as you like
-- AES encryption with up to 256 bit key length
+- AES encryption with 256 bit key length
 - Client-side. No accounts, no data shared with any online service
 - Filenames get encrypted too
 - No need to provide credentials for any 3rd party service
 - Open Source means: No backdoors. Control is better than trust
 - Use as many encrypted folders in your dropbox as you want. Each having individual passwords
+- No commerical interest, no government agency, no wasted taxpayers' money ;-)
 
-## Security
-- Default key length is 256 bit (falls back to 128 bit, if JCE isn't installed)
-- PBKDF2 key generation
+### Privacy
+- 256 bit keys (unlimited strength policy bundled with native binaries - 128 bit elsewhere)
+- Scrypt key derivation
 - Cryptographically secure random numbers for salts, IVs and the masterkey of course
 - Sensitive data is swiped from the heap asap
-- Lightweight: Complexity kills security
+- Lightweight: [Complexity kills security](https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html)
 
-## Consistency
+### Consistency
+- HMAC over file contents to recognize changed ciphertext before decryption
 - I/O operations are transactional and atomic, if the file systems supports it
-- ~~Metadata is stored per-folder, so it's not a SPOF~~
-- *NEW:* No Metadata at all. Encrypted files can be decrypted even on completely shuffled file systems (if their contents are undamaged).
+- Each file contains all information needed for decryption (except for the key of course). No common metadata means no [SPOF](http://en.wikipedia.org/wiki/Single_point_of_failure)
 
-## Dependencies
-- Java 8
-- see pom.xml ;-)
+## Building
 
-## TODO
+#### Dependencies
+* Java 8
+* Maven 3
+* Optional: OS-dependent build tools for native packaging
+* Optional: JCE unlimited strength policy files (needed for 256 bit keys)
 
-### UI
-- Native L&F
-- Drive icons in WebDAV volumes
-- Change password functionality
-- Better explanations on UI
+#### Building on Debian-based OS
+```bash
+apt-get install oracle-java8-installer oracle-java8-unlimited-jce-policy fakeroot maven git
+git clone https://github.com/cryptomator/cryptomator.git
+cd cryptomator/main
+git checkout 0.7.1
+mvn clean install -Pdebian
+```
 
 ## License
 
-Distributed under the MIT license. See the LICENSE file for more info.
-
-[![Build Status](https://travis-ci.org/totalvoidness/cryptomator.svg?branch=master)](https://travis-ci.org/totalvoidness/cryptomator)
+Distributed under the MIT X Consortium license. See the LICENSE file for more info.

main/core/pom.xml

@@ -12,14 +12,14 @@
 	<parent>
 		<groupId>org.cryptomator</groupId>
 		<artifactId>main</artifactId>
-		<version>0.3.0-SNAPSHOT</version>
+		<version>0.7.2</version>
 	</parent>
 	<artifactId>core</artifactId>
-	<name>Cryptomator core I/O module</name>
+	<name>Cryptomator WebDAV and I/O module</name>
 
 	<properties>
-		<jetty.version>9.2.5.v20141112</jetty.version>
-		<jackrabbit.version>2.9.0</jackrabbit.version>
+		<jetty.version>9.2.10.v20150310</jetty.version>
+		<jackrabbit.version>2.10.1</jackrabbit.version>
 		<commons.transaction.version>1.2</commons.transaction.version>
 		<jta.version>1.1</jta.version>
 	</properties>
@@ -48,7 +48,13 @@
 			<artifactId>jackrabbit-webdav</artifactId>
 			<version>${jackrabbit.version}</version>
 		</dependency>
-
+	
+		<!-- Guava -->
+		<dependency>
+			<groupId>com.google.guava</groupId>
+			<artifactId>guava</artifactId>
+		</dependency>
+	
 		<!-- I/O -->
 		<dependency>
 			<groupId>commons-io</groupId>
@@ -58,9 +64,11 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
 		</dependency>
+		
+		<!-- JSON -->
 		<dependency>
-			<groupId>org.apache.commons</groupId>
-			<artifactId>commons-collections4</artifactId>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
 		</dependency>
 	</dependencies>
 </project>

main/core/src/main/java/org/cryptomator/files/EncryptingFileVisitor.java

@@ -1,83 +0,0 @@
-package org.cryptomator.files;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.channels.SeekableByteChannel;
-import java.nio.file.FileVisitResult;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.SimpleFileVisitor;
-import java.nio.file.StandardCopyOption;
-import java.nio.file.StandardOpenOption;
-import java.nio.file.attribute.BasicFileAttributes;
-
-import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.crypto.CryptorIOSupport;
-
-public class EncryptingFileVisitor extends SimpleFileVisitor<Path> implements CryptorIOSupport {
-
-	private final Path rootDir;
-	private final Cryptor cryptor;
-	private final EncryptionDecider encryptionDecider;
-	private Path currentDir;
-
-	public EncryptingFileVisitor(Path rootDir, Cryptor cryptor, EncryptionDecider encryptionDecider) {
-		this.rootDir = rootDir;
-		this.cryptor = cryptor;
-		this.encryptionDecider = encryptionDecider;
-	}
-
-	@Override
-	public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException {
-		if (rootDir.equals(dir) || encryptionDecider.shouldEncrypt(dir)) {
-			this.currentDir = dir;
-			return FileVisitResult.CONTINUE;
-		} else {
-			return FileVisitResult.SKIP_SUBTREE;
-		}
-	}
-
-	@Override
-	public FileVisitResult visitFile(Path plaintextFile, BasicFileAttributes attrs) throws IOException {
-		if (encryptionDecider.shouldEncrypt(plaintextFile)) {
-			final String plaintextName = plaintextFile.getFileName().toString();
-			final String encryptedName = cryptor.encryptPath(plaintextName, '/', '/', this);
-			final Path encryptedPath = plaintextFile.resolveSibling(encryptedName);
-			final InputStream plaintextIn = Files.newInputStream(plaintextFile, StandardOpenOption.READ);
-			final SeekableByteChannel ciphertextOut = Files.newByteChannel(encryptedPath, StandardOpenOption.WRITE, StandardOpenOption.CREATE_NEW);
-			cryptor.encryptFile(plaintextIn, ciphertextOut);
-			Files.delete(plaintextFile);
-		}
-		return FileVisitResult.CONTINUE;
-	}
-
-	@Override
-	public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException {
-		if (encryptionDecider.shouldEncrypt(dir)) {
-			final String plaintext = dir.getFileName().toString();
-			final String encrypted = cryptor.encryptPath(plaintext, '/', '/', this);
-			final Path newPath = dir.resolveSibling(encrypted);
-			Files.move(dir, newPath, StandardCopyOption.ATOMIC_MOVE);
-		}
-		return FileVisitResult.CONTINUE;
-	}
-
-	@Override
-	public void writePathSpecificMetadata(String metadataFile, byte[] encryptedMetadata) throws IOException {
-		final Path path = currentDir.resolve(metadataFile);
-		Files.write(path, encryptedMetadata, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.DSYNC);
-	}
-
-	@Override
-	public byte[] readPathSpecificMetadata(String metadataFile) throws IOException {
-		final Path path = currentDir.resolve(metadataFile);
-		return Files.readAllBytes(path);
-	}
-
-	/* callback */
-
-	public interface EncryptionDecider {
-		boolean shouldEncrypt(Path path);
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/WebDavServer.java

@@ -8,16 +8,25 @@
  ******************************************************************************/
 package org.cryptomator.webdav;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.UUID;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
 
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.crypto.Cryptor;
 import org.cryptomator.webdav.jackrabbit.WebDavServlet;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.ContextHandlerCollection;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.component.LifeCycle;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.util.thread.ThreadPool;
 import org.slf4j.Logger;
@@ -26,45 +35,37 @@ import org.slf4j.LoggerFactory;
 public final class WebDavServer {
 
 	private static final Logger LOG = LoggerFactory.getLogger(WebDavServer.class);
-	private static final String LOCALHOST = "::1";
+	private static final String LOCALHOST = SystemUtils.IS_OS_WINDOWS ? "::1" : "localhost";
 	private static final int MAX_PENDING_REQUESTS = 200;
 	private static final int MAX_THREADS = 200;
 	private static final int MIN_THREADS = 4;
 	private static final int THREAD_IDLE_SECONDS = 20;
 	private final Server server;
-	private int port;
+	private final ServerConnector localConnector;
+	private final ContextHandlerCollection servletCollection;
 
 	public WebDavServer() {
 		final BlockingQueue<Runnable> queue = new LinkedBlockingQueue<>(MAX_PENDING_REQUESTS);
 		final ThreadPool tp = new QueuedThreadPool(MAX_THREADS, MIN_THREADS, THREAD_IDLE_SECONDS, queue);
 		server = new Server(tp);
+		localConnector = new ServerConnector(server);
+		localConnector.setHost(LOCALHOST);
+		servletCollection = new ContextHandlerCollection();
+
+		final ServletContextHandler servletContext = new ServletContextHandler(servletCollection, "/", ServletContextHandler.NO_SESSIONS);
+		final ServletHolder servlet = new ServletHolder(WindowsSucksServlet.class);
+		servletContext.addServlet(servlet, "/");
+
+		server.setConnectors(new Connector[] {localConnector});
+		server.setHandler(servletCollection);
 	}
 
-	/**
-	 * @param workDir Path of encrypted folder.
-	 * @param cryptor A fully initialized cryptor instance ready to en- or decrypt streams.
-	 * @return <code>true</code> upon success
-	 */
-	public synchronized boolean start(final String workDir, final Cryptor cryptor) {
-		final ServerConnector connector = new ServerConnector(server);
-		connector.setHost(LOCALHOST);
-
-		final String contextPath = "/";
-		final String servletPathSpec = "/*";
-
-		final ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
-		context.addServlet(getWebDavServletHolder(workDir, contextPath, cryptor), servletPathSpec);
-		context.setContextPath(contextPath);
-		server.setHandler(context);
-
+	public synchronized void start() {
 		try {
-			server.setConnectors(new Connector[] {connector});
 			server.start();
-			port = connector.getLocalPort();
-			return true;
+			LOG.info("Cryptomator is running on port {}", getPort());
 		} catch (Exception ex) {
-			LOG.error("Server couldn't be started", ex);
-			return false;
+			throw new RuntimeException("Server couldn't be started", ex);
 		}
 	}
 
@@ -72,25 +73,102 @@ public final class WebDavServer {
 		return server.isRunning();
 	}
 
-	public synchronized boolean stop() {
+	public synchronized void stop() {
 		try {
 			server.stop();
-			port = 0;
 		} catch (Exception ex) {
 			LOG.error("Server couldn't be stopped", ex);
 		}
-		return server.isStopped();
 	}
 
-	private ServletHolder getWebDavServletHolder(final String workDir, final String contextPath, final Cryptor cryptor) {
-		final ServletHolder result = new ServletHolder("Cryptomator-WebDAV-Servlet", new WebDavServlet(cryptor));
+	/**
+	 * @param workDir Path of encrypted folder.
+	 * @param cryptor A fully initialized cryptor instance ready to en- or decrypt streams.
+	 * @param failingMacCollection A (observable, thread-safe) collection, to which the names of resources are written, whose MAC
+	 *            authentication fails.
+	 * @param name The name of the folder. Must be non-empty and only contain any of
+	 *            _ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
+	 * @return servlet
+	 */
+	public ServletLifeCycleAdapter createServlet(final Path workDir, final Cryptor cryptor, final Collection<String> failingMacCollection, final String name) {
+		try {
+			if (StringUtils.isEmpty(name)) {
+				throw new IllegalArgumentException("name empty");
+			}
+			if (!StringUtils.containsOnly(name, "_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")) {
+				throw new IllegalArgumentException("name contains illegal characters: " + name);
+			}
+			final URI uri = new URI(null, null, localConnector.getHost(), localConnector.getLocalPort(), "/" + UUID.randomUUID().toString() + "/" + name, null, null);
+
+			final ServletContextHandler servletContext = new ServletContextHandler(servletCollection, uri.getRawPath(), ServletContextHandler.SESSIONS);
+			final ServletHolder servlet = getWebDavServletHolder(workDir.toString(), cryptor, failingMacCollection);
+			servletContext.addServlet(servlet, "/*");
+
+			servletCollection.mapContexts();
+
+			LOG.debug("{} available on http:{}", workDir, uri.getRawSchemeSpecificPart());
+			return new ServletLifeCycleAdapter(servletContext, uri);
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("Invalid hard-coded URI components.", e);
+		}
+	}
+
+	private ServletHolder getWebDavServletHolder(final String workDir, final Cryptor cryptor, final Collection<String> failingMacCollection) {
+		final ServletHolder result = new ServletHolder("Cryptomator-WebDAV-Servlet", new WebDavServlet(cryptor, failingMacCollection));
 		result.setInitParameter(WebDavServlet.CFG_FS_ROOT, workDir);
-		result.setInitParameter(WebDavServlet.CFG_HTTP_ROOT, contextPath);
 		return result;
 	}
 
 	public int getPort() {
-		return port;
+		return localConnector.getLocalPort();
+	}
+
+	/**
+	 * Exposes implementation-specific methods to other modules.
+	 */
+	public class ServletLifeCycleAdapter implements AutoCloseable {
+
+		private final LifeCycle lifecycle;
+		private final URI servletUri;
+
+		private ServletLifeCycleAdapter(LifeCycle lifecycle, URI servletUri) {
+			this.lifecycle = lifecycle;
+			this.servletUri = servletUri;
+		}
+
+		public boolean isRunning() {
+			return lifecycle.isRunning();
+		}
+
+		public boolean start() {
+			try {
+				lifecycle.start();
+				return true;
+			} catch (Exception e) {
+				LOG.error("Failed to start", e);
+				return false;
+			}
+		}
+
+		public boolean stop() {
+			try {
+				lifecycle.stop();
+				return true;
+			} catch (Exception e) {
+				LOG.error("Failed to stop", e);
+				return false;
+			}
+		}
+
+		public URI getServletUri() {
+			return servletUri;
+		}
+
+		@Override
+		public void close() throws Exception {
+			this.stop();
+		}
+
 	}
 
 }

main/core/src/main/java/org/cryptomator/webdav/WindowsSucksServlet.java

@@ -0,0 +1,31 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.webdav;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Windows mount attempts will fail, if not all requests on parent paths of a WebDAV resource get served. This servlet will respond to any
+ * request with status code 200, if the requested resource doesn't match a different servlet.
+ */
+public class WindowsSucksServlet extends HttpServlet {
+
+	private static final long serialVersionUID = -515280795196074354L;
+
+	@Override
+	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+		resp.setStatus(HttpServletResponse.SC_OK);
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/exceptions/DecryptFailedRuntimeException.java

@@ -0,0 +1,23 @@
+package org.cryptomator.webdav.exceptions;
+
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+
+public class DecryptFailedRuntimeException extends RuntimeException {
+
+	private static final long serialVersionUID = -2726689824823439865L;
+
+	public DecryptFailedRuntimeException(DecryptFailedException cause) {
+		super(cause);
+	}
+
+	@Override
+	public String getMessage() {
+		return getCause().getMessage();
+	}
+
+	@Override
+	public String getLocalizedMessage() {
+		return getCause().getLocalizedMessage();
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/exceptions/IORuntimeException.java

@@ -14,8 +14,8 @@ public class IORuntimeException extends RuntimeException {
 
 	private static final long serialVersionUID = -4713080133052143303L;
 
-	public IORuntimeException(IOException ioException) {
-		super(ioException);
+	public IORuntimeException(IOException cause) {
+		super(cause);
 	}
 
 	@Override

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/AbstractEncryptedNode.java

@@ -6,19 +6,21 @@
  * Contributors:
  *     Sebastian Stenzel - initial API and implementation
  ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
+package org.cryptomator.webdav.jackrabbit;
 
 import java.io.IOException;
-import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
+import java.nio.file.LinkOption;
 import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.BasicFileAttributeView;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.nio.file.attribute.FileTime;
+import java.util.Arrays;
 import java.util.List;
 
 import org.apache.commons.io.FilenameUtils;
 import org.apache.jackrabbit.webdav.DavException;
 import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
 import org.apache.jackrabbit.webdav.DavResourceLocator;
 import org.apache.jackrabbit.webdav.DavServletResponse;
 import org.apache.jackrabbit.webdav.DavSession;
@@ -32,6 +34,7 @@ import org.apache.jackrabbit.webdav.property.DavProperty;
 import org.apache.jackrabbit.webdav.property.DavPropertyName;
 import org.apache.jackrabbit.webdav.property.DavPropertyNameSet;
 import org.apache.jackrabbit.webdav.property.DavPropertySet;
+import org.apache.jackrabbit.webdav.property.DefaultDavProperty;
 import org.apache.jackrabbit.webdav.property.PropEntry;
 import org.cryptomator.crypto.Cryptor;
 import org.cryptomator.webdav.exceptions.IORuntimeException;
@@ -42,22 +45,34 @@ abstract class AbstractEncryptedNode implements DavResource {
 
 	private static final Logger LOG = LoggerFactory.getLogger(AbstractEncryptedNode.class);
 	private static final String DAV_COMPLIANCE_CLASSES = "1, 2";
+	private static final String[] DAV_CREATIONDATE_PROPNAMES = {DavPropertyName.CREATIONDATE.getName(), "Win32CreationTime"};
+	private static final String[] DAV_MODIFIEDDATE_PROPNAMES = {DavPropertyName.GETLASTMODIFIED.getName(), "Win32LastModifiedTime"};
 
-	protected final DavResourceFactory factory;
+	protected final CryptoResourceFactory factory;
 	protected final DavResourceLocator locator;
 	protected final DavSession session;
 	protected final LockManager lockManager;
 	protected final Cryptor cryptor;
+	protected final Path filePath;
 	protected final DavPropertySet properties;
 
-	protected AbstractEncryptedNode(DavResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor) {
+	protected AbstractEncryptedNode(CryptoResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor, Path filePath) {
 		this.factory = factory;
 		this.locator = locator;
 		this.session = session;
 		this.lockManager = lockManager;
 		this.cryptor = cryptor;
+		this.filePath = filePath;
 		this.properties = new DavPropertySet();
-		this.determineProperties();
+		if (filePath != null && Files.exists(filePath)) {
+			try {
+				final BasicFileAttributes attrs = Files.readAttributes(filePath, BasicFileAttributes.class);
+				properties.add(new DefaultDavProperty<String>(DavPropertyName.CREATIONDATE, FileTimeUtils.toRfc1123String(attrs.creationTime())));
+				properties.add(new DefaultDavProperty<String>(DavPropertyName.GETLASTMODIFIED, FileTimeUtils.toRfc1123String(attrs.lastModifiedTime())));
+			} catch (IOException e) {
+				LOG.error("Error determining metadata " + filePath.toString(), e);
+			}
+		}
 	}
 
 	@Override
@@ -72,8 +87,7 @@ abstract class AbstractEncryptedNode implements DavResource {
 
 	@Override
 	public boolean exists() {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
-		return Files.exists(path);
+		return Files.exists(filePath);
 	}
 
 	@Override
@@ -104,16 +118,13 @@ abstract class AbstractEncryptedNode implements DavResource {
 
 	@Override
 	public long getModificationTime() {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
 		try {
-			return Files.getLastModifiedTime(path).toMillis();
+			return Files.getLastModifiedTime(filePath).toMillis();
 		} catch (IOException e) {
 			return -1;
 		}
 	}
 
-	protected abstract void determineProperties();
-
 	@Override
 	public DavPropertyName[] getPropertyNames() {
 		return getProperties().getPropertyNames();
@@ -132,6 +143,29 @@ abstract class AbstractEncryptedNode implements DavResource {
 	@Override
 	public void setProperty(DavProperty<?> property) throws DavException {
 		getProperties().add(property);
+
+		LOG.trace("Set property {}", property.getName());
+		
+		final String namespacelessPropertyName = property.getName().getName();
+		if (Files.exists(filePath)) {
+			try {
+				if (Arrays.asList(DAV_CREATIONDATE_PROPNAMES).contains(namespacelessPropertyName) && property.getValue() instanceof String) {
+					final String createDateStr = (String) property.getValue();
+					final FileTime createTime = FileTimeUtils.fromRfc1123String(createDateStr);
+					final BasicFileAttributeView attrView = Files.getFileAttributeView(filePath, BasicFileAttributeView.class, LinkOption.NOFOLLOW_LINKS);
+					attrView.setTimes(null, null, createTime);
+					LOG.debug("Updating Creation Date: {}", createTime.toString());
+				} else if (Arrays.asList(DAV_MODIFIEDDATE_PROPNAMES).contains(namespacelessPropertyName) && property.getValue() instanceof String) {
+					final String lastModifiedTimeStr = (String) property.getValue();
+					final FileTime lastModifiedTime = FileTimeUtils.fromRfc1123String(lastModifiedTimeStr);
+					final BasicFileAttributeView attrView = Files.getFileAttributeView(filePath, BasicFileAttributeView.class, LinkOption.NOFOLLOW_LINKS);
+					attrView.setTimes(lastModifiedTime, null, null);
+					LOG.debug("Updating Last Modified Date: {}", lastModifiedTime.toString());
+				}
+			} catch (IOException e) {
+				throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR);
+			}
+		}
 	}
 
 	@Override
@@ -162,7 +196,7 @@ abstract class AbstractEncryptedNode implements DavResource {
 			return null;
 		}
 
-		final String parentResource = FilenameUtils.getPath(locator.getResourcePath());
+		final String parentResource = FilenameUtils.getPathNoEndSeparator(locator.getResourcePath());
 		final DavResourceLocator parentLocator = locator.getFactory().createResourceLocator(locator.getPrefix(), locator.getWorkspacePath(), parentResource);
 		try {
 			return getFactory().createResource(parentLocator, session);
@@ -172,49 +206,37 @@ abstract class AbstractEncryptedNode implements DavResource {
 	}
 
 	@Override
-	public void move(DavResource dest) throws DavException {
-		final Path src = ResourcePathUtils.getPhysicalPath(this);
-		final Path dst = ResourcePathUtils.getPhysicalPath(dest);
-		try {
-			// check for conflicts:
-			if (Files.exists(dst) && Files.getLastModifiedTime(dst).toMillis() > Files.getLastModifiedTime(src).toMillis()) {
-				throw new DavException(DavServletResponse.SC_CONFLICT, "File at destination already exists: " + dst.toString());
-			}
-
-			// move:
+	public final void move(DavResource dest) throws DavException {
+		if (dest instanceof AbstractEncryptedNode) {
 			try {
-				Files.move(src, dst, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
-			} catch (AtomicMoveNotSupportedException e) {
-				Files.move(src, dst, StandardCopyOption.REPLACE_EXISTING);
+				this.move((AbstractEncryptedNode) dest);
+			} catch (IOException e) {
+				LOG.error("Error moving file from " + this.getResourcePath() + " to " + dest.getResourcePath());
+				throw new IORuntimeException(e);
 			}
-		} catch (IOException e) {
-			LOG.error("Error moving file from " + src.toString() + " to " + dst.toString());
-			throw new IORuntimeException(e);
+		} else {
+			throw new IllegalArgumentException("Unsupported resource type: " + dest.getClass().getName());
 		}
 	}
 
+	public abstract void move(AbstractEncryptedNode dest) throws DavException, IOException;
+
 	@Override
-	public void copy(DavResource dest, boolean shallow) throws DavException {
-		final Path src = ResourcePathUtils.getPhysicalPath(this);
-		final Path dst = ResourcePathUtils.getPhysicalPath(dest);
-		try {
-			// check for conflicts:
-			if (Files.exists(dst) && Files.getLastModifiedTime(dst).toMillis() > Files.getLastModifiedTime(src).toMillis()) {
-				throw new DavException(DavServletResponse.SC_CONFLICT, "File at destination already exists: " + dst.toString());
-			}
-
-			// copy:
+	public final void copy(DavResource dest, boolean shallow) throws DavException {
+		if (dest instanceof AbstractEncryptedNode) {
 			try {
-				Files.copy(src, dst, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
-			} catch (AtomicMoveNotSupportedException e) {
-				Files.copy(src, dst, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING);
+				this.copy((AbstractEncryptedNode) dest, shallow);
+			} catch (IOException e) {
+				LOG.error("Error copying file from " + this.getResourcePath() + " to " + dest.getResourcePath());
+				throw new IORuntimeException(e);
 			}
-		} catch (IOException e) {
-			LOG.error("Error copying file from " + src.toString() + " to " + dst.toString());
-			throw new IORuntimeException(e);
+		} else {
+			throw new IllegalArgumentException("Unsupported resource type: " + dest.getClass().getName());
 		}
 	}
 
+	public abstract void copy(AbstractEncryptedNode dest, boolean shallow) throws DavException, IOException;
+
 	@Override
 	public boolean isLockable(Type type, Scope scope) {
 		return true;
@@ -257,7 +279,7 @@ abstract class AbstractEncryptedNode implements DavResource {
 	}
 
 	@Override
-	public DavResourceFactory getFactory() {
+	public CryptoResourceFactory getFactory() {
 		return factory;
 	}
 

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/AbstractSessionAwareWebDavResourceFactory.java

@@ -1,36 +0,0 @@
-package org.cryptomator.webdav.jackrabbit;
-
-import org.apache.jackrabbit.webdav.DavException;
-import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-import org.apache.jackrabbit.webdav.DavServletRequest;
-import org.apache.jackrabbit.webdav.DavServletResponse;
-import org.apache.jackrabbit.webdav.DavSession;
-
-abstract class AbstractSessionAwareWebDavResourceFactory implements DavResourceFactory {
-
-	@Override
-	public DavResource createResource(DavResourceLocator locator, DavServletRequest request, DavServletResponse response) throws DavException {
-		final DavSession session = request.getDavSession();
-		if (session != null && session instanceof WebDavSession) {
-			return createDavResource(locator, (WebDavSession) session, request, response);
-		} else {
-			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, "Unsupported session type.");
-		}
-	}
-
-	protected abstract DavResource createDavResource(DavResourceLocator locator, WebDavSession session, DavServletRequest request, DavServletResponse response) throws DavException;
-
-	@Override
-	public DavResource createResource(DavResourceLocator locator, DavSession session) throws DavException {
-		if (session != null && session instanceof WebDavSession) {
-			return createDavResource(locator, (WebDavSession) session);
-		} else {
-			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, "Unsupported session type.");
-		}
-	}
-
-	protected abstract DavResource createDavResource(DavResourceLocator locator, WebDavSession session);
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/BidiLRUMap.java

@@ -1,24 +0,0 @@
-package org.cryptomator.webdav.jackrabbit;
-
-import java.util.Map;
-
-import org.apache.commons.collections4.BidiMap;
-import org.apache.commons.collections4.bidimap.AbstractDualBidiMap;
-import org.apache.commons.collections4.map.LRUMap;
-
-final class BidiLRUMap<K, V> extends AbstractDualBidiMap<K, V> {
-
-	BidiLRUMap(int maxSize) {
-		super(new LRUMap<K, V>(maxSize), new LRUMap<V, K>(maxSize));
-	}
-
-	protected BidiLRUMap(final Map<K, V> normalMap, final Map<V, K> reverseMap, final BidiMap<V, K> inverseBidiMap) {
-		super(normalMap, reverseMap, inverseBidiMap);
-	}
-
-	@Override
-	protected BidiMap<V, K> createBidiMap(Map<V, K> normalMap, Map<K, V> reverseMap, BidiMap<K, V> inverseMap) {
-		return new BidiLRUMap<V, K>(normalMap, reverseMap, inverseMap);
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/CleartextLocatorFactory.java

@@ -0,0 +1,126 @@
+package org.cryptomator.webdav.jackrabbit;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.jackrabbit.webdav.DavLocatorFactory;
+import org.apache.jackrabbit.webdav.DavResourceLocator;
+import org.apache.jackrabbit.webdav.util.EncodeUtil;
+import org.apache.logging.log4j.util.Strings;
+
+public class CleartextLocatorFactory implements DavLocatorFactory {
+
+	private final String pathPrefix;
+
+	public CleartextLocatorFactory(String pathPrefix) {
+		this.pathPrefix = pathPrefix;
+	}
+
+	// resourcePath == repositoryPath. No encryption here.
+
+	@Override
+	public DavResourceLocator createResourceLocator(String prefix, String href) {
+		final String fullPrefix = prefix.endsWith("/") ? prefix : prefix + "/";
+		final String relativeHref = StringUtils.removeStart(href, fullPrefix);
+
+		final String relativeCleartextPath = EncodeUtil.unescape(StringUtils.removeStart(relativeHref, "/"));
+		return new CleartextLocator(relativeCleartextPath);
+	}
+
+	@Override
+	public DavResourceLocator createResourceLocator(String prefix, String workspacePath, String resourcePath) {
+		return new CleartextLocator(resourcePath);
+	}
+
+	@Override
+	public DavResourceLocator createResourceLocator(String prefix, String workspacePath, String path, boolean isResourcePath) {
+		return new CleartextLocator(path);
+	}
+
+	private class CleartextLocator implements DavResourceLocator {
+
+		private final String relativeCleartextPath;
+
+		private CleartextLocator(String relativeCleartextPath) {
+			this.relativeCleartextPath = FilenameUtils.normalizeNoEndSeparator(relativeCleartextPath, true);
+		}
+
+		@Override
+		public String getPrefix() {
+			return pathPrefix;
+		}
+
+		@Override
+		public String getResourcePath() {
+			return relativeCleartextPath;
+		}
+
+		@Override
+		public String getWorkspacePath() {
+			return null;
+		}
+
+		@Override
+		public String getWorkspaceName() {
+			return null;
+		}
+
+		@Override
+		public boolean isSameWorkspace(DavResourceLocator locator) {
+			return false;
+		}
+
+		@Override
+		public boolean isSameWorkspace(String workspaceName) {
+			return false;
+		}
+
+		@Override
+		public String getHref(boolean isCollection) {
+			final String encodedResourcePath = EncodeUtil.escapePath(getResourcePath());
+			final String fullPrefix = pathPrefix.endsWith("/") ? pathPrefix : pathPrefix + "/";
+			final String href = fullPrefix.concat(encodedResourcePath);
+			assert !href.endsWith("/");
+			if (isCollection) {
+				return href.concat("/");
+			} else {
+				return href;
+			}
+		}
+
+		@Override
+		public boolean isRootLocation() {
+			return Strings.isEmpty(relativeCleartextPath);
+		}
+
+		@Override
+		public DavLocatorFactory getFactory() {
+			return CleartextLocatorFactory.this;
+		}
+
+		@Override
+		public String getRepositoryPath() {
+			return relativeCleartextPath;
+		}
+
+		@Override
+		public String toString() {
+			return "Locator: " + relativeCleartextPath + " (Prefix: " + pathPrefix + ")";
+		}
+
+		@Override
+		public int hashCode() {
+			return relativeCleartextPath.hashCode();
+		}
+
+		@Override
+		public boolean equals(Object obj) {
+			if (obj instanceof CleartextLocator) {
+				final CleartextLocator other = (CleartextLocator) obj;
+				return relativeCleartextPath == null && other.relativeCleartextPath == null || relativeCleartextPath.equals(other.relativeCleartextPath);
+			} else {
+				return false;
+			}
+		}
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/CryptoResourceFactory.java

@@ -0,0 +1,185 @@
+package org.cryptomator.webdav.jackrabbit;
+
+import java.io.IOException;
+import java.nio.file.FileAlreadyExistsException;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.concurrent.ExecutorService;
+
+import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.jackrabbit.webdav.DavException;
+import org.apache.jackrabbit.webdav.DavMethods;
+import org.apache.jackrabbit.webdav.DavResource;
+import org.apache.jackrabbit.webdav.DavResourceFactory;
+import org.apache.jackrabbit.webdav.DavResourceLocator;
+import org.apache.jackrabbit.webdav.DavServletRequest;
+import org.apache.jackrabbit.webdav.DavServletResponse;
+import org.apache.jackrabbit.webdav.DavSession;
+import org.apache.jackrabbit.webdav.lock.LockManager;
+import org.apache.jackrabbit.webdav.lock.SimpleLockManager;
+import org.apache.logging.log4j.util.Strings;
+import org.cryptomator.crypto.Cryptor;
+import org.eclipse.jetty.http.HttpHeader;
+
+public class CryptoResourceFactory implements DavResourceFactory, FileConstants {
+
+	private final LockManager lockManager = new SimpleLockManager();
+	private final Cryptor cryptor;
+	private final CryptoWarningHandler cryptoWarningHandler;
+	private final ExecutorService backgroundTaskExecutor;
+	private final Path dataRoot;
+	private final FilenameTranslator filenameTranslator;
+
+	CryptoResourceFactory(Cryptor cryptor, CryptoWarningHandler cryptoWarningHandler, ExecutorService backgroundTaskExecutor, String vaultRoot) {
+		Path vaultRootPath = FileSystems.getDefault().getPath(vaultRoot);
+		this.cryptor = cryptor;
+		this.cryptoWarningHandler = cryptoWarningHandler;
+		this.backgroundTaskExecutor = backgroundTaskExecutor;
+		this.dataRoot = vaultRootPath.resolve("d");
+		this.filenameTranslator = new FilenameTranslator(cryptor, vaultRootPath);
+	}
+
+	@Override
+	public final DavResource createResource(DavResourceLocator locator, DavServletRequest request, DavServletResponse response) throws DavException {
+		if (locator.isRootLocation()) {
+			return createRootDirectory(locator, request.getDavSession());
+		}
+
+		final Path filePath = getEncryptedFilePath(locator.getResourcePath());
+		final Path dirFilePath = getEncryptedDirectoryFilePath(locator.getResourcePath());
+		final String rangeHeader = request.getHeader(HttpHeader.RANGE.asString());
+		if (Files.exists(dirFilePath) || DavMethods.METHOD_MKCOL.equals(request.getMethod())) {
+			return createDirectory(locator, request.getDavSession(), dirFilePath);
+		} else if (Files.exists(filePath) && DavMethods.METHOD_GET.equals(request.getMethod()) && rangeHeader != null) {
+			response.setStatus(HttpStatus.SC_PARTIAL_CONTENT);
+			return createFilePart(locator, request.getDavSession(), request, filePath);
+		} else if (Files.exists(filePath) || DavMethods.METHOD_PUT.equals(request.getMethod())) {
+			return createFile(locator, request.getDavSession(), filePath);
+		} else {
+			// e.g. for MOVE operations:
+			return createNonExisting(locator, request.getDavSession(), filePath, dirFilePath);
+		}
+	}
+
+	@Override
+	public final DavResource createResource(DavResourceLocator locator, DavSession session) throws DavException {
+		if (locator.isRootLocation()) {
+			return createRootDirectory(locator, session);
+		}
+
+		final Path filePath = getEncryptedFilePath(locator.getResourcePath());
+		final Path dirFilePath = getEncryptedDirectoryFilePath(locator.getResourcePath());
+		if (Files.exists(dirFilePath)) {
+			return createDirectory(locator, session, dirFilePath);
+		} else if (Files.exists(filePath)) {
+			return createFile(locator, session, filePath);
+		} else {
+			// e.g. for MOVE operations:
+			return createNonExisting(locator, session, filePath, dirFilePath);
+		}
+	}
+
+	DavResource createChildDirectoryResource(DavResourceLocator locator, DavSession session, Path existingDirectoryFile) throws DavException {
+		return createDirectory(locator, session, existingDirectoryFile);
+	}
+
+	DavResource createChildFileResource(DavResourceLocator locator, DavSession session, Path existingFile) throws DavException {
+		return createFile(locator, session, existingFile);
+	}
+
+	/**
+	 * @return Absolute file path for a given cleartext file resourcePath.
+	 * @throws IOException
+	 */
+	private Path getEncryptedFilePath(String relativeCleartextPath) throws DavException {
+		final String parentCleartextPath = FilenameUtils.getPathNoEndSeparator(relativeCleartextPath);
+		final Path parent = createEncryptedDirectoryPath(parentCleartextPath);
+		final String cleartextFilename = FilenameUtils.getName(relativeCleartextPath);
+		try {
+			final String encryptedFilename = filenameTranslator.getEncryptedFilename(cleartextFilename);
+			return parent.resolve(encryptedFilename);
+		} catch (IOException e) {
+			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, e);
+		}
+	}
+
+	/**
+	 * @return Absolute file path for a given cleartext file resourcePath.
+	 * @throws IOException
+	 */
+	private Path getEncryptedDirectoryFilePath(String relativeCleartextPath) throws DavException {
+		final String parentCleartextPath = FilenameUtils.getPathNoEndSeparator(relativeCleartextPath);
+		final Path parent = createEncryptedDirectoryPath(parentCleartextPath);
+		final String cleartextFilename = FilenameUtils.getName(relativeCleartextPath);
+		try {
+			final String encryptedFilename = filenameTranslator.getEncryptedDirFileName(cleartextFilename);
+			return parent.resolve(encryptedFilename);
+		} catch (IOException e) {
+			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, e);
+		}
+	}
+
+	/**
+	 * @return Absolute directory path for a given cleartext directory resourcePath.
+	 * @throws IOException
+	 */
+	private Path createEncryptedDirectoryPath(String relativeCleartextPath) throws DavException {
+		assert Strings.isEmpty(relativeCleartextPath) || !relativeCleartextPath.endsWith("/");
+		try {
+			final Path result;
+			if (Strings.isEmpty(relativeCleartextPath)) {
+				// root level
+				final String fixedRootDirectory = cryptor.encryptDirectoryPath("", FileSystems.getDefault().getSeparator());
+				result = dataRoot.resolve(fixedRootDirectory);
+			} else {
+				final String parentCleartextPath = FilenameUtils.getPathNoEndSeparator(relativeCleartextPath);
+				final Path parent = createEncryptedDirectoryPath(parentCleartextPath);
+				final String cleartextFilename = FilenameUtils.getName(relativeCleartextPath);
+				final String encryptedFilename = filenameTranslator.getEncryptedDirFileName(cleartextFilename);
+				final Path directoryFile = parent.resolve(encryptedFilename);
+				final String directoryId = filenameTranslator.getDirectoryId(directoryFile, true);
+				final String directory = cryptor.encryptDirectoryPath(directoryId, FileSystems.getDefault().getSeparator());
+				result = dataRoot.resolve(directory);
+			}
+			Files.createDirectories(result);
+			return result;
+		} catch (IOException e) {
+			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, e);
+		}
+	}
+
+	private EncryptedFile createFilePart(DavResourceLocator locator, DavSession session, DavServletRequest request, Path filePath) {
+		return new EncryptedFilePart(this, locator, session, request, lockManager, cryptor, cryptoWarningHandler, backgroundTaskExecutor, filePath);
+	}
+
+	private EncryptedFile createFile(DavResourceLocator locator, DavSession session, Path filePath) {
+		return new EncryptedFile(this, locator, session, lockManager, cryptor, cryptoWarningHandler, filePath);
+	}
+
+	private EncryptedDir createRootDirectory(DavResourceLocator locator, DavSession session) throws DavException {
+		final Path rootFile = dataRoot.resolve(ROOT_FILE);
+		final Path rootDir = filenameTranslator.getEncryptedDirectoryPath("");
+		try {
+			// make sure, root dir always exists.
+			// create dir first (because it fails silently, if alreay existing)
+			Files.createDirectories(rootDir);
+			Files.createFile(rootFile);
+		} catch (FileAlreadyExistsException e) {
+			// no-op
+		} catch (IOException e) {
+			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR);
+		}
+		return createDirectory(locator, session, dataRoot.resolve(ROOT_FILE));
+	}
+
+	private EncryptedDir createDirectory(DavResourceLocator locator, DavSession session, Path filePath) {
+		return new EncryptedDir(this, locator, session, lockManager, cryptor, filenameTranslator, filePath);
+	}
+
+	private NonExistingNode createNonExisting(DavResourceLocator locator, DavSession session, Path filePath, Path dirFilePath) {
+		return new NonExistingNode(this, locator, session, lockManager, cryptor, filePath, dirFilePath);
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/CryptoWarningHandler.java

@@ -0,0 +1,19 @@
+package org.cryptomator.webdav.jackrabbit;
+
+import java.util.Collection;
+
+class CryptoWarningHandler {
+
+	private final Collection<String> resourcesWithInvalidMac;
+
+	public CryptoWarningHandler(Collection<String> resourcesWithInvalidMac) {
+		this.resourcesWithInvalidMac = resourcesWithInvalidMac;
+	}
+
+	public void macAuthFailed(String resourceName) {
+		if (!resourcesWithInvalidMac.contains(resourceName)) {
+			resourcesWithInvalidMac.add(resourceName);
+		}
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/DavSessionImpl.java

@@ -8,49 +8,38 @@
  ******************************************************************************/
 package org.cryptomator.webdav.jackrabbit;
 
+import java.util.HashSet;
+
 import org.apache.jackrabbit.webdav.DavSession;
-import org.apache.jackrabbit.webdav.WebdavRequest;
 
-class WebDavSession implements DavSession {
-
-	private final WebdavRequest request;
-
-	WebDavSession(WebdavRequest request) {
-		this.request = request;
-	}
+class DavSessionImpl implements DavSession {
+	
+	private final HashSet<String> lockTokens = new HashSet<String>();
+	private final HashSet<Object> references = new HashSet<Object>();
 
 	@Override
 	public void addReference(Object reference) {
-		// TODO Auto-generated method stub
-
+		references.add(reference);
 	}
 
 	@Override
 	public void removeReference(Object reference) {
-		// TODO Auto-generated method stub
-
+		references.remove(reference);
 	}
 
 	@Override
 	public void addLockToken(String token) {
-		// TODO Auto-generated method stub
-
+		lockTokens.add(token);
 	}
 
 	@Override
 	public String[] getLockTokens() {
-		// TODO Auto-generated method stub
-		return null;
+		return lockTokens.toArray(new String[lockTokens.size()]);
 	}
 
 	@Override
 	public void removeLockToken(String token) {
-		// TODO Auto-generated method stub
-
-	}
-
-	public WebdavRequest getRequest() {
-		return request;
+		lockTokens.remove(token);
 	}
 
 }

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/DavSessionProviderImpl.java

@@ -9,21 +9,28 @@
 package org.cryptomator.webdav.jackrabbit;
 
 import org.apache.jackrabbit.webdav.DavException;
+import org.apache.jackrabbit.webdav.DavSession;
 import org.apache.jackrabbit.webdav.DavSessionProvider;
 import org.apache.jackrabbit.webdav.WebdavRequest;
 
-class WebDavSessionProvider implements DavSessionProvider {
+class DavSessionProviderImpl implements DavSessionProvider {
 
 	@Override
 	public boolean attachSession(WebdavRequest request) throws DavException {
 		// every request gets a session
-		request.setDavSession(new WebDavSession(request));
+		final DavSession session = new DavSessionImpl();
+		session.addReference(request);
+		request.setDavSession(session);
 		return true;
 	}
 
 	@Override
 	public void releaseSession(WebdavRequest request) {
-		// do nothing
+		final DavSession session = request.getDavSession();
+		if (session != null) {
+			session.removeReference(request);
+			request.setDavSession(null);
+		}
 	}
 
 }

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/EncryptedDir.java

@@ -0,0 +1,332 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.webdav.jackrabbit;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.channels.FileChannel;
+import java.nio.channels.FileLock;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.AtomicMoveNotSupportedException;
+import java.nio.file.DirectoryStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.StandardOpenOption;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.jackrabbit.webdav.DavException;
+import org.apache.jackrabbit.webdav.DavResource;
+import org.apache.jackrabbit.webdav.DavResourceIterator;
+import org.apache.jackrabbit.webdav.DavResourceIteratorImpl;
+import org.apache.jackrabbit.webdav.DavResourceLocator;
+import org.apache.jackrabbit.webdav.DavServletResponse;
+import org.apache.jackrabbit.webdav.DavSession;
+import org.apache.jackrabbit.webdav.io.InputContext;
+import org.apache.jackrabbit.webdav.io.OutputContext;
+import org.apache.jackrabbit.webdav.lock.LockManager;
+import org.apache.jackrabbit.webdav.property.DavPropertyName;
+import org.apache.jackrabbit.webdav.property.DefaultDavProperty;
+import org.apache.jackrabbit.webdav.property.ResourceType;
+import org.cryptomator.crypto.Cryptor;
+import org.cryptomator.crypto.exceptions.CounterOverflowException;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
+import org.cryptomator.webdav.exceptions.DavRuntimeException;
+import org.cryptomator.webdav.exceptions.IORuntimeException;
+import org.eclipse.jetty.util.StringUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+class EncryptedDir extends AbstractEncryptedNode implements FileConstants {
+
+	private static final Logger LOG = LoggerFactory.getLogger(EncryptedDir.class);
+	private final FilenameTranslator filenameTranslator;
+	private String directoryId;
+	private Path directoryPath;
+
+	public EncryptedDir(CryptoResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor, FilenameTranslator filenameTranslator, Path filePath) {
+		super(factory, locator, session, lockManager, cryptor, filePath);
+		this.filenameTranslator = filenameTranslator;
+		properties.add(new ResourceType(ResourceType.COLLECTION));
+		properties.add(new DefaultDavProperty<Integer>(DavPropertyName.ISCOLLECTION, 1));
+	}
+
+	/**
+	 * @return Path or <code>null</code>, if directory does not yet exist.
+	 */
+	protected synchronized String getDirectoryId() {
+		if (directoryId == null) {
+			try {
+				directoryId = filenameTranslator.getDirectoryId(filePath, false);
+			} catch (IOException e) {
+				throw new IORuntimeException(e);
+			}
+		}
+		return directoryId;
+	}
+
+	/**
+	 * @return Path or <code>null</code>, if directory does not yet exist.
+	 */
+	private synchronized Path getDirectoryPath() {
+		if (directoryPath == null) {
+			final String dirId = getDirectoryId();
+			if (dirId != null) {
+				directoryPath = filenameTranslator.getEncryptedDirectoryPath(directoryId);
+			}
+		}
+		return directoryPath;
+	}
+
+	@Override
+	public boolean isCollection() {
+		return true;
+	}
+
+	@Override
+	public long getModificationTime() {
+		try {
+			final Path dirPath = getDirectoryPath();
+			if (dirPath == null) {
+				return -1;
+			} else {
+				return Files.getLastModifiedTime(dirPath).toMillis();
+			}
+		} catch (IOException e) {
+			return -1;
+		}
+	}
+
+	@Override
+	public void addMember(DavResource resource, InputContext inputContext) throws DavException {
+		if (resource instanceof AbstractEncryptedNode) {
+			addMember((AbstractEncryptedNode) resource, inputContext);
+		} else {
+			throw new IllegalArgumentException("Unsupported resource type: " + resource.getClass().getName());
+		}
+	}
+
+	private void addMember(AbstractEncryptedNode childResource, InputContext inputContext) throws DavException {
+		if (childResource.isCollection()) {
+			this.addMemberDir(childResource.getLocator(), inputContext);
+		} else {
+			this.addMemberFile(childResource.getLocator(), inputContext);
+		}
+	}
+
+	private void addMemberDir(DavResourceLocator childLocator, InputContext inputContext) throws DavException {
+		final Path dirPath = getDirectoryPath();
+		if (dirPath == null) {
+			throw new DavException(DavServletResponse.SC_NOT_FOUND);
+		}
+		try {
+			final String cleartextDirName = FilenameUtils.getName(childLocator.getResourcePath());
+			final String ciphertextDirName = filenameTranslator.getEncryptedDirFileName(cleartextDirName);
+			final Path dirFilePath = dirPath.resolve(ciphertextDirName);
+			final String directoryId = filenameTranslator.getDirectoryId(dirFilePath, true);
+			final Path directoryPath = filenameTranslator.getEncryptedDirectoryPath(directoryId);
+			Files.createDirectories(directoryPath);
+		} catch (SecurityException e) {
+			throw new DavException(DavServletResponse.SC_FORBIDDEN, e);
+		} catch (IOException e) {
+			throw new DavException(DavServletResponse.SC_INTERNAL_SERVER_ERROR, e);
+		}
+	}
+
+	private void addMemberFile(DavResourceLocator childLocator, InputContext inputContext) throws DavException {
+		final Path dirPath = getDirectoryPath();
+		if (dirPath == null) {
+			throw new DavException(DavServletResponse.SC_NOT_FOUND);
+		}
+		try {
+			final String cleartextFilename = FilenameUtils.getName(childLocator.getResourcePath());
+			final String ciphertextFilename = filenameTranslator.getEncryptedFilename(cleartextFilename);
+			final Path filePath = dirPath.resolve(ciphertextFilename);
+			try (final FileChannel c = FileChannel.open(filePath, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING); final FileLock lock = c.lock(0L, FILE_HEADER_LENGTH, false)) {
+				cryptor.encryptFile(inputContext.getInputStream(), c);
+			} catch (SecurityException e) {
+				throw new DavException(DavServletResponse.SC_FORBIDDEN, e);
+			} catch (CounterOverflowException e) {
+				// lets indicate this to the client as a "file too big" error
+				throw new DavException(DavServletResponse.SC_INSUFFICIENT_SPACE_ON_RESOURCE, e);
+			} catch (EncryptFailedException e) {
+				LOG.error("Encryption failed for unknown reasons.", e);
+				throw new IllegalStateException("Encryption failed for unknown reasons.", e);
+			} finally {
+				IOUtils.closeQuietly(inputContext.getInputStream());
+			}
+		} catch (IOException e) {
+			LOG.error("Failed to create file.", e);
+			throw new IORuntimeException(e);
+		}
+	}
+
+	@Override
+	public DavResourceIterator getMembers() {
+		try {
+			final Path dirPath = getDirectoryPath();
+			if (dirPath == null) {
+				throw new DavException(DavServletResponse.SC_NOT_FOUND);
+			}
+			final DirectoryStream<Path> directoryStream = Files.newDirectoryStream(dirPath, DIRECTORY_CONTENT_FILTER);
+			final List<DavResource> result = new ArrayList<>();
+
+			for (final Path childPath : directoryStream) {
+				try {
+					final String cleartextFilename = filenameTranslator.getCleartextFilename(childPath.getFileName().toString());
+					final String cleartextFilepath = FilenameUtils.concat(getResourcePath(), cleartextFilename);
+					final DavResourceLocator childLocator = locator.getFactory().createResourceLocator(locator.getPrefix(), locator.getWorkspacePath(), cleartextFilepath);
+					final DavResource resource;
+					if (StringUtil.endsWithIgnoreCase(childPath.getFileName().toString(), DIR_EXT)) {
+						resource = factory.createChildDirectoryResource(childLocator, session, childPath);
+					} else {
+						assert StringUtil.endsWithIgnoreCase(childPath.getFileName().toString(), FILE_EXT);
+						resource = factory.createChildFileResource(childLocator, session, childPath);
+					}
+					result.add(resource);
+				} catch (DecryptFailedException e) {
+					LOG.warn("Decryption of resource failed: " + childPath);
+					continue;
+				}
+			}
+			return new DavResourceIteratorImpl(result);
+		} catch (IOException e) {
+			LOG.error("Exception during getMembers.", e);
+			throw new IORuntimeException(e);
+		} catch (DavException e) {
+			LOG.error("Exception during getMembers.", e);
+			throw new DavRuntimeException(e);
+		}
+	}
+
+	@Override
+	public void removeMember(DavResource member) throws DavException {
+		if (member instanceof AbstractEncryptedNode) {
+			removeMember((AbstractEncryptedNode) member);
+		} else {
+			throw new IllegalArgumentException("Unsupported resource type: " + member.getClass().getName());
+		}
+	}
+
+	private void removeMember(AbstractEncryptedNode member) throws DavException {
+		final Path dirPath = getDirectoryPath();
+		if (dirPath == null) {
+			throw new DavException(DavServletResponse.SC_NOT_FOUND);
+		}
+		try {
+			final String cleartextFilename = FilenameUtils.getName(member.getResourcePath());
+			final String ciphertextFilename;
+			if (member instanceof EncryptedDir) {
+				final EncryptedDir subDir = (EncryptedDir) member;
+				// remove sub-members recursively before deleting own directory
+				for (Iterator<DavResource> iterator = member.getMembers(); iterator.hasNext();) {
+					DavResource m = iterator.next();
+					member.removeMember(m);
+				}
+				final Path subDirPath = subDir.getDirectoryPath();
+				if (subDirPath != null) {
+					Files.deleteIfExists(subDirPath);
+				}
+				ciphertextFilename = filenameTranslator.getEncryptedDirFileName(cleartextFilename);
+			} else {
+				ciphertextFilename = filenameTranslator.getEncryptedFilename(cleartextFilename);
+			}
+			final Path memberPath = dirPath.resolve(ciphertextFilename);
+			Files.deleteIfExists(memberPath);
+		} catch (FileNotFoundException e) {
+			// no-op
+		} catch (IOException e) {
+			throw new IORuntimeException(e);
+		}
+	}
+
+	@Override
+	public void move(AbstractEncryptedNode dest) throws DavException, IOException {
+		// when moving a directory we only need to move the file (actual dir is ID-dependent and won't change)
+		final Path srcPath = filePath;
+		final Path dstPath;
+		if (dest instanceof NonExistingNode) {
+			dstPath = ((NonExistingNode) dest).getDirFilePath();
+		} else {
+			dstPath = dest.filePath;
+		}
+
+		// move:
+		Files.createDirectories(dstPath.getParent());
+		try {
+			Files.move(srcPath, dstPath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+		} catch (AtomicMoveNotSupportedException e) {
+			Files.move(srcPath, dstPath, StandardCopyOption.REPLACE_EXISTING);
+		}
+	}
+
+	@Override
+	public void copy(AbstractEncryptedNode dest, boolean shallow) throws DavException, IOException {
+		final Path dstDirFilePath;
+		if (dest instanceof NonExistingNode) {
+			dstDirFilePath = ((NonExistingNode) dest).getDirFilePath();
+		} else {
+			dstDirFilePath = dest.filePath;
+		}
+
+		// copy dirFile:
+		final String srcDirId = getDirectoryId();
+		if (srcDirId == null) {
+			throw new DavException(DavServletResponse.SC_NOT_FOUND);
+		}
+		final String dstDirId = UUID.randomUUID().toString();
+		try (final FileChannel c = FileChannel.open(dstDirFilePath, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.DSYNC); final FileLock lock = c.lock()) {
+			c.write(ByteBuffer.wrap(dstDirId.getBytes(StandardCharsets.UTF_8)));
+		}
+
+		// copy actual dir:
+		if (!shallow) {
+			copyDirectoryContents(srcDirId, dstDirId);
+		} else {
+			final Path dstDirPath = filenameTranslator.getEncryptedDirectoryPath(dstDirId);
+			Files.createDirectories(dstDirPath);
+		}
+	}
+
+	private void copyDirectoryContents(String srcDirId, String dstDirId) throws IOException {
+		final Path srcDirPath = filenameTranslator.getEncryptedDirectoryPath(srcDirId);
+		final Path dstDirPath = filenameTranslator.getEncryptedDirectoryPath(dstDirId);
+		Files.createDirectories(dstDirPath);
+		final DirectoryStream<Path> directoryStream = Files.newDirectoryStream(srcDirPath, DIRECTORY_CONTENT_FILTER);
+		for (final Path srcChildPath : directoryStream) {
+			final String childName = srcChildPath.getFileName().toString();
+			final Path dstChildPath = dstDirPath.resolve(childName);
+			if (StringUtils.endsWithIgnoreCase(childName, FILE_EXT)) {
+				try {
+					Files.copy(srcChildPath, dstChildPath, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+				} catch (AtomicMoveNotSupportedException e) {
+					Files.copy(srcChildPath, dstChildPath, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING);
+				}
+			} else if (StringUtils.endsWithIgnoreCase(childName, DIR_EXT)) {
+				final String srcSubdirId = filenameTranslator.getDirectoryId(srcChildPath, false);
+				final String dstSubdirId = filenameTranslator.getDirectoryId(dstChildPath, true);
+				copyDirectoryContents(srcSubdirId, dstSubdirId);
+			}
+		}
+	}
+
+	@Override
+	public void spool(OutputContext outputContext) throws IOException {
+		// do nothing
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/EncryptedFile.java

@@ -0,0 +1,151 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.webdav.jackrabbit;
+
+import java.io.EOFException;
+import java.io.IOException;
+import java.nio.channels.FileChannel;
+import java.nio.channels.FileLock;
+import java.nio.channels.OverlappingFileLockException;
+import java.nio.channels.SeekableByteChannel;
+import java.nio.file.AtomicMoveNotSupportedException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.StandardOpenOption;
+
+import org.apache.jackrabbit.webdav.DavException;
+import org.apache.jackrabbit.webdav.DavResource;
+import org.apache.jackrabbit.webdav.DavResourceIterator;
+import org.apache.jackrabbit.webdav.DavResourceLocator;
+import org.apache.jackrabbit.webdav.DavSession;
+import org.apache.jackrabbit.webdav.io.InputContext;
+import org.apache.jackrabbit.webdav.io.OutputContext;
+import org.apache.jackrabbit.webdav.lock.LockManager;
+import org.apache.jackrabbit.webdav.property.DavPropertyName;
+import org.apache.jackrabbit.webdav.property.DefaultDavProperty;
+import org.cryptomator.crypto.Cryptor;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.MacAuthenticationFailedException;
+import org.cryptomator.webdav.exceptions.IORuntimeException;
+import org.eclipse.jetty.http.HttpHeader;
+import org.eclipse.jetty.http.HttpHeaderValue;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+class EncryptedFile extends AbstractEncryptedNode implements FileConstants {
+
+	private static final Logger LOG = LoggerFactory.getLogger(EncryptedFile.class);
+
+	protected final CryptoWarningHandler cryptoWarningHandler;
+
+	public EncryptedFile(CryptoResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor, CryptoWarningHandler cryptoWarningHandler, Path filePath) {
+		super(factory, locator, session, lockManager, cryptor, filePath);
+		if (filePath == null) {
+			throw new IllegalArgumentException("filePath must not be null");
+		}
+		this.cryptoWarningHandler = cryptoWarningHandler;
+		if (Files.isRegularFile(filePath)) {
+			try (final FileChannel c = FileChannel.open(filePath, StandardOpenOption.READ, StandardOpenOption.DSYNC); final FileLock lock = c.tryLock(0L, FILE_HEADER_LENGTH, true)) {
+				final Long contentLength = cryptor.decryptedContentLength(c);
+				properties.add(new DefaultDavProperty<Long>(DavPropertyName.GETCONTENTLENGTH, contentLength));
+				if (contentLength > RANGE_REQUEST_LOWER_LIMIT) {
+					properties.add(new HttpHeaderProperty(HttpHeader.ACCEPT_RANGES.asString(), HttpHeaderValue.BYTES.asString()));
+				}
+			} catch (OverlappingFileLockException e) {
+				// file header currently locked, report -1 for unknown size.
+				properties.add(new DefaultDavProperty<Long>(DavPropertyName.GETCONTENTLENGTH, -1l));
+			} catch (IOException e) {
+				LOG.error("Error reading filesize " + filePath.toString(), e);
+				throw new IORuntimeException(e);
+			} catch (MacAuthenticationFailedException e) {
+				LOG.warn("Content length couldn't be determined due to MAC authentication violation.");
+				// don't add content length DAV property
+			}
+		}
+	}
+
+	@Override
+	public boolean isCollection() {
+		return false;
+	}
+
+	@Override
+	public void addMember(DavResource resource, InputContext inputContext) throws DavException {
+		throw new UnsupportedOperationException("Can not add member to file.");
+	}
+
+	@Override
+	public DavResourceIterator getMembers() {
+		throw new UnsupportedOperationException("Can not list members of file.");
+	}
+
+	@Override
+	public void removeMember(DavResource member) throws DavException {
+		throw new UnsupportedOperationException("Can not remove member to file.");
+	}
+
+	@Override
+	public void spool(OutputContext outputContext) throws IOException {
+		if (Files.isRegularFile(filePath)) {
+			outputContext.setModificationTime(Files.getLastModifiedTime(filePath).toMillis());
+			outputContext.setProperty(HttpHeader.ACCEPT_RANGES.asString(), HttpHeaderValue.BYTES.asString());
+			try (final SeekableByteChannel channel = Files.newByteChannel(filePath, StandardOpenOption.READ)) {
+				final Long contentLength = cryptor.decryptedContentLength(channel);
+				if (contentLength != null) {
+					outputContext.setContentLength(contentLength);
+				}
+				if (outputContext.hasStream()) {
+					cryptor.decryptFile(channel, outputContext.getOutputStream());
+				}
+			} catch (EOFException e) {
+				LOG.warn("Unexpected end of stream (possibly client hung up).");
+			} catch (MacAuthenticationFailedException e) {
+				cryptoWarningHandler.macAuthFailed(getLocator().getResourcePath());
+			} catch (DecryptFailedException e) {
+				throw new IOException("Error decrypting file " + filePath.toString(), e);
+			}
+		}
+	}
+
+	@Override
+	public void move(AbstractEncryptedNode dest) throws DavException, IOException {
+		final Path srcPath = filePath;
+		final Path dstPath;
+		if (dest instanceof NonExistingNode) {
+			dstPath = ((NonExistingNode) dest).getFilePath();
+		} else {
+			dstPath = dest.filePath;
+		}
+
+		try {
+			Files.move(srcPath, dstPath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+		} catch (AtomicMoveNotSupportedException e) {
+			Files.move(srcPath, dstPath, StandardCopyOption.REPLACE_EXISTING);
+		}
+	}
+
+	@Override
+	public void copy(AbstractEncryptedNode dest, boolean shallow) throws DavException, IOException {
+		final Path srcPath = filePath;
+		final Path dstPath;
+		if (dest instanceof NonExistingNode) {
+			dstPath = ((NonExistingNode) dest).getFilePath();
+		} else {
+			dstPath = dest.filePath;
+		}
+
+		try {
+			Files.copy(srcPath, dstPath, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
+		} catch (AtomicMoveNotSupportedException e) {
+			Files.copy(srcPath, dstPath, StandardCopyOption.COPY_ATTRIBUTES, StandardCopyOption.REPLACE_EXISTING);
+		}
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/EncryptedFilePart.java

@@ -1,42 +1,47 @@
-package org.cryptomator.webdav.jackrabbit.resources;
+package org.cryptomator.webdav.jackrabbit;
 
 import java.io.EOFException;
 import java.io.IOException;
+import java.nio.channels.ClosedByInterruptException;
 import java.nio.channels.SeekableByteChannel;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardOpenOption;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.TimeUnit;
 
-import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.ImmutablePair;
 import org.apache.commons.lang3.tuple.MutablePair;
 import org.apache.commons.lang3.tuple.Pair;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
 import org.apache.jackrabbit.webdav.DavResourceLocator;
 import org.apache.jackrabbit.webdav.DavServletRequest;
 import org.apache.jackrabbit.webdav.DavSession;
 import org.apache.jackrabbit.webdav.io.OutputContext;
 import org.apache.jackrabbit.webdav.lock.LockManager;
 import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.webdav.exceptions.IORuntimeException;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
 import org.eclipse.jetty.http.HttpHeader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+
 /**
  * Delivers only the requested range of bytes from a file.
  * 
  * @see {@link https://tools.ietf.org/html/rfc7233#section-4}
  */
-public class EncryptedFilePart extends EncryptedFile {
+class EncryptedFilePart extends EncryptedFile {
 
 	private static final Logger LOG = LoggerFactory.getLogger(EncryptedFilePart.class);
 	private static final String BYTE_UNIT_PREFIX = "bytes=";
 	private static final char RANGE_SET_SEP = ',';
 	private static final char RANGE_SEP = '-';
+	private static final Cache<DavResourceLocator, MacAuthenticationJob> cachedMacAuthenticationJobs = CacheBuilder.newBuilder().expireAfterWrite(10, TimeUnit.MINUTES).build();
 
 	/**
 	 * e.g. range -500 (gets the last 500 bytes) -> (-1, 500)
@@ -50,13 +55,23 @@ public class EncryptedFilePart extends EncryptedFile {
 
 	private final Set<Pair<Long, Long>> requestedContentRanges = new HashSet<Pair<Long, Long>>();
 
-	public EncryptedFilePart(DavResourceFactory factory, DavResourceLocator locator, DavSession session, DavServletRequest request, LockManager lockManager, Cryptor cryptor) {
-		super(factory, locator, session, lockManager, cryptor);
+	public EncryptedFilePart(CryptoResourceFactory factory, DavResourceLocator locator, DavSession session, DavServletRequest request, LockManager lockManager, Cryptor cryptor, CryptoWarningHandler cryptoWarningHandler,
+			ExecutorService backgroundTaskExecutor, Path filePath) {
+		super(factory, locator, session, lockManager, cryptor, cryptoWarningHandler, filePath);
 		final String rangeHeader = request.getHeader(HttpHeader.RANGE.asString());
 		if (rangeHeader == null) {
 			throw new IllegalArgumentException("HTTP request doesn't contain a range header");
 		}
 		determineByteRanges(rangeHeader);
+
+		synchronized (cachedMacAuthenticationJobs) {
+			if (cachedMacAuthenticationJobs.getIfPresent(locator) == null) {
+				final MacAuthenticationJob macAuthJob = new MacAuthenticationJob(locator);
+				cachedMacAuthenticationJobs.put(locator, macAuthJob);
+				backgroundTaskExecutor.submit(macAuthJob);
+			}
+		}
+
 	}
 
 	private void determineByteRanges(String rangeHeader) {
@@ -110,30 +125,23 @@ public class EncryptedFilePart extends EncryptedFile {
 
 	@Override
 	public void spool(OutputContext outputContext) throws IOException {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
-		if (Files.exists(path)) {
-			outputContext.setModificationTime(Files.getLastModifiedTime(path).toMillis());
-			SeekableByteChannel channel = null;
-			try {
-				channel = Files.newByteChannel(path, StandardOpenOption.READ);
-				final Long fileSize = cryptor.decryptedContentLength(channel);
-				final Pair<Long, Long> range = getUnionRange(fileSize);
-				final Long rangeLength = range.getRight() - range.getLeft() + 1;
-				outputContext.setContentLength(rangeLength);
-				outputContext.setProperty(HttpHeader.CONTENT_RANGE.asString(), getContentRangeHeader(range.getLeft(), range.getRight(), fileSize));
-				if (outputContext.hasStream()) {
-					cryptor.decryptRange(channel, outputContext.getOutputStream(), range.getLeft(), rangeLength);
-				}
-			} catch (EOFException e) {
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("Unexpected end of stream during delivery of partial content (client hung up).");
-				}
-			} catch (IOException e) {
-				LOG.error("Error reading file " + path.toString(), e);
-				throw new IORuntimeException(e);
-			} finally {
-				IOUtils.closeQuietly(channel);
+		assert Files.isRegularFile(filePath);
+		outputContext.setModificationTime(Files.getLastModifiedTime(filePath).toMillis());
+		try (final SeekableByteChannel channel = Files.newByteChannel(filePath, StandardOpenOption.READ)) {
+			final Long fileSize = cryptor.decryptedContentLength(channel);
+			final Pair<Long, Long> range = getUnionRange(fileSize);
+			final Long rangeLength = range.getRight() - range.getLeft() + 1;
+			outputContext.setContentLength(rangeLength);
+			outputContext.setProperty(HttpHeader.CONTENT_RANGE.asString(), getContentRangeHeader(range.getLeft(), range.getRight(), fileSize));
+			if (outputContext.hasStream()) {
+				cryptor.decryptRange(channel, outputContext.getOutputStream(), range.getLeft(), rangeLength);
 			}
+		} catch (EOFException e) {
+			if (LOG.isDebugEnabled()) {
+				LOG.trace("Unexpected end of stream during delivery of partial content (client hung up).");
+			}
+		} catch (DecryptFailedException e) {
+			throw new IOException("Error decrypting file " + filePath.toString(), e);
 		}
 	}
 
@@ -141,4 +149,46 @@ public class EncryptedFilePart extends EncryptedFile {
 		return String.format("%d-%d/%d", firstByte, lastByte, completeLength);
 	}
 
+	private class MacAuthenticationJob implements Runnable {
+
+		private final DavResourceLocator locator;
+
+		public MacAuthenticationJob(final DavResourceLocator locator) {
+			if (locator == null) {
+				throw new IllegalArgumentException("locator must not be null.");
+			}
+			this.locator = locator;
+		}
+
+		@Override
+		public void run() {
+			assert Files.isRegularFile(filePath);
+			try (final SeekableByteChannel channel = Files.newByteChannel(filePath, StandardOpenOption.READ)) {
+				final boolean authentic = cryptor.isAuthentic(channel);
+				if (!authentic) {
+					cryptoWarningHandler.macAuthFailed(locator.getResourcePath());
+				}
+			} catch (ClosedByInterruptException ex) {
+				LOG.debug("Couldn't finish MAC verification due to interruption of worker thread.");
+			} catch (IOException e) {
+				LOG.error("IOException during MAC verification of " + filePath.toString(), e);
+			}
+		}
+
+		@Override
+		public int hashCode() {
+			return locator.hashCode();
+		}
+
+		@Override
+		public boolean equals(Object obj) {
+			if (obj instanceof MacAuthenticationJob) {
+				final MacAuthenticationJob other = (MacAuthenticationJob) obj;
+				return this.locator.equals(other.locator);
+			} else {
+				return false;
+			}
+		}
+	}
+
 }

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/FileConstants.java

@@ -0,0 +1,108 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.webdav.jackrabbit;
+
+import java.io.IOException;
+import java.nio.file.DirectoryStream.Filter;
+import java.nio.file.Path;
+import java.nio.file.PathMatcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang3.StringUtils;
+
+interface FileConstants {
+
+	/**
+	 * Number of bytes in the file header.
+	 */
+	long FILE_HEADER_LENGTH = 96;
+
+	/**
+	 * Allow range requests for files > 32MiB.
+	 */
+	long RANGE_REQUEST_LOWER_LIMIT = 32 * 1024 * 1024;
+
+	/**
+	 * Maximum path length on some file systems or cloud storage providers is restricted.<br/>
+	 * Parent folder path uses up to 58 chars (sha256 -&gt; 32 bytes base32 encoded to 56 bytes + two slashes). That in mind we don't want the total path to be longer than 255 chars.<br/>
+	 * 128 chars would be enought for up to 80 plaintext chars. Also we need up to 9 chars for our file extension. So lets use {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT}.
+	 */
+	int ENCRYPTED_FILENAME_LENGTH_LIMIT = 137;
+
+	/**
+	 * Dummy file, on which file attributes can be stored for the root directory.
+	 */
+	String ROOT_FILE = "root";
+
+	/**
+	 * For encrypted directory names <= {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
+	 */
+	String DIR_EXT = ".dir";
+
+	/**
+	 * For encrypted direcotry names > {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
+	 */
+	String LONG_DIR_EXT = ".lng.dir";
+
+	/**
+	 * For encrypted file names <= {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
+	 */
+	String FILE_EXT = ".file";
+
+	/**
+	 * For encrypted file names > {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
+	 */
+	String LONG_FILE_EXT = ".lng.file";
+
+	/**
+	 * Length of prefix in file names > {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars used to determine the corresponding metadata file.
+	 */
+	int LONG_NAME_PREFIX_LENGTH = 8;
+
+	/**
+	 * Matches valid encrypted filenames (both normal and long filenames - see {@link #ENCRYPTED_FILENAME_LENGTH_LIMIT}).
+	 */
+	PathMatcher ENCRYPTED_FILE_MATCHER = new PathMatcher() {
+
+		private final Pattern BASIC_NAME_PATTERN = Pattern.compile("^[a-z2-7]+=*$", Pattern.CASE_INSENSITIVE);
+		private final Pattern LONG_NAME_PATTERN = Pattern.compile("^[a-z2-7]{8}[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", Pattern.CASE_INSENSITIVE);
+
+		@Override
+		public boolean matches(Path path) {
+			final String filename = path.getFileName().toString();
+			if (StringUtils.endsWithIgnoreCase(filename, LONG_FILE_EXT)) {
+				final String basename = StringUtils.removeEndIgnoreCase(filename, LONG_FILE_EXT);
+				return LONG_NAME_PATTERN.matcher(basename).matches();
+			} else if (StringUtils.endsWithIgnoreCase(filename, FILE_EXT)) {
+				final String basename = StringUtils.removeEndIgnoreCase(filename, FILE_EXT);
+				return BASIC_NAME_PATTERN.matcher(basename).matches();
+			} else if (StringUtils.endsWithIgnoreCase(filename, LONG_DIR_EXT)) {
+				final String basename = StringUtils.removeEndIgnoreCase(filename, LONG_DIR_EXT);
+				return LONG_NAME_PATTERN.matcher(basename).matches();
+			} else if (StringUtils.endsWithIgnoreCase(filename, DIR_EXT)) {
+				final String basename = StringUtils.removeEndIgnoreCase(filename, DIR_EXT);
+				return BASIC_NAME_PATTERN.matcher(basename).matches();
+			} else {
+				return false;
+			}
+		}
+
+	};
+
+	/**
+	 * Filter to determine files of interest in encrypted directory. Based on {@link #ENCRYPTED_FILE_MATCHER}.
+	 */
+	Filter<Path> DIRECTORY_CONTENT_FILTER = new Filter<Path>() {
+		@Override
+		public boolean accept(Path entry) throws IOException {
+			return ENCRYPTED_FILE_MATCHER.matches(entry);
+		}
+	};
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/FileTimeUtils.java

@@ -6,9 +6,10 @@
  * Contributors:
  *     Sebastian Stenzel - initial API and implementation
  ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
+package org.cryptomator.webdav.jackrabbit;
 
 import java.nio.file.attribute.FileTime;
+import java.time.Instant;
 import java.time.OffsetDateTime;
 import java.time.ZoneOffset;
 import java.time.format.DateTimeFormatter;
@@ -25,4 +26,9 @@ final class FileTimeUtils {
 		return DateTimeFormatter.RFC_1123_DATE_TIME.format(date);
 	}
 
+	static FileTime fromRfc1123String(String string) {
+		final Instant instant = Instant.from(DateTimeFormatter.RFC_1123_DATE_TIME.parse(string));
+		return FileTime.from(instant);
+	}
+
 }

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/FilenameTranslator.java

@@ -0,0 +1,226 @@
+package org.cryptomator.webdav.jackrabbit;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.Serializable;
+import java.nio.ByteBuffer;
+import java.nio.channels.FileChannel;
+import java.nio.channels.FileLock;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.NoSuchFileException;
+import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
+import java.nio.file.attribute.FileTime;
+import java.util.Map;
+import java.util.UUID;
+
+import org.apache.commons.collections4.BidiMap;
+import org.apache.commons.collections4.bidimap.DualHashBidiMap;
+import org.apache.commons.collections4.map.LRUMap;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.tuple.ImmutablePair;
+import org.apache.commons.lang3.tuple.Pair;
+import org.cryptomator.crypto.Cryptor;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+class FilenameTranslator implements FileConstants {
+
+	private static final int MAX_CACHED_DIRECTORY_IDS = 5000;
+	private static final int MAX_CACHED_METADATA_FILES = 1000;
+
+	private final Cryptor cryptor;
+	private final Path dataRoot;
+	private final Path metadataRoot;
+	private final ObjectMapper objectMapper = new ObjectMapper();
+	private final Map<Pair<Path, FileTime>, String> directoryIdCache = new LRUMap<>(MAX_CACHED_DIRECTORY_IDS); // <directoryFile, directoryId>
+	private final Map<Pair<Path, FileTime>, LongFilenameMetadata> metadataCache = new LRUMap<>(MAX_CACHED_METADATA_FILES); // <metadataFile, metadata>
+
+	public FilenameTranslator(Cryptor cryptor, Path vaultRoot) {
+		this.cryptor = cryptor;
+		this.dataRoot = vaultRoot.resolve("d");
+		this.metadataRoot = vaultRoot.resolve("m");
+	}
+
+	/* file and directory name en/decryption */
+
+	public String getDirectoryId(Path directoryFile, boolean createIfNonexisting) throws IOException {
+		try {
+			final Pair<Path, FileTime> key = ImmutablePair.of(directoryFile, Files.getLastModifiedTime(directoryFile));
+			String directoryId = directoryIdCache.get(key);
+			if (directoryId == null) {
+				directoryId = new String(readAllBytesAtomically(directoryFile), StandardCharsets.UTF_8);
+				directoryIdCache.put(key, directoryId);
+			}
+			return directoryId;
+		} catch (FileNotFoundException | NoSuchFileException e) {
+			if (createIfNonexisting) {
+				final String directoryId = UUID.randomUUID().toString();
+				writeAllBytesAtomically(directoryFile, directoryId.getBytes(StandardCharsets.UTF_8));
+				final Pair<Path, FileTime> key = ImmutablePair.of(directoryFile, Files.getLastModifiedTime(directoryFile));
+				directoryIdCache.put(key, directoryId);
+				return directoryId;
+			} else {
+				return null;
+			}
+		}
+	}
+
+	public Path getEncryptedDirectoryPath(String directoryId) {
+		final String encrypted = cryptor.encryptDirectoryPath(directoryId, FileSystems.getDefault().getSeparator());
+		return dataRoot.resolve(encrypted);
+	}
+
+	public String getEncryptedFilename(String cleartextFilename) throws IOException {
+		return getEncryptedFilename(cleartextFilename, FILE_EXT, LONG_FILE_EXT);
+	}
+
+	public String getEncryptedDirFileName(String cleartextDirName) throws IOException {
+		return getEncryptedFilename(cleartextDirName, DIR_EXT, LONG_DIR_EXT);
+	}
+
+	/**
+	 * Encryption will blow up the filename length due to aes block sizes, IVs and base32 encoding. The result may be too long for some old file systems.<br/>
+	 * This means that we need a workaround for filenames longer than the limit defined in {@link FileConstants#ENCRYPTED_FILENAME_LENGTH_LIMIT}.<br/>
+	 * <br/>
+	 * For filenames longer than this limit we use a metadata file containing the full encrypted paths. For the actual filename a unique alternative is created by concatenating the metadata filename
+	 * and a unique id.
+	 */
+	private String getEncryptedFilename(String cleartextFilename, String basicExt, String longExt) throws IOException {
+		final String ivAndCiphertext = cryptor.encryptFilename(cleartextFilename);
+		if (ivAndCiphertext.length() + basicExt.length() > ENCRYPTED_FILENAME_LENGTH_LIMIT) {
+			final String metadataGroup = ivAndCiphertext.substring(0, LONG_NAME_PREFIX_LENGTH);
+			final LongFilenameMetadata metadata = readMetadata(metadataGroup);
+			final String longFilename = metadataGroup + metadata.getOrCreateUuidForEncryptedFilename(ivAndCiphertext).toString() + longExt;
+			this.writeMetadata(metadataGroup, metadata);
+			return longFilename;
+		} else {
+			return ivAndCiphertext + basicExt;
+		}
+	}
+
+	public String getCleartextFilename(String encryptedFilename) throws DecryptFailedException, IOException {
+		final String ciphertext;
+		if (StringUtils.endsWithIgnoreCase(encryptedFilename, LONG_FILE_EXT)) {
+			final String basename = StringUtils.removeEndIgnoreCase(encryptedFilename, LONG_FILE_EXT);
+			final String metadataGroup = basename.substring(0, LONG_NAME_PREFIX_LENGTH);
+			final String uuid = basename.substring(LONG_NAME_PREFIX_LENGTH);
+			final LongFilenameMetadata metadata = readMetadata(metadataGroup);
+			ciphertext = metadata.getEncryptedFilenameForUUID(UUID.fromString(uuid));
+		} else if (StringUtils.endsWithIgnoreCase(encryptedFilename, FILE_EXT)) {
+			ciphertext = StringUtils.removeEndIgnoreCase(encryptedFilename, FILE_EXT);
+		} else if (StringUtils.endsWithIgnoreCase(encryptedFilename, LONG_DIR_EXT)) {
+			final String basename = StringUtils.removeEndIgnoreCase(encryptedFilename, LONG_DIR_EXT);
+			final String metadataGroup = basename.substring(0, LONG_NAME_PREFIX_LENGTH);
+			final String uuid = basename.substring(LONG_NAME_PREFIX_LENGTH);
+			final LongFilenameMetadata metadata = readMetadata(metadataGroup);
+			ciphertext = metadata.getEncryptedFilenameForUUID(UUID.fromString(uuid));
+		} else if (StringUtils.endsWithIgnoreCase(encryptedFilename, DIR_EXT)) {
+			ciphertext = StringUtils.removeEndIgnoreCase(encryptedFilename, DIR_EXT);
+		} else {
+			throw new IllegalArgumentException("Unsupported path component: " + encryptedFilename);
+		}
+		return cryptor.decryptFilename(ciphertext);
+	}
+
+	/* Locked I/O */
+
+	private void writeAllBytesAtomically(Path path, byte[] bytes) throws IOException {
+		try (final FileChannel c = FileChannel.open(path, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.DSYNC); final FileLock lock = c.lock()) {
+			c.write(ByteBuffer.wrap(bytes));
+		}
+	}
+
+	private byte[] readAllBytesAtomically(Path path) throws IOException {
+		try (final FileChannel c = FileChannel.open(path, StandardOpenOption.READ, StandardOpenOption.DSYNC); final FileLock lock = c.lock(0L, Long.MAX_VALUE, true)) {
+			final ByteBuffer buffer = ByteBuffer.allocate((int) c.size());
+			c.read(buffer);
+			return buffer.array();
+		}
+	}
+
+	/* Long name metadata files */
+
+	private void writeMetadata(String metadataGroup, LongFilenameMetadata metadata) throws IOException {
+		final Path metadataDir = metadataRoot.resolve(metadataGroup.substring(0, 2));
+		Files.createDirectories(metadataDir);
+		final Path metadataFile = metadataDir.resolve(metadataGroup.substring(2));
+
+		// evict previously cached entries:
+		try {
+			final Pair<Path, FileTime> key = ImmutablePair.of(metadataFile, Files.getLastModifiedTime(metadataFile));
+			metadataCache.remove(key);
+		} catch (FileNotFoundException | NoSuchFileException e) {
+			// didn't exist yet? then we don't need to do anything anyway.
+		}
+
+		// write:
+		final byte[] metadataContent = objectMapper.writeValueAsBytes(metadata);
+		writeAllBytesAtomically(metadataFile, metadataContent);
+
+		// add to cache:
+		final Pair<Path, FileTime> key = ImmutablePair.of(metadataFile, Files.getLastModifiedTime(metadataFile));
+		metadataCache.put(key, metadata);
+	}
+
+	private LongFilenameMetadata readMetadata(String metadataGroup) throws IOException {
+		final Path metadataDir = metadataRoot.resolve(metadataGroup.substring(0, 2));
+		final Path metadataFile = metadataDir.resolve(metadataGroup.substring(2));
+		try {
+			// use cached metadata, if possible:
+			final Pair<Path, FileTime> key = ImmutablePair.of(metadataFile, Files.getLastModifiedTime(metadataFile));
+			LongFilenameMetadata metadata = metadataCache.get(key);
+			// else read from filesystem:
+			if (metadata == null) {
+				final byte[] metadataContent = readAllBytesAtomically(metadataFile);
+				metadata = objectMapper.readValue(metadataContent, LongFilenameMetadata.class);
+				metadataCache.put(key, metadata);
+			}
+			return metadata;
+		} catch (FileNotFoundException | NoSuchFileException e) {
+			// not yet existing:
+			return new LongFilenameMetadata();
+		}
+	}
+
+	private static class LongFilenameMetadata implements Serializable {
+
+		private static final long serialVersionUID = 6214509403824421320L;
+
+		@JsonDeserialize(as = DualHashBidiMap.class)
+		private BidiMap<UUID, String> encryptedFilenames = new DualHashBidiMap<>();
+
+		/* Getter/Setter */
+
+		public synchronized String getEncryptedFilenameForUUID(final UUID uuid) {
+			return encryptedFilenames.get(uuid);
+		}
+
+		public synchronized UUID getOrCreateUuidForEncryptedFilename(String encryptedFilename) {
+			UUID uuid = encryptedFilenames.getKey(encryptedFilename);
+			if (uuid == null) {
+				uuid = UUID.randomUUID();
+				encryptedFilenames.put(uuid, encryptedFilename);
+			}
+			return uuid;
+		}
+
+		// used by jackson
+		@SuppressWarnings("unused")
+		public BidiMap<UUID, String> getEncryptedFilenames() {
+			return encryptedFilenames;
+		}
+
+		// used by jackson
+		@SuppressWarnings("unused")
+		public void setEncryptedFilenames(BidiMap<UUID, String> encryptedFilenames) {
+			this.encryptedFilenames = encryptedFilenames;
+		}
+
+	}
+
+}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/HttpHeaderProperty.java

@@ -1,4 +1,4 @@
-package org.cryptomator.webdav.jackrabbit.resources;
+package org.cryptomator.webdav.jackrabbit;
 
 import org.apache.jackrabbit.webdav.property.AbstractDavProperty;
 import org.apache.jackrabbit.webdav.property.DavPropertyName;

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/NonExistingNode.java

@@ -6,25 +6,31 @@
  * Contributors:
  *     Sebastian Stenzel - initial API and implementation
  ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
+package org.cryptomator.webdav.jackrabbit;
 
 import java.io.IOException;
+import java.nio.file.Path;
 
 import org.apache.jackrabbit.webdav.DavException;
 import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
 import org.apache.jackrabbit.webdav.DavResourceIterator;
 import org.apache.jackrabbit.webdav.DavResourceLocator;
 import org.apache.jackrabbit.webdav.DavSession;
 import org.apache.jackrabbit.webdav.io.InputContext;
 import org.apache.jackrabbit.webdav.io.OutputContext;
 import org.apache.jackrabbit.webdav.lock.LockManager;
+import org.apache.jackrabbit.webdav.property.DavProperty;
 import org.cryptomator.crypto.Cryptor;
 
-public class NonExistingNode extends AbstractEncryptedNode {
+class NonExistingNode extends AbstractEncryptedNode {
 
-	public NonExistingNode(DavResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor) {
-		super(factory, locator, session, lockManager, cryptor);
+	private final Path filePath;
+	private final Path dirFilePath;
+
+	public NonExistingNode(CryptoResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor, Path filePath, Path dirFilePath) {
+		super(factory, locator, session, lockManager, cryptor, null);
+		this.filePath = filePath;
+		this.dirFilePath = dirFilePath;
 	}
 
 	@Override
@@ -34,7 +40,12 @@ public class NonExistingNode extends AbstractEncryptedNode {
 
 	@Override
 	public boolean isCollection() {
-		throw new UnsupportedOperationException("Resource doesn't exist.");
+		return false;
+	}
+
+	@Override
+	public long getModificationTime() {
+		return -1;
 	}
 
 	@Override
@@ -58,8 +69,26 @@ public class NonExistingNode extends AbstractEncryptedNode {
 	}
 
 	@Override
-	protected void determineProperties() {
-		// do nothing.
+	public void move(AbstractEncryptedNode destination) throws DavException {
+		throw new UnsupportedOperationException("Resource doesn't exist.");
+	}
+
+	@Override
+	public void copy(AbstractEncryptedNode destination, boolean shallow) throws DavException {
+		throw new UnsupportedOperationException("Resource doesn't exist.");
+	}
+
+	@Override
+	public void setProperty(DavProperty<?> property) throws DavException {
+		throw new UnsupportedOperationException("Resource doesn't exist.");
+	}
+
+	public Path getFilePath() {
+		return filePath;
+	}
+
+	public Path getDirFilePath() {
+		return dirFilePath;
 	}
 
 }

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/WebDavLocatorFactory.java

@@ -1,118 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit;
-
-import java.io.IOException;
-import java.nio.file.FileSystems;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-
-import org.apache.commons.collections4.BidiMap;
-import org.apache.jackrabbit.webdav.AbstractLocatorFactory;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.crypto.CryptorIOSupport;
-import org.cryptomator.crypto.SensitiveDataSwipeListener;
-
-class WebDavLocatorFactory extends AbstractLocatorFactory implements SensitiveDataSwipeListener, CryptorIOSupport {
-
-	private static final int MAX_CACHED_PATHS = 10000;
-	private final Path fsRoot;
-	private final Cryptor cryptor;
-	private final BidiMap<String, String> pathCache = new BidiLRUMap<>(MAX_CACHED_PATHS); // <decryptedPath, encryptedPath>
-
-	WebDavLocatorFactory(String fsRoot, String httpRoot, Cryptor cryptor) {
-		super(httpRoot);
-		this.fsRoot = FileSystems.getDefault().getPath(fsRoot);
-		this.cryptor = cryptor;
-		cryptor.addSensitiveDataSwipeListener(this);
-	}
-
-	/**
-	 * @return Encrypted absolute paths on the file system.
-	 */
-	@Override
-	protected String getRepositoryPath(String resourcePath, String wspPath) {
-		String encryptedPath = pathCache.get(resourcePath);
-		if (encryptedPath == null) {
-			encryptedPath = encryptRepositoryPath(resourcePath);
-			pathCache.put(resourcePath, encryptedPath);
-		}
-		return encryptedPath;
-	}
-
-	private String encryptRepositoryPath(String resourcePath) {
-		if (resourcePath == null) {
-			return fsRoot.toString();
-		}
-		final String encryptedRepoPath = cryptor.encryptPath(resourcePath, FileSystems.getDefault().getSeparator().charAt(0), '/', this);
-		return fsRoot.resolve(encryptedRepoPath).toString();
-	}
-
-	/**
-	 * @return Decrypted path for use in URIs.
-	 */
-	@Override
-	protected String getResourcePath(String repositoryPath, String wspPath) {
-		String decryptedPath = pathCache.getKey(repositoryPath);
-		if (decryptedPath == null) {
-			decryptedPath = decryptResourcePath(repositoryPath);
-			pathCache.put(decryptedPath, repositoryPath);
-		}
-		return decryptedPath;
-	}
-
-	private String decryptResourcePath(String repositoryPath) {
-		final Path absRepoPath = FileSystems.getDefault().getPath(repositoryPath);
-		if (fsRoot.equals(absRepoPath)) {
-			return null;
-		} else {
-			final Path relativeRepositoryPath = fsRoot.relativize(absRepoPath);
-			final String resourcePath = cryptor.decryptPath(relativeRepositoryPath.toString(), FileSystems.getDefault().getSeparator().charAt(0), '/', this);
-			return resourcePath;
-		}
-	}
-
-	@Override
-	public DavResourceLocator createResourceLocator(String prefix, String workspacePath, String path, boolean isResourcePath) {
-		// we don't support workspaces
-		return super.createResourceLocator(prefix, "", path, isResourcePath);
-	}
-
-	@Override
-	public DavResourceLocator createResourceLocator(String prefix, String workspacePath, String resourcePath) {
-		// we don't support workspaces
-		return super.createResourceLocator(prefix, "", resourcePath);
-	}
-
-	@Override
-	public void swipeSensitiveData() {
-		pathCache.clear();
-	}
-
-	/* Cryptor I/O Support */
-
-	@Override
-	public void writePathSpecificMetadata(String encryptedPath, byte[] encryptedMetadata) throws IOException {
-		final Path metaDataFile = fsRoot.resolve(encryptedPath);
-		Files.write(metaDataFile, encryptedMetadata, StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.DSYNC);
-	}
-
-	@Override
-	public byte[] readPathSpecificMetadata(String encryptedPath) throws IOException {
-		final Path metaDataFile = fsRoot.resolve(encryptedPath);
-		if (!Files.isReadable(metaDataFile)) {
-			return null;
-		} else {
-			return Files.readAllBytes(metaDataFile);
-		}
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/WebDavResourceFactory.java

@@ -1,88 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit;
-
-import java.nio.file.Files;
-import java.nio.file.Path;
-
-import org.apache.commons.httpclient.HttpStatus;
-import org.apache.jackrabbit.webdav.DavException;
-import org.apache.jackrabbit.webdav.DavMethods;
-import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-import org.apache.jackrabbit.webdav.DavServletRequest;
-import org.apache.jackrabbit.webdav.DavServletResponse;
-import org.apache.jackrabbit.webdav.DavSession;
-import org.apache.jackrabbit.webdav.lock.LockManager;
-import org.apache.jackrabbit.webdav.lock.SimpleLockManager;
-import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.webdav.jackrabbit.resources.EncryptedDir;
-import org.cryptomator.webdav.jackrabbit.resources.EncryptedFile;
-import org.cryptomator.webdav.jackrabbit.resources.EncryptedFilePart;
-import org.cryptomator.webdav.jackrabbit.resources.NonExistingNode;
-import org.cryptomator.webdav.jackrabbit.resources.ResourcePathUtils;
-import org.eclipse.jetty.http.HttpHeader;
-
-class WebDavResourceFactory implements DavResourceFactory {
-
-	private final LockManager lockManager = new SimpleLockManager();
-	private final Cryptor cryptor;
-
-	WebDavResourceFactory(Cryptor cryptor) {
-		this.cryptor = cryptor;
-	}
-
-	@Override
-	public DavResource createResource(DavResourceLocator locator, DavServletRequest request, DavServletResponse response) throws DavException {
-		final Path path = ResourcePathUtils.getPhysicalPath(locator);
-		final String rangeHeader = request.getHeader(HttpHeader.RANGE.asString());
-
-		if (Files.isRegularFile(path) && DavMethods.METHOD_GET.equals(request.getMethod()) && rangeHeader != null) {
-			response.setStatus(HttpStatus.SC_PARTIAL_CONTENT);
-			return createFilePart(locator, request.getDavSession(), request);
-		} else if (Files.isRegularFile(path) || DavMethods.METHOD_PUT.equals(request.getMethod())) {
-			return createFile(locator, request.getDavSession());
-		} else if (Files.isDirectory(path) || DavMethods.METHOD_MKCOL.equals(request.getMethod())) {
-			return createDirectory(locator, request.getDavSession());
-		} else {
-			return createNonExisting(locator, request.getDavSession());
-		}
-	}
-
-	@Override
-	public DavResource createResource(DavResourceLocator locator, DavSession session) throws DavException {
-		final Path path = ResourcePathUtils.getPhysicalPath(locator);
-
-		if (Files.isRegularFile(path)) {
-			return createFile(locator, session);
-		} else if (Files.isDirectory(path)) {
-			return createDirectory(locator, session);
-		} else {
-			return createNonExisting(locator, session);
-		}
-	}
-
-	private EncryptedFile createFilePart(DavResourceLocator locator, DavSession session, DavServletRequest request) {
-		return new EncryptedFilePart(this, locator, session, request, lockManager, cryptor);
-	}
-
-	private EncryptedFile createFile(DavResourceLocator locator, DavSession session) {
-		return new EncryptedFile(this, locator, session, lockManager, cryptor);
-	}
-
-	private EncryptedDir createDirectory(DavResourceLocator locator, DavSession session) {
-		return new EncryptedDir(this, locator, session, lockManager, cryptor);
-	}
-
-	private NonExistingNode createNonExisting(DavResourceLocator locator, DavSession session) {
-		return new NonExistingNode(this, locator, session, lockManager, cryptor);
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/WebDavServlet.java

@@ -8,6 +8,11 @@
  ******************************************************************************/
 package org.cryptomator.webdav.jackrabbit;
 
+import java.util.Collection;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 
@@ -22,29 +27,44 @@ import org.cryptomator.crypto.Cryptor;
 public class WebDavServlet extends AbstractWebdavServlet {
 
 	private static final long serialVersionUID = 7965170007048673022L;
-	public static final String CFG_FS_ROOT = "oce.fs.root";
-	public static final String CFG_HTTP_ROOT = "oce.http.root";
+	public static final String CFG_FS_ROOT = "cfg.fs.root";
 	private DavSessionProvider davSessionProvider;
 	private DavLocatorFactory davLocatorFactory;
 	private DavResourceFactory davResourceFactory;
 	private final Cryptor cryptor;
+	private final CryptoWarningHandler cryptoWarningHandler;
+	private ExecutorService backgroundTaskExecutor;
 
-	public WebDavServlet(final Cryptor cryptor) {
+	public WebDavServlet(final Cryptor cryptor, final Collection<String> failingMacCollection) {
 		super();
 		this.cryptor = cryptor;
+		this.cryptoWarningHandler = new CryptoWarningHandler(failingMacCollection);
 	}
 
 	@Override
 	public void init(ServletConfig config) throws ServletException {
 		super.init(config);
-
-		davSessionProvider = new WebDavSessionProvider();
-
 		final String fsRoot = config.getInitParameter(CFG_FS_ROOT);
-		final String httpRoot = config.getInitParameter(CFG_HTTP_ROOT);
-		this.davLocatorFactory = new WebDavLocatorFactory(fsRoot, httpRoot, cryptor);
+		backgroundTaskExecutor = Executors.newCachedThreadPool();
+		davSessionProvider = new DavSessionProviderImpl();
+		davLocatorFactory = new CleartextLocatorFactory(config.getServletContext().getContextPath());
+		davResourceFactory = new CryptoResourceFactory(cryptor, cryptoWarningHandler, backgroundTaskExecutor, fsRoot);
+	}
 
-		this.davResourceFactory = new WebDavResourceFactory(cryptor);
+	@Override
+	public void destroy() {
+		backgroundTaskExecutor.shutdown();
+		try {
+			final boolean tasksFinished = backgroundTaskExecutor.awaitTermination(2, TimeUnit.SECONDS);
+			if (!tasksFinished) {
+				backgroundTaskExecutor.shutdownNow();
+			}
+		} catch (InterruptedException e) {
+			backgroundTaskExecutor.shutdownNow();
+			Thread.currentThread().interrupt();
+		} finally {
+			super.destroy();
+		}
 	}
 
 	@Override

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/resources/EncryptedDir.java

@@ -1,178 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
-
-import java.io.IOException;
-import java.nio.channels.SeekableByteChannel;
-import java.nio.file.DirectoryStream;
-import java.nio.file.FileVisitResult;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.SimpleFileVisitor;
-import java.nio.file.StandardOpenOption;
-import java.nio.file.attribute.BasicFileAttributes;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.jackrabbit.webdav.DavException;
-import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
-import org.apache.jackrabbit.webdav.DavResourceIterator;
-import org.apache.jackrabbit.webdav.DavResourceIteratorImpl;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-import org.apache.jackrabbit.webdav.DavServletResponse;
-import org.apache.jackrabbit.webdav.DavSession;
-import org.apache.jackrabbit.webdav.io.InputContext;
-import org.apache.jackrabbit.webdav.io.OutputContext;
-import org.apache.jackrabbit.webdav.lock.LockManager;
-import org.apache.jackrabbit.webdav.property.DavPropertyName;
-import org.apache.jackrabbit.webdav.property.DefaultDavProperty;
-import org.apache.jackrabbit.webdav.property.ResourceType;
-import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.webdav.exceptions.DavRuntimeException;
-import org.cryptomator.webdav.exceptions.IORuntimeException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class EncryptedDir extends AbstractEncryptedNode {
-
-	private static final Logger LOG = LoggerFactory.getLogger(EncryptedDir.class);
-
-	public EncryptedDir(DavResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor) {
-		super(factory, locator, session, lockManager, cryptor);
-	}
-
-	@Override
-	public boolean isCollection() {
-		return true;
-	}
-
-	@Override
-	public void addMember(DavResource resource, InputContext inputContext) throws DavException {
-		if (resource.isCollection()) {
-			this.addMemberDir(resource, inputContext);
-		} else {
-			this.addMemberFile(resource, inputContext);
-		}
-	}
-
-	private void addMemberDir(DavResource resource, InputContext inputContext) throws DavException {
-		final Path childPath = ResourcePathUtils.getPhysicalPath(resource);
-		try {
-			Files.createDirectories(childPath);
-		} catch (SecurityException e) {
-			throw new DavException(DavServletResponse.SC_FORBIDDEN, e);
-		} catch (IOException e) {
-			LOG.error("Failed to create subdirectory.", e);
-			throw new IORuntimeException(e);
-		}
-	}
-
-	private void addMemberFile(DavResource resource, InputContext inputContext) throws DavException {
-		final Path childPath = ResourcePathUtils.getPhysicalPath(resource);
-		SeekableByteChannel channel = null;
-		try {
-			channel = Files.newByteChannel(childPath, StandardOpenOption.WRITE, StandardOpenOption.CREATE);
-			cryptor.encryptFile(inputContext.getInputStream(), channel);
-		} catch (SecurityException e) {
-			throw new DavException(DavServletResponse.SC_FORBIDDEN, e);
-		} catch (IOException e) {
-			LOG.error("Failed to create file.", e);
-			throw new IORuntimeException(e);
-		} finally {
-			IOUtils.closeQuietly(channel);
-			IOUtils.closeQuietly(inputContext.getInputStream());
-		}
-	}
-
-	@Override
-	public DavResourceIterator getMembers() {
-		final Path dir = ResourcePathUtils.getPhysicalPath(this);
-		try {
-			final DirectoryStream<Path> directoryStream = Files.newDirectoryStream(dir, cryptor.getPayloadFilesFilter());
-			final List<DavResource> result = new ArrayList<>();
-
-			for (final Path childPath : directoryStream) {
-				final DavResourceLocator childLocator = locator.getFactory().createResourceLocator(locator.getPrefix(), locator.getWorkspacePath(), childPath.toString(), false);
-				final DavResource resource = factory.createResource(childLocator, session);
-				result.add(resource);
-			}
-			return new DavResourceIteratorImpl(result);
-		} catch (IOException e) {
-			LOG.error("Exception during getMembers.", e);
-			throw new IORuntimeException(e);
-		} catch (DavException e) {
-			LOG.error("Exception during getMembers.", e);
-			throw new DavRuntimeException(e);
-		}
-	}
-
-	@Override
-	public void removeMember(DavResource member) throws DavException {
-		final Path memberPath = ResourcePathUtils.getPhysicalPath(member);
-		try {
-			Files.walkFileTree(memberPath, new DeletingFileVisitor());
-		} catch (SecurityException e) {
-			throw new DavException(DavServletResponse.SC_FORBIDDEN, e);
-		} catch (IOException e) {
-			throw new IORuntimeException(e);
-		}
-	}
-
-	@Override
-	public void spool(OutputContext outputContext) throws IOException {
-		// do nothing
-	}
-
-	@Override
-	protected void determineProperties() {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
-		properties.add(new ResourceType(ResourceType.COLLECTION));
-		properties.add(new DefaultDavProperty<Integer>(DavPropertyName.ISCOLLECTION, 1));
-		if (Files.exists(path)) {
-			try {
-				final BasicFileAttributes attrs = Files.readAttributes(path, BasicFileAttributes.class);
-				properties.add(new DefaultDavProperty<String>(DavPropertyName.CREATIONDATE, FileTimeUtils.toRfc1123String(attrs.creationTime())));
-				properties.add(new DefaultDavProperty<String>(DavPropertyName.GETLASTMODIFIED, FileTimeUtils.toRfc1123String(attrs.lastModifiedTime())));
-			} catch (IOException e) {
-				LOG.error("Error determining metadata " + path.toString(), e);
-				// don't add any further properties
-			}
-		}
-	}
-
-	/**
-	 * Deletes all files and folders, it visits.
-	 */
-	private static class DeletingFileVisitor extends SimpleFileVisitor<Path> {
-
-		@Override
-		public FileVisitResult visitFile(Path file, BasicFileAttributes attributes) throws IOException {
-			if (attributes.isRegularFile()) {
-				Files.delete(file);
-			}
-			return FileVisitResult.CONTINUE;
-		}
-
-		@Override
-		public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException {
-			Files.delete(dir);
-			return FileVisitResult.CONTINUE;
-		}
-
-		@Override
-		public FileVisitResult visitFileFailed(Path file, IOException exc) throws IOException {
-			LOG.error("Failed to delete file " + file.toString(), exc);
-			return FileVisitResult.TERMINATE;
-		}
-
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/resources/EncryptedFile.java

@@ -1,113 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
-
-import java.io.EOFException;
-import java.io.IOException;
-import java.nio.channels.SeekableByteChannel;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.nio.file.attribute.BasicFileAttributes;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.jackrabbit.webdav.DavException;
-import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceFactory;
-import org.apache.jackrabbit.webdav.DavResourceIterator;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-import org.apache.jackrabbit.webdav.DavSession;
-import org.apache.jackrabbit.webdav.io.InputContext;
-import org.apache.jackrabbit.webdav.io.OutputContext;
-import org.apache.jackrabbit.webdav.lock.LockManager;
-import org.apache.jackrabbit.webdav.property.DavPropertyName;
-import org.apache.jackrabbit.webdav.property.DefaultDavProperty;
-import org.cryptomator.crypto.Cryptor;
-import org.cryptomator.webdav.exceptions.IORuntimeException;
-import org.eclipse.jetty.http.HttpHeader;
-import org.eclipse.jetty.http.HttpHeaderValue;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class EncryptedFile extends AbstractEncryptedNode {
-
-	private static final Logger LOG = LoggerFactory.getLogger(EncryptedFile.class);
-
-	public EncryptedFile(DavResourceFactory factory, DavResourceLocator locator, DavSession session, LockManager lockManager, Cryptor cryptor) {
-		super(factory, locator, session, lockManager, cryptor);
-	}
-
-	@Override
-	public boolean isCollection() {
-		return false;
-	}
-
-	@Override
-	public void addMember(DavResource resource, InputContext inputContext) throws DavException {
-		throw new UnsupportedOperationException("Can not add member to file.");
-	}
-
-	@Override
-	public DavResourceIterator getMembers() {
-		throw new UnsupportedOperationException("Can not list members of file.");
-	}
-
-	@Override
-	public void removeMember(DavResource member) throws DavException {
-		throw new UnsupportedOperationException("Can not remove member to file.");
-	}
-
-	@Override
-	public void spool(OutputContext outputContext) throws IOException {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
-		if (Files.exists(path)) {
-			outputContext.setModificationTime(Files.getLastModifiedTime(path).toMillis());
-			outputContext.setProperty(HttpHeader.ACCEPT_RANGES.asString(), HttpHeaderValue.BYTES.asString());
-			SeekableByteChannel channel = null;
-			try {
-				channel = Files.newByteChannel(path, StandardOpenOption.READ);
-				outputContext.setContentLength(cryptor.decryptedContentLength(channel));
-				if (outputContext.hasStream()) {
-					cryptor.decryptedFile(channel, outputContext.getOutputStream());
-				}
-			} catch (EOFException e) {
-				LOG.warn("Unexpected end of stream (possibly client hung up).");
-			} catch (IOException e) {
-				LOG.error("Error reading file " + path.toString(), e);
-				throw new IORuntimeException(e);
-			} finally {
-				IOUtils.closeQuietly(channel);
-			}
-		}
-	}
-
-	@Override
-	protected void determineProperties() {
-		final Path path = ResourcePathUtils.getPhysicalPath(this);
-		if (Files.exists(path)) {
-			SeekableByteChannel channel = null;
-			try {
-				channel = Files.newByteChannel(path, StandardOpenOption.READ);
-				final Long contentLength = cryptor.decryptedContentLength(channel);
-				properties.add(new DefaultDavProperty<Long>(DavPropertyName.GETCONTENTLENGTH, contentLength));
-
-				final BasicFileAttributes attrs = Files.readAttributes(path, BasicFileAttributes.class);
-				properties.add(new DefaultDavProperty<String>(DavPropertyName.CREATIONDATE, FileTimeUtils.toRfc1123String(attrs.creationTime())));
-				properties.add(new DefaultDavProperty<String>(DavPropertyName.GETLASTMODIFIED, FileTimeUtils.toRfc1123String(attrs.lastModifiedTime())));
-				properties.add(new HttpHeaderProperty(HttpHeader.ACCEPT_RANGES.asString(), HttpHeaderValue.BYTES.asString()));
-			} catch (IOException e) {
-				LOG.error("Error determining metadata " + path.toString(), e);
-				throw new IORuntimeException(e);
-			} finally {
-				IOUtils.closeQuietly(channel);
-			}
-		}
-	}
-
-}

main/core/src/main/java/org/cryptomator/webdav/jackrabbit/resources/ResourcePathUtils.java

@@ -1,31 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.webdav.jackrabbit.resources;
-
-import java.nio.file.FileSystems;
-import java.nio.file.Path;
-
-import org.apache.jackrabbit.webdav.DavResource;
-import org.apache.jackrabbit.webdav.DavResourceLocator;
-
-public final class ResourcePathUtils {
-
-	private ResourcePathUtils() {
-		throw new IllegalStateException("not instantiable");
-	}
-
-	public static Path getPhysicalPath(DavResource resource) {
-		return getPhysicalPath(resource.getLocator());
-	}
-
-	public static Path getPhysicalPath(DavResourceLocator locator) {
-		return FileSystems.getDefault().getPath(locator.getRepositoryPath());
-	}
-
-}

main/crypto-aes/pom.xml

@@ -12,17 +12,28 @@
 	<parent>
 		<groupId>org.cryptomator</groupId>
 		<artifactId>main</artifactId>
-		<version>0.3.0-SNAPSHOT</version>
+		<version>0.7.2</version>
 	</parent>
 	<artifactId>crypto-aes</artifactId>
 	<name>Cryptomator cryptographic module (AES)</name>
 	<description>Provides stream ciphers and filename pseudonymization functions.</description>
+	
+	<properties>
+		<bouncycastle.version>1.51</bouncycastle.version>
+	</properties>
 
 	<dependencies>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
 			<artifactId>crypto-api</artifactId>
 		</dependency>
+		
+		<!-- Bouncycastle -->
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk15on</artifactId>
+			<version>${bouncycastle.version}</version>
+		</dependency>
 
 		<!-- Commons -->
 		<dependency>

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/Aes256Cryptor.java

@@ -8,76 +8,64 @@
  ******************************************************************************/
 package org.cryptomator.crypto.aes256;
 
+import java.io.BufferedOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.nio.BufferOverflowException;
 import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
 import java.nio.channels.SeekableByteChannel;
-import java.nio.file.DirectoryStream.Filter;
-import java.nio.file.Path;
+import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.KeySpec;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.List;
-import java.util.Random;
-import java.util.UUID;
-import java.util.zip.CRC32;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.CipherInputStream;
 import javax.crypto.CipherOutputStream;
 import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.Mac;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.DestroyFailedException;
+import javax.security.auth.Destroyable;
 
-import org.apache.commons.io.Charsets;
 import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.cryptomator.crypto.AbstractCryptor;
-import org.cryptomator.crypto.CryptorIOSupport;
+import org.apache.commons.io.output.NullOutputStream;
+import org.bouncycastle.crypto.generators.SCrypt;
+import org.cryptomator.crypto.Cryptor;
+import org.cryptomator.crypto.aes256.CounterAwareInputStream.CounterAwareInputLimitReachedException;
+import org.cryptomator.crypto.exceptions.CounterOverflowException;
 import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
+import org.cryptomator.crypto.exceptions.MacAuthenticationFailedException;
 import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
 import org.cryptomator.crypto.exceptions.WrongPasswordException;
 import org.cryptomator.crypto.io.SeekableByteChannelInputStream;
 import org.cryptomator.crypto.io.SeekableByteChannelOutputStream;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
-public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicConfiguration, FileNamingConventions {
+public class Aes256Cryptor implements Cryptor, AesCryptographicConfiguration {
+
+	/**
+	 * Defined in static initializer. Defaults to 256, but falls back to maximum value possible, if JCE Unlimited Strength Jurisdiction Policy Files isn't installed. Those files can be downloaded
+	 * here: http://www.oracle.com/technetwork/java/javase/downloads/.
+	 */
+	private static final int AES_KEY_LENGTH_IN_BITS;
 
 	/**
 	 * PRNG for cryptographically secure random numbers. Defaults to SHA1-based number generator.
 	 * 
 	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecureRandom
 	 */
-	private static final SecureRandom SECURE_PRNG;
-
-	/**
-	 * Factory for deriveing keys. Defaults to PBKDF2/HMAC-SHA1.
-	 * 
-	 * @see PKCS #5, defined in RFC 2898
-	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory
-	 */
-	private static final SecretKeyFactory PBKDF2_FACTORY;
-
-	/**
-	 * Defined in static initializer. Defaults to 256, but falls back to maximum value possible, if JCE isn't installed. JCE can be
-	 * installed from here: http://www.oracle.com/technetwork/java/javase/downloads/.
-	 */
-	private static final int AES_KEY_LENGTH;
+	private final SecureRandom securePrng;
 
 	/**
 	 * Jackson JSON-Mapper.
@@ -85,19 +73,20 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 	private final ObjectMapper objectMapper = new ObjectMapper();
 
 	/**
-	 * The decrypted master key. Its lifecycle starts with {@link #randomData(int)} or {@link #encryptMasterKey(Path, CharSequence)}. Its
-	 * lifecycle ends with {@link #swipeSensitiveData()}.
+	 * The decrypted master key. Its lifecycle starts with the construction of an Aes256Cryptor instance or {@link #decryptMasterKey(InputStream, CharSequence)}. Its lifecycle ends with
+	 * {@link #swipeSensitiveData()}.
 	 */
-	private final byte[] masterKey = new byte[MASTER_KEY_LENGTH];
+	private SecretKey primaryMasterKey;
 
-	private static final int SIZE_OF_LONG = Long.BYTES;
+	/**
+	 * Decrypted secondary key used for hmac operations.
+	 */
+	private SecretKey hMacMasterKey;
 
 	static {
 		try {
-			PBKDF2_FACTORY = SecretKeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
-			SECURE_PRNG = SecureRandom.getInstance(PRNG_ALGORITHM);
-			final int maxKeyLen = Cipher.getMaxAllowedKeyLength(CRYPTO_ALGORITHM);
-			AES_KEY_LENGTH = (maxKeyLen >= 256) ? 256 : maxKeyLen;
+			final int maxKeyLength = Cipher.getMaxAllowedKeyLength(AES_KEY_ALGORITHM);
+			AES_KEY_LENGTH_IN_BITS = (maxKeyLength >= PREF_MASTER_KEY_LENGTH_IN_BITS) ? PREF_MASTER_KEY_LENGTH_IN_BITS : maxKeyLength;
 		} catch (NoSuchAlgorithmException e) {
 			throw new IllegalStateException("Algorithm should exist.", e);
 		}
@@ -107,18 +96,19 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 	 * Creates a new Cryptor with a newly initialized PRNG.
 	 */
 	public Aes256Cryptor() {
-		SECURE_PRNG.setSeed(SECURE_PRNG.generateSeed(PRNG_SEED_LENGTH));
-		SECURE_PRNG.nextBytes(this.masterKey);
-	}
-
-	/**
-	 * Creates a new Cryptor with the given PRNG.<br/>
-	 * <strong>DO NOT USE IN PRODUCTION</strong>. This constructor must only be used in in unit tests. Do not change method visibility.
-	 * 
-	 * @param prng Fast, possibly insecure PRNG.
-	 */
-	Aes256Cryptor(Random prng) {
-		prng.nextBytes(this.masterKey);
+		byte[] bytes = new byte[AES_KEY_LENGTH_IN_BITS / Byte.SIZE];
+		try {
+			securePrng = SecureRandom.getInstance(PRNG_ALGORITHM);
+			securePrng.setSeed(securePrng.generateSeed(PRNG_SEED_LENGTH));
+			securePrng.nextBytes(bytes);
+			this.primaryMasterKey = new SecretKeySpec(bytes, AES_KEY_ALGORITHM);
+			securePrng.nextBytes(bytes);
+			this.hMacMasterKey = new SecretKeySpec(bytes, HMAC_KEY_ALGORITHM);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("PRNG algorithm should exist.", e);
+		} finally {
+			Arrays.fill(bytes, (byte) 0);
+		}
 	}
 
 	/**
@@ -128,26 +118,26 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 	public void encryptMasterKey(OutputStream out, CharSequence password) throws IOException {
 		try {
 			// derive key:
-			final byte[] userSalt = randomData(SALT_LENGTH);
-			final SecretKey userKey = pbkdf2(password, userSalt, PBKDF2_PW_ITERATIONS, AES_KEY_LENGTH);
+			final byte[] kekSalt = randomData(SCRYPT_SALT_LENGTH);
+			final SecretKey kek = scrypt(password, kekSalt, SCRYPT_COST_PARAM, SCRYPT_BLOCK_SIZE, AES_KEY_LENGTH_IN_BITS);
 
 			// encrypt:
-			final byte[] iv = randomData(AES_BLOCK_LENGTH);
-			final Cipher encCipher = this.cipher(MASTERKEY_CIPHER, userKey, iv, Cipher.ENCRYPT_MODE);
-			byte[] encryptedUserKey = encCipher.doFinal(userKey.getEncoded());
-			byte[] encryptedMasterKey = encCipher.doFinal(this.masterKey);
+			final Cipher encCipher = aesKeyWrapCipher(kek, Cipher.WRAP_MODE);
+			byte[] wrappedPrimaryKey = encCipher.wrap(primaryMasterKey);
+			byte[] wrappedSecondaryKey = encCipher.wrap(hMacMasterKey);
 
 			// save encrypted masterkey:
-			final Key key = new Key();
-			key.setIterations(PBKDF2_PW_ITERATIONS);
-			key.setIv(iv);
-			key.setKeyLength(AES_KEY_LENGTH);
-			key.setMasterkey(encryptedMasterKey);
-			key.setSalt(userSalt);
-			key.setPwVerification(encryptedUserKey);
-			objectMapper.writeValue(out, key);
-		} catch (IllegalBlockSizeException | BadPaddingException ex) {
-			throw new IllegalStateException("Block size hard coded. Padding irrelevant in ENCRYPT_MODE. IV must exist in CBC mode.", ex);
+			final KeyFile keyfile = new KeyFile();
+			keyfile.setVersion(KeyFile.CURRENT_VERSION);
+			keyfile.setScryptSalt(kekSalt);
+			keyfile.setScryptCostParam(SCRYPT_COST_PARAM);
+			keyfile.setScryptBlockSize(SCRYPT_BLOCK_SIZE);
+			keyfile.setKeyLength(AES_KEY_LENGTH_IN_BITS);
+			keyfile.setPrimaryMasterKey(wrappedPrimaryKey);
+			keyfile.setHMacMasterKey(wrappedSecondaryKey);
+			objectMapper.writeValue(out, keyfile);
+		} catch (InvalidKeyException | IllegalBlockSizeException ex) {
+			throw new IllegalStateException("Invalid hard coded configuration.", ex);
 		}
 	}
 
@@ -155,62 +145,79 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 	 * Reads the encrypted masterkey from the given input stream and decrypts it with the given password.
 	 * 
 	 * @throws DecryptFailedException If the decryption failed for various reasons (including wrong password).
-	 * @throws WrongPasswordException If the provided password was wrong. Note: Sometimes the algorithm itself fails due to a wrong
-	 *             password. In this case a DecryptFailedException will be thrown.
-	 * @throws UnsupportedKeyLengthException If the masterkey has been encrypted with a higher key length than supported by the system. In
-	 *             this case Java JCE needs to be installed.
+	 * @throws WrongPasswordException If the provided password was wrong. Note: Sometimes the algorithm itself fails due to a wrong password. In this case a DecryptFailedException will be thrown.
+	 * @throws UnsupportedKeyLengthException If the masterkey has been encrypted with a higher key length than supported by the system. In this case Java JCE needs to be installed.
+	 * @throws UnsupportedVaultException If the masterkey file is too old or too modern.
 	 */
 	@Override
-	public void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException {
-		byte[] decrypted = new byte[0];
+	public void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException, UnsupportedVaultException {
 		try {
 			// load encrypted masterkey:
-			final Key key = objectMapper.readValue(in, Key.class);
+			final KeyFile keyfile = objectMapper.readValue(in, KeyFile.class);
+
+			// check version
+			if (keyfile.getVersion() != KeyFile.CURRENT_VERSION) {
+				throw new UnsupportedVaultException(keyfile.getVersion(), KeyFile.CURRENT_VERSION);
+			}
 
 			// check, whether the key length is supported:
-			final int maxKeyLen = Cipher.getMaxAllowedKeyLength(CRYPTO_ALGORITHM);
-			if (key.getKeyLength() > maxKeyLen) {
-				throw new UnsupportedKeyLengthException(key.getKeyLength(), maxKeyLen);
+			final int maxKeyLen = Cipher.getMaxAllowedKeyLength(AES_KEY_ALGORITHM);
+			if (keyfile.getKeyLength() > maxKeyLen) {
+				throw new UnsupportedKeyLengthException(keyfile.getKeyLength(), maxKeyLen);
 			}
 
 			// derive key:
-			final SecretKey userKey = pbkdf2(password, key.getSalt(), key.getIterations(), key.getKeyLength());
+			final SecretKey kek = scrypt(password, keyfile.getScryptSalt(), keyfile.getScryptCostParam(), keyfile.getScryptBlockSize(), keyfile.getKeyLength());
 
-			// check password:
-			final Cipher encCipher = this.cipher(MASTERKEY_CIPHER, userKey, key.getIv(), Cipher.ENCRYPT_MODE);
-			byte[] encryptedUserKey = encCipher.doFinal(userKey.getEncoded());
-			if (!Arrays.equals(key.getPwVerification(), encryptedUserKey)) {
-				throw new WrongPasswordException();
-			}
+			// decrypt and check password by catching AEAD exception
+			final Cipher decCipher = aesKeyWrapCipher(kek, Cipher.UNWRAP_MODE);
+			SecretKey primary = (SecretKey) decCipher.unwrap(keyfile.getPrimaryMasterKey(), AES_KEY_ALGORITHM, Cipher.SECRET_KEY);
+			SecretKey secondary = (SecretKey) decCipher.unwrap(keyfile.getHMacMasterKey(), HMAC_KEY_ALGORITHM, Cipher.SECRET_KEY);
 
-			// decrypt:
-			final Cipher decCipher = this.cipher(MASTERKEY_CIPHER, userKey, key.getIv(), Cipher.DECRYPT_MODE);
-			decrypted = decCipher.doFinal(key.getMasterkey());
-
-			// everything ok, move decrypted data to masterkey:
-			final ByteBuffer masterKeyBuffer = ByteBuffer.wrap(this.masterKey);
-			masterKeyBuffer.put(decrypted);
-		} catch (IllegalBlockSizeException | BadPaddingException | BufferOverflowException ex) {
-			throw new DecryptFailedException(ex);
+			// everything ok, assign decrypted keys:
+			this.primaryMasterKey = primary;
+			this.hMacMasterKey = secondary;
 		} catch (NoSuchAlgorithmException ex) {
 			throw new IllegalStateException("Algorithm should exist.", ex);
-		} finally {
-			Arrays.fill(decrypted, (byte) 0);
+		} catch (InvalidKeyException e) {
+			throw new WrongPasswordException();
 		}
 	}
 
-	/**
-	 * Overwrites the {@link #masterKey} with zeros. As masterKey is a final field, this operation is ensured to work on its actual data.
-	 * Otherwise developers could accidentally just assign a new object to the variable.
-	 */
 	@Override
-	public void swipeSensitiveDataInternal() {
-		Arrays.fill(this.masterKey, (byte) 0);
+	public boolean isDestroyed() {
+		return primaryMasterKey.isDestroyed() && hMacMasterKey.isDestroyed();
 	}
 
-	private Cipher cipher(String cipherTransformation, SecretKey key, byte[] iv, int cipherMode) {
+	@Override
+	public void destroy() {
+		destroyQuietly(primaryMasterKey);
+		destroyQuietly(hMacMasterKey);
+	}
+
+	private void destroyQuietly(Destroyable d) {
 		try {
-			final Cipher cipher = Cipher.getInstance(cipherTransformation);
+			d.destroy();
+		} catch (DestroyFailedException e) {
+			// ignore
+		}
+	}
+
+	private Cipher aesKeyWrapCipher(SecretKey key, int cipherMode) {
+		try {
+			final Cipher cipher = Cipher.getInstance(AES_KEYWRAP_CIPHER);
+			cipher.init(cipherMode, key);
+			return cipher;
+		} catch (InvalidKeyException ex) {
+			throw new IllegalArgumentException("Invalid key.", ex);
+		} catch (NoSuchAlgorithmException | NoSuchPaddingException ex) {
+			throw new IllegalStateException("Algorithm/Padding should exist and accept GCM specs.", ex);
+		}
+	}
+
+	private Cipher aesCtrCipher(SecretKey key, byte[] iv, int cipherMode) {
+		try {
+			final Cipher cipher = Cipher.getInstance(AES_CTR_CIPHER);
 			cipher.init(cipherMode, key, new IvParameterSpec(iv));
 			return cipher;
 		} catch (InvalidKeyException ex) {
@@ -220,213 +227,263 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 		}
 	}
 
+	private Cipher aesCbcCipher(SecretKey key, byte[] iv, int cipherMode) {
+		try {
+			final Cipher cipher = Cipher.getInstance(AES_CBC_CIPHER);
+			cipher.init(cipherMode, key, new IvParameterSpec(iv));
+			return cipher;
+		} catch (InvalidKeyException ex) {
+			throw new IllegalArgumentException("Invalid key.", ex);
+		} catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidAlgorithmParameterException ex) {
+			throw new AssertionError("Every implementation of the Java platform is required to support AES/CBC/PKCS5Padding, which accepts an IV", ex);
+		}
+	}
+
+	private Mac hmacSha256(SecretKey key) {
+		try {
+			final Mac mac = Mac.getInstance(HMAC_KEY_ALGORITHM);
+			mac.init(key);
+			return mac;
+		} catch (NoSuchAlgorithmException e) {
+			throw new AssertionError("Every implementation of the Java platform is required to support HmacSHA256.", e);
+		} catch (InvalidKeyException e) {
+			throw new IllegalArgumentException("Invalid key", e);
+		}
+	}
+
+	private MessageDigest sha256() {
+		try {
+			return MessageDigest.getInstance("SHA-256");
+		} catch (NoSuchAlgorithmException e) {
+			throw new AssertionError("Every implementation of the Java platform is required to support Sha-256");
+		}
+	}
+
 	private byte[] randomData(int length) {
 		final byte[] result = new byte[length];
-		SECURE_PRNG.setSeed(SECURE_PRNG.generateSeed(PRNG_SEED_LENGTH));
-		SECURE_PRNG.nextBytes(result);
+		securePrng.nextBytes(result);
 		return result;
 	}
 
-	private SecretKey pbkdf2(byte[] password, byte[] salt, int iterations, int keyLength) {
-		final char[] pw = new char[password.length];
+	private SecretKey scrypt(CharSequence password, byte[] salt, int costParam, int blockSize, int keyLengthInBits) {
+		// use sb, as password.toString's implementation is unknown
+		final StringBuilder sb = new StringBuilder(password);
+		final byte[] pw = sb.toString().getBytes();
 		try {
-			byteToChar(password, pw);
-			return pbkdf2(CharBuffer.wrap(pw), salt, iterations, keyLength);
+			final byte[] key = SCrypt.generate(pw, salt, costParam, blockSize, 1, keyLengthInBits / Byte.SIZE);
+			return new SecretKeySpec(key, AES_KEY_ALGORITHM);
 		} finally {
-			Arrays.fill(pw, (char) 0);
-		}
-	}
-
-	private SecretKey pbkdf2(CharSequence password, byte[] salt, int iterations, int keyLength) {
-		final int pwLen = password.length();
-		final char[] pw = new char[pwLen];
-		CharBuffer.wrap(password).get(pw, 0, pwLen);
-		try {
-			final KeySpec specs = new PBEKeySpec(pw, salt, iterations, keyLength);
-			final SecretKey pbkdf2Key = PBKDF2_FACTORY.generateSecret(specs);
-			final SecretKey aesKey = new SecretKeySpec(pbkdf2Key.getEncoded(), CRYPTO_ALGORITHM);
-			return aesKey;
-		} catch (InvalidKeySpecException ex) {
-			throw new IllegalStateException("Specs are hard-coded.", ex);
-		} finally {
-			Arrays.fill(pw, (char) 0);
-		}
-	}
-
-	private void byteToChar(byte[] source, char[] destination) {
-		if (source.length != destination.length) {
-			throw new IllegalArgumentException("char[] needs to be the same length as byte[]");
-		}
-		for (int i = 0; i < source.length; i++) {
-			destination[i] = (char) (source[i] & 0xFF);
-		}
-	}
-
-	private long crc32Sum(byte[] source) {
-		final CRC32 crc32 = new CRC32();
-		crc32.update(source);
-		return crc32.getValue();
-	}
-
-	@Override
-	public String encryptPath(String cleartextPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport) {
-		try {
-			final SecretKey key = this.pbkdf2(masterKey, EMPTY_SALT, PBKDF2_MASTERKEY_ITERATIONS, AES_KEY_LENGTH);
-			final String[] cleartextPathComps = StringUtils.split(cleartextPath, cleartextPathSep);
-			final List<String> encryptedPathComps = new ArrayList<>(cleartextPathComps.length);
-			for (final String cleartext : cleartextPathComps) {
-				final String encrypted = encryptPathComponent(cleartext, key, ioSupport);
-				encryptedPathComps.add(encrypted);
+			// destroy copied bytes of the plaintext password:
+			Arrays.fill(pw, (byte) 0);
+			for (int i = 0; i < password.length(); i++) {
+				sb.setCharAt(i, (char) 0);
 			}
-			return StringUtils.join(encryptedPathComps, encryptedPathSep);
-		} catch (IllegalBlockSizeException | BadPaddingException | IOException e) {
-			throw new IllegalStateException("Unable to encrypt path: " + cleartextPath, e);
-		}
-	}
-
-	/**
-	 * Each path component, i.e. file or directory name separated by path separators, gets encrypted for its own.<br/>
-	 * Encryption will blow up the filename length due to aes block sizes and base32 encoding. The result may be too long for some old file
-	 * systems.<br/>
-	 * This means that we need a workaround for filenames longer than the limit defined in
-	 * {@link FileNamingConventions#ENCRYPTED_FILENAME_LENGTH_LIMIT}.<br/>
-	 * <br/>
-	 * In any case we will create the encrypted filename normally. For those, that are too long, we calculate a checksum. No
-	 * cryptographically secure hash is needed here. We just want an uniform distribution for better load balancing. All encrypted filenames
-	 * with the same checksum will then share a metadata file, in which a lookup map between encrypted filenames and short unique
-	 * alternative names are stored.<br/>
-	 * <br/>
-	 * These alternative names consist of the checksum, a unique id and a special file extension defined in
-	 * {@link FileNamingConventions#LONG_NAME_FILE_EXT}.
-	 */
-	private String encryptPathComponent(final String cleartext, final SecretKey key, CryptorIOSupport ioSupport) throws IllegalBlockSizeException, BadPaddingException, IOException {
-		final Cipher cipher = this.cipher(FILE_NAME_CIPHER, key, EMPTY_IV, Cipher.ENCRYPT_MODE);
-		final byte[] cleartextBytes = cleartext.getBytes(Charsets.UTF_8);
-		final byte[] encryptedBytes = cipher.doFinal(cleartextBytes);
-		final String encrypted = ENCRYPTED_FILENAME_CODEC.encodeAsString(encryptedBytes) + BASIC_FILE_EXT;
-
-		if (encrypted.length() > ENCRYPTED_FILENAME_LENGTH_LIMIT) {
-			final String crc32 = Long.toHexString(crc32Sum(encrypted.getBytes()));
-			final String metadataFilename = crc32 + METADATA_FILE_EXT;
-			final LongFilenameMetadata metadata = this.getMetadata(ioSupport, metadataFilename);
-			final String alternativeFileName = crc32 + LONG_NAME_PREFIX_SEPARATOR + metadata.getOrCreateUuidForEncryptedFilename(encrypted).toString() + LONG_NAME_FILE_EXT;
-			this.storeMetadata(ioSupport, metadataFilename, metadata);
-			return alternativeFileName;
-		} else {
-			return encrypted;
 		}
 	}
 
 	@Override
-	public String decryptPath(String encryptedPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport) {
-		try {
-			final SecretKey key = this.pbkdf2(masterKey, EMPTY_SALT, PBKDF2_MASTERKEY_ITERATIONS, AES_KEY_LENGTH);
-			final String[] encryptedPathComps = StringUtils.split(encryptedPath, encryptedPathSep);
-			final List<String> cleartextPathComps = new ArrayList<>(encryptedPathComps.length);
-			for (final String encrypted : encryptedPathComps) {
-				final String cleartext = decryptPathComponent(encrypted, key, ioSupport);
-				cleartextPathComps.add(new String(cleartext));
-			}
-			return StringUtils.join(cleartextPathComps, cleartextPathSep);
-		} catch (IllegalBlockSizeException | BadPaddingException | IOException e) {
-			throw new IllegalStateException("Unable to decrypt path: " + encryptedPath, e);
-		}
-	}
-
-	/**
-	 * @see #encryptPathComponent(String, SecretKey, CryptorIOSupport)
-	 */
-	private String decryptPathComponent(final String encrypted, final SecretKey key, CryptorIOSupport ioSupport) throws IllegalBlockSizeException, BadPaddingException, IOException {
-		final String ciphertext;
-		if (encrypted.endsWith(LONG_NAME_FILE_EXT)) {
-			final String basename = StringUtils.removeEnd(encrypted, LONG_NAME_FILE_EXT);
-			final String crc32 = StringUtils.substringBefore(basename, LONG_NAME_PREFIX_SEPARATOR);
-			final String uuid = StringUtils.substringAfter(basename, LONG_NAME_PREFIX_SEPARATOR);
-			final String metadataFilename = crc32 + METADATA_FILE_EXT;
-			final LongFilenameMetadata metadata = this.getMetadata(ioSupport, metadataFilename);
-			ciphertext = metadata.getEncryptedFilenameForUUID(UUID.fromString(uuid));
-		} else if (encrypted.endsWith(BASIC_FILE_EXT)) {
-			ciphertext = StringUtils.removeEndIgnoreCase(encrypted, BASIC_FILE_EXT);
-		} else {
-			throw new IllegalArgumentException("Unsupported path component: " + encrypted);
-		}
-
-		final Cipher cipher = this.cipher(FILE_NAME_CIPHER, key, EMPTY_IV, Cipher.DECRYPT_MODE);
-		final byte[] encryptedBytes = ENCRYPTED_FILENAME_CODEC.decode(ciphertext);
-		final byte[] cleartextBytes = cipher.doFinal(encryptedBytes);
-		return new String(cleartextBytes, Charsets.UTF_8);
-	}
-
-	private LongFilenameMetadata getMetadata(CryptorIOSupport ioSupport, String metadataFile) throws IOException {
-		final byte[] fileContent = ioSupport.readPathSpecificMetadata(metadataFile);
-		if (fileContent == null) {
-			return new LongFilenameMetadata();
-		} else {
-			return objectMapper.readValue(fileContent, LongFilenameMetadata.class);
-		}
-	}
-
-	private void storeMetadata(CryptorIOSupport ioSupport, String metadataFile, LongFilenameMetadata metadata) throws JsonProcessingException, IOException {
-		ioSupport.writePathSpecificMetadata(metadataFile, objectMapper.writeValueAsBytes(metadata));
+	public String encryptDirectoryPath(String cleartextDirectoryId, String nativePathSep) {
+		final byte[] cleartextBytes = cleartextDirectoryId.getBytes(StandardCharsets.UTF_8);
+		byte[] encryptedBytes = AesSivCipherUtil.sivEncrypt(primaryMasterKey, hMacMasterKey, cleartextBytes);
+		final byte[] hashed = sha256().digest(encryptedBytes);
+		final String encryptedThenHashedPath = ENCRYPTED_FILENAME_CODEC.encodeAsString(hashed);
+		return encryptedThenHashedPath.substring(0, 2) + nativePathSep + encryptedThenHashedPath.substring(2);
 	}
 
 	@Override
-	public Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException {
-		final ByteBuffer sizeBuffer = ByteBuffer.allocate(SIZE_OF_LONG);
-		final int read = encryptedFile.read(sizeBuffer);
-		if (read == SIZE_OF_LONG) {
-			return sizeBuffer.getLong(0);
-		} else {
+	public String encryptFilename(String cleartextName) {
+		final byte[] cleartextBytes = cleartextName.getBytes(StandardCharsets.UTF_8);
+		final byte[] encryptedBytes = AesSivCipherUtil.sivEncrypt(primaryMasterKey, hMacMasterKey, cleartextBytes);
+		return ENCRYPTED_FILENAME_CODEC.encodeAsString(encryptedBytes);
+	}
+
+	@Override
+	public String decryptFilename(String ciphertextName) throws DecryptFailedException {
+		final byte[] encryptedBytes = ENCRYPTED_FILENAME_CODEC.decode(ciphertextName);
+		final byte[] cleartextBytes = AesSivCipherUtil.sivDecrypt(primaryMasterKey, hMacMasterKey, encryptedBytes);
+		return new String(cleartextBytes, StandardCharsets.UTF_8);
+	}
+
+	@Override
+	public Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException, MacAuthenticationFailedException {
+		// read header:
+		encryptedFile.position(0);
+		final ByteBuffer headerBuf = ByteBuffer.allocate(64);
+		final int headerBytesRead = encryptedFile.read(headerBuf);
+		if (headerBytesRead != headerBuf.capacity()) {
 			return null;
 		}
-	}
-
-	@Override
-	public Long decryptedFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException {
-		// skip content size:
-		encryptedFile.position(SIZE_OF_LONG);
 
 		// read iv:
-		final ByteBuffer countingIv = ByteBuffer.allocate(AES_BLOCK_LENGTH);
-		final int read = encryptedFile.read(countingIv);
-		if (read != AES_BLOCK_LENGTH) {
-			throw new IOException("Failed to read encrypted file header.");
+		final byte[] iv = new byte[AES_BLOCK_LENGTH];
+		headerBuf.position(0);
+		headerBuf.get(iv);
+
+		// read content length:
+		final byte[] encryptedContentLengthBytes = new byte[AES_BLOCK_LENGTH];
+		headerBuf.position(16);
+		headerBuf.get(encryptedContentLengthBytes);
+
+		// read stored header mac:
+		final byte[] storedHeaderMac = new byte[32];
+		headerBuf.position(32);
+		headerBuf.get(storedHeaderMac);
+
+		// calculate mac over first 32 bytes of header:
+		final Mac headerMac = this.hmacSha256(hMacMasterKey);
+		headerBuf.rewind();
+		headerBuf.limit(32);
+		headerMac.update(headerBuf);
+
+		final boolean macMatches = MessageDigest.isEqual(storedHeaderMac, headerMac.doFinal());
+		if (!macMatches) {
+			throw new MacAuthenticationFailedException("MAC authentication failed.");
 		}
 
-		// derive secret key and generate cipher:
-		final SecretKey key = this.pbkdf2(masterKey, EMPTY_SALT, PBKDF2_MASTERKEY_ITERATIONS, AES_KEY_LENGTH);
-		final Cipher cipher = this.cipher(FILE_CONTENT_CIPHER, key, countingIv.array(), Cipher.DECRYPT_MODE);
+		return decryptContentLength(encryptedContentLengthBytes, iv);
+	}
 
-		// read content
-		final InputStream in = new SeekableByteChannelInputStream(encryptedFile);
-		final InputStream cipheredIn = new CipherInputStream(in, cipher);
-		return IOUtils.copyLarge(cipheredIn, plaintextFile);
+	private long decryptContentLength(byte[] encryptedContentLengthBytes, byte[] iv) {
+		try {
+			final Cipher sizeCipher = aesCbcCipher(primaryMasterKey, iv, Cipher.DECRYPT_MODE);
+			final byte[] decryptedFileSize = sizeCipher.doFinal(encryptedContentLengthBytes);
+			final ByteBuffer fileSizeBuffer = ByteBuffer.wrap(decryptedFileSize);
+			return fileSizeBuffer.getLong();
+		} catch (IllegalBlockSizeException | BadPaddingException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+
+	private byte[] encryptContentLength(long contentLength, byte[] iv) {
+		try {
+			final ByteBuffer fileSizeBuffer = ByteBuffer.allocate(Long.BYTES);
+			fileSizeBuffer.putLong(contentLength);
+			final Cipher sizeCipher = aesCbcCipher(primaryMasterKey, iv, Cipher.ENCRYPT_MODE);
+			return sizeCipher.doFinal(fileSizeBuffer.array());
+		} catch (IllegalBlockSizeException | BadPaddingException e) {
+			throw new IllegalStateException("Block size must be valid, as padding is requested. BadPaddingException not possible in encrypt mode.", e);
+		}
 	}
 
 	@Override
-	public Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException {
-		// skip content size:
-		encryptedFile.position(SIZE_OF_LONG);
+	public boolean isAuthentic(SeekableByteChannel encryptedFile) throws IOException {
+		// read header:
+		encryptedFile.position(0l);
+		final ByteBuffer headerBuf = ByteBuffer.allocate(96);
+		final int headerBytesRead = encryptedFile.read(headerBuf);
+		if (headerBytesRead != headerBuf.capacity()) {
+			throw new IOException("Failed to read file header.");
+		}
+
+		// read header mac:
+		final byte[] storedHeaderMac = new byte[32];
+		headerBuf.position(32);
+		headerBuf.get(storedHeaderMac);
+
+		// read content mac:
+		final byte[] storedContentMac = new byte[32];
+		headerBuf.position(64);
+		headerBuf.get(storedContentMac);
+
+		// calculate mac over first 32 bytes of header:
+		final Mac headerMac = this.hmacSha256(hMacMasterKey);
+		headerBuf.position(0);
+		headerBuf.limit(32);
+		headerMac.update(headerBuf);
+
+		// calculate mac over content:
+		encryptedFile.position(96l);
+		final Mac contentMac = this.hmacSha256(hMacMasterKey);
+		final InputStream in = new SeekableByteChannelInputStream(encryptedFile);
+		final InputStream macIn = new MacInputStream(in, contentMac);
+		IOUtils.copyLarge(macIn, new NullOutputStream());
+
+		// compare (in constant time):
+		final boolean headerMacMatches = MessageDigest.isEqual(storedHeaderMac, headerMac.doFinal());
+		final boolean contentMacMatches = MessageDigest.isEqual(storedContentMac, contentMac.doFinal());
+		return headerMacMatches && contentMacMatches;
+	}
+
+	@Override
+	public Long decryptFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException, DecryptFailedException {
+		// read header:
+		encryptedFile.position(0l);
+		final ByteBuffer headerBuf = ByteBuffer.allocate(96);
+		final int headerBytesRead = encryptedFile.read(headerBuf);
+		if (headerBytesRead != headerBuf.capacity()) {
+			throw new IOException("Failed to read file header.");
+		}
 
 		// read iv:
+		final byte[] iv = new byte[AES_BLOCK_LENGTH];
+		headerBuf.position(0);
+		headerBuf.get(iv);
+
+		// read content length:
+		final byte[] encryptedContentLengthBytes = new byte[AES_BLOCK_LENGTH];
+		headerBuf.position(16);
+		headerBuf.get(encryptedContentLengthBytes);
+		final Long fileSize = decryptContentLength(encryptedContentLengthBytes, iv);
+
+		// read header mac:
+		final byte[] headerMac = new byte[32];
+		headerBuf.position(32);
+		headerBuf.get(headerMac);
+
+		// read content mac:
+		final byte[] contentMac = new byte[32];
+		headerBuf.position(64);
+		headerBuf.get(contentMac);
+
+		// decrypt content
+		encryptedFile.position(96l);
+		final Mac calculatedContentMac = this.hmacSha256(hMacMasterKey);
+		final Cipher cipher = this.aesCtrCipher(primaryMasterKey, iv, Cipher.DECRYPT_MODE);
+		final InputStream in = new SeekableByteChannelInputStream(encryptedFile);
+		final InputStream macIn = new MacInputStream(in, calculatedContentMac);
+		final InputStream cipheredIn = new CipherInputStream(macIn, cipher);
+		final long bytesDecrypted = IOUtils.copyLarge(cipheredIn, plaintextFile, 0, fileSize);
+
+		// drain remaining bytes to /dev/null to complete MAC calculation:
+		IOUtils.copyLarge(macIn, new NullOutputStream());
+
+		// compare (in constant time):
+		final boolean macMatches = MessageDigest.isEqual(contentMac, calculatedContentMac.doFinal());
+		if (!macMatches) {
+			// This exception will be thrown AFTER we sent the decrypted content to the user.
+			// This has two advantages:
+			// - we don't need to read files twice
+			// - we can still restore files suffering from non-malicious bit rotting
+			// Anyway me MUST make sure to warn the user. This will be done by the UI when catching this exception.
+			throw new MacAuthenticationFailedException("MAC authentication failed.");
+		}
+
+		return bytesDecrypted;
+	}
+
+	@Override
+	public Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException, DecryptFailedException {
+		// read iv:
+		encryptedFile.position(0l);
 		final ByteBuffer countingIv = ByteBuffer.allocate(AES_BLOCK_LENGTH);
-		final int read = encryptedFile.read(countingIv);
-		if (read != AES_BLOCK_LENGTH) {
-			throw new IOException("Failed to read encrypted file header.");
+		final int numIvBytesRead = encryptedFile.read(countingIv);
+
+		// check validity of header:
+		if (numIvBytesRead != AES_BLOCK_LENGTH) {
+			throw new IOException("Failed to read file header.");
 		}
 
 		// seek relevant position and update iv:
 		long firstRelevantBlock = pos / AES_BLOCK_LENGTH; // cut of fraction!
 		long beginOfFirstRelevantBlock = firstRelevantBlock * AES_BLOCK_LENGTH;
 		long offsetInsideFirstRelevantBlock = pos - beginOfFirstRelevantBlock;
-		countingIv.putLong(AES_BLOCK_LENGTH - SIZE_OF_LONG, firstRelevantBlock);
+		countingIv.putInt(AES_BLOCK_LENGTH - Integer.BYTES, (int) firstRelevantBlock); // int-cast is possible, as max file size is 64GiB
 
 		// fast forward stream:
-		encryptedFile.position(SIZE_OF_LONG + AES_BLOCK_LENGTH + beginOfFirstRelevantBlock);
+		encryptedFile.position(96l + beginOfFirstRelevantBlock);
 
-		// derive secret key and generate cipher:
-		final SecretKey key = this.pbkdf2(masterKey, EMPTY_SALT, PBKDF2_MASTERKEY_ITERATIONS, AES_KEY_LENGTH);
-		final Cipher cipher = this.cipher(FILE_CONTENT_CIPHER, key, countingIv.array(), Cipher.DECRYPT_MODE);
+		// generate cipher:
+		final Cipher cipher = this.aesCtrCipher(primaryMasterKey, countingIv.array(), Cipher.DECRYPT_MODE);
 
 		// read content
 		final InputStream in = new SeekableByteChannelInputStream(encryptedFile);
@@ -434,52 +491,67 @@ public class Aes256Cryptor extends AbstractCryptor implements AesCryptographicCo
 		return IOUtils.copyLarge(cipheredIn, plaintextFile, offsetInsideFirstRelevantBlock, length);
 	}
 
+	/**
+	 * header = {16 byte iv, 16 byte filesize, 32 byte headerMac, 32 byte contentMac}
+	 */
 	@Override
-	public Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException {
+	public Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException, EncryptFailedException {
 		// truncate file
-		encryptedFile.truncate(0);
+		encryptedFile.truncate(0l);
 
 		// use an IV, whose last 8 bytes store a long used in counter mode and write initial value to file.
-		final ByteBuffer countingIv = ByteBuffer.wrap(randomData(AES_BLOCK_LENGTH));
-		countingIv.putLong(AES_BLOCK_LENGTH - SIZE_OF_LONG, 0l);
-		countingIv.position(0);
+		final ByteBuffer ivBuf = ByteBuffer.wrap(randomData(AES_BLOCK_LENGTH));
+		ivBuf.putInt(AES_BLOCK_LENGTH - Integer.BYTES, 0);
+		final byte[] iv = ivBuf.array();
 
-		// derive secret key and generate cipher:
-		final SecretKey key = this.pbkdf2(masterKey, EMPTY_SALT, PBKDF2_MASTERKEY_ITERATIONS, AES_KEY_LENGTH);
-		final Cipher cipher = this.cipher(FILE_CONTENT_CIPHER, key, countingIv.array(), Cipher.ENCRYPT_MODE);
+		// 96 byte header buffer (16 IV, 16 size, 32 headerMac, 32 contentMac), filled after writing the content
+		final ByteBuffer headerBuf = ByteBuffer.allocate(96);
+		headerBuf.limit(96);
+		encryptedFile.write(headerBuf);
 
-		// 8 bytes (file size: temporarily -1):
-		final ByteBuffer fileSize = ByteBuffer.allocate(SIZE_OF_LONG);
-		fileSize.putLong(-1L);
-		fileSize.position(0);
-		encryptedFile.write(fileSize);
-
-		// 16 bytes (iv):
-		encryptedFile.write(countingIv);
-
-		// write content:
+		// content encryption:
+		final Cipher cipher = this.aesCtrCipher(primaryMasterKey, iv, Cipher.ENCRYPT_MODE);
+		final Mac contentMac = this.hmacSha256(hMacMasterKey);
 		final OutputStream out = new SeekableByteChannelOutputStream(encryptedFile);
-		final OutputStream cipheredOut = new CipherOutputStream(out, cipher);
-		final Long actualSize = IOUtils.copyLarge(plaintextFile, cipheredOut);
+		final OutputStream macOut = new MacOutputStream(out, contentMac);
+		final OutputStream cipheredOut = new CipherOutputStream(macOut, cipher);
+		final OutputStream blockSizeBufferedOut = new BufferedOutputStream(cipheredOut, AES_BLOCK_LENGTH);
+		final InputStream lengthLimitingIn = new CounterAwareInputStream(plaintextFile);
+		final Long plaintextSize;
+		try {
+			plaintextSize = IOUtils.copyLarge(lengthLimitingIn, blockSizeBufferedOut);
+		} catch (CounterAwareInputLimitReachedException ex) {
+			encryptedFile.truncate(0l);
+			throw new CounterOverflowException("File size exceeds limit (64Gib). Aborting to prevent counter overflow.");
+		}
 
-		// write filesize
-		fileSize.position(0);
-		fileSize.putLong(actualSize);
-		fileSize.position(0);
+		// add random length padding to obfuscate file length:
+		final long numberOfPlaintextBlocks = (int) Math.ceil(plaintextSize / AES_BLOCK_LENGTH);
+		final long minAdditionalBlocks = 4;
+		final long maxAdditionalBlocks = Math.min(numberOfPlaintextBlocks >> 3, 1024 * 1024); // 12,5% of original blocks, but not more than 1M blocks (16MiBs)
+		final long availableBlocks = (1l << 32) - numberOfPlaintextBlocks; // before reaching limit of 2^32 blocks
+		final long additionalBlocks = (long) Math.min(Math.random() * Math.max(minAdditionalBlocks, maxAdditionalBlocks), availableBlocks);
+		final byte[] randomPadding = this.randomData(AES_BLOCK_LENGTH);
+		for (int i = 0; i < additionalBlocks; i += AES_BLOCK_LENGTH) {
+			blockSizeBufferedOut.write(randomPadding);
+		}
+		blockSizeBufferedOut.flush();
+
+		// create and write header:
+		headerBuf.clear();
+		headerBuf.put(iv);
+		headerBuf.put(encryptContentLength(plaintextSize, iv));
+		headerBuf.flip();
+		final Mac headerMac = this.hmacSha256(hMacMasterKey);
+		headerMac.update(headerBuf);
+		headerBuf.limit(96);
+		headerBuf.put(headerMac.doFinal());
+		headerBuf.put(contentMac.doFinal());
+		headerBuf.flip();
 		encryptedFile.position(0);
-		encryptedFile.write(fileSize);
+		encryptedFile.write(headerBuf);
 
-		return actualSize;
-	}
-
-	@Override
-	public Filter<Path> getPayloadFilesFilter() {
-		return new Filter<Path>() {
-			@Override
-			public boolean accept(Path entry) throws IOException {
-				return ENCRYPTED_FILE_GLOB_MATCHER.matches(entry);
-			}
-		};
+		return plaintextSize;
 	}
 
 }

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/AesCryptographicConfiguration.java

@@ -8,33 +8,36 @@
  ******************************************************************************/
 package org.cryptomator.crypto.aes256;
 
+import org.apache.commons.codec.binary.Base32;
+import org.apache.commons.codec.binary.BaseNCodec;
+
 interface AesCryptographicConfiguration {
 
+	/**
+	 * Number of bytes used as salt, where needed.
+	 */
+	int SCRYPT_SALT_LENGTH = 8;
+
+	/**
+	 * Scrypt CPU/Memory cost parameter.
+	 */
+	int SCRYPT_COST_PARAM = 1 << 14;
+
+	/**
+	 * Scrypt block size (affects memory consumption)
+	 */
+	int SCRYPT_BLOCK_SIZE = 8;
+
+	/**
+	 * Preferred number of bytes of the master key.
+	 */
+	int PREF_MASTER_KEY_LENGTH_IN_BITS = 256;
+
 	/**
 	 * Number of bytes used as seed for the PRNG.
 	 */
 	int PRNG_SEED_LENGTH = 16;
 
-	/**
-	 * Number of bytes of the master key. Should be the maximum possible AES key length to provide best security.
-	 */
-	int MASTER_KEY_LENGTH = 256;
-
-	/**
-	 * Number of bytes used as salt, where needed.
-	 */
-	int SALT_LENGTH = 8;
-
-	/**
-	 * 0-filled salt.
-	 */
-	byte[] EMPTY_SALT = new byte[SALT_LENGTH];
-
-	/**
-	 * Algorithm used for key derivation.
-	 */
-	String KEY_FACTORY_ALGORITHM = "PBKDF2WithHmacSHA1";
-
 	/**
 	 * Algorithm used for random number generation.
 	 */
@@ -45,28 +48,33 @@ interface AesCryptographicConfiguration {
 	 * 
 	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#AlgorithmParameters
 	 */
-	String CRYPTO_ALGORITHM = "AES";
+	String AES_KEY_ALGORITHM = "AES";
 
 	/**
-	 * Cipher specs for masterkey encryption.
+	 * Key algorithm for keyed MAC.
+	 */
+	String HMAC_KEY_ALGORITHM = "HmacSHA256";
+
+	/**
+	 * Cipher specs for RFC 3394 masterkey encryption.
 	 * 
 	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher
 	 */
-	String MASTERKEY_CIPHER = "AES/CBC/PKCS5Padding";
+	String AES_KEYWRAP_CIPHER = "AESWrap";
 
 	/**
-	 * Cipher specs for file name encryption.
+	 * Cipher specs for file content encryption. Using CTR-mode for random access.<br/>
 	 * 
 	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher
 	 */
-	String FILE_NAME_CIPHER = "AES/CBC/PKCS5Padding";
+	String AES_CTR_CIPHER = "AES/CTR/NoPadding";
 
 	/**
-	 * Cipher specs for content encryption. Using CTR-mode for random access.
+	 * Cipher specs for file header encryption (fixed-length block cipher).<br/>
 	 * 
-	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher
+	 * @see http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
 	 */
-	String FILE_CONTENT_CIPHER = "AES/CTR/NoPadding";
+	String AES_CBC_CIPHER = "AES/CBC/PKCS5Padding";
 
 	/**
 	 * AES block size is 128 bit or 16 bytes.
@@ -74,19 +82,8 @@ interface AesCryptographicConfiguration {
 	int AES_BLOCK_LENGTH = 16;
 
 	/**
-	 * 0-filled initialization vector.
+	 * How to encode the encrypted file names safely. Base32 uses only alphanumeric characters and is case-insensitive.
 	 */
-	byte[] EMPTY_IV = new byte[AES_BLOCK_LENGTH];
-
-	/**
-	 * Number of iterations for key derived from user pw. High iteration count for better resistance to bruteforcing.
-	 */
-	int PBKDF2_PW_ITERATIONS = 1000;
-
-	/**
-	 * Number of iterations for key derived from masterkey. Low iteration count for better performance. No additional security is added by
-	 * high values.
-	 */
-	int PBKDF2_MASTERKEY_ITERATIONS = 1;
+	BaseNCodec ENCRYPTED_FILENAME_CODEC = new Base32();
 
 }

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/AesSivCipherUtil.java

@@ -0,0 +1,230 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.crypto.aes256;
+
+import java.nio.ByteBuffer;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.util.Arrays;
+
+import javax.crypto.SecretKey;
+
+import org.apache.commons.lang3.ArrayUtils;
+import org.bouncycastle.crypto.BlockCipher;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.Mac;
+import org.bouncycastle.crypto.engines.AESFastEngine;
+import org.bouncycastle.crypto.macs.CMac;
+import org.bouncycastle.crypto.paddings.ISO7816d4Padding;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+
+/**
+ * Implements the RFC 5297 SIV mode.
+ */
+final class AesSivCipherUtil {
+
+	private static final byte[] BYTES_ZERO = new byte[16];
+	private static final byte DOUBLING_CONST = (byte) 0x87;
+
+	static byte[] sivEncrypt(SecretKey aesKey, SecretKey macKey, byte[] plaintext, byte[]... additionalData) {
+		final byte[] aesKeyBytes = aesKey.getEncoded();
+		final byte[] macKeyBytes = macKey.getEncoded();
+		if (aesKeyBytes == null || macKeyBytes == null) {
+			throw new IllegalArgumentException("Can't get bytes of given key.");
+		}
+		try {
+			return sivEncrypt(aesKeyBytes, macKeyBytes, plaintext, additionalData);
+		} catch (InvalidKeyException ex) {
+			throw new IllegalArgumentException(ex);
+		} finally {
+			Arrays.fill(aesKeyBytes, (byte) 0);
+			Arrays.fill(macKeyBytes, (byte) 0);
+		}
+	}
+
+	static byte[] sivEncrypt(byte[] aesKey, byte[] macKey, byte[] plaintext, byte[]... additionalData) throws InvalidKeyException {
+		if (aesKey.length != 16 && aesKey.length != 24 && aesKey.length != 32) {
+			throw new InvalidKeyException("Invalid aesKey length " + aesKey.length);
+		}
+
+		final byte[] iv = s2v(macKey, plaintext, additionalData);
+
+		final int numBlocks = (plaintext.length + 15) / 16;
+
+		// clear out the 31st and 63rd (rightmost) bit:
+		final byte[] ctr = Arrays.copyOf(iv, 16);
+		ctr[8] = (byte) (ctr[8] & 0x7F);
+		ctr[12] = (byte) (ctr[12] & 0x7F);
+		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
+		final long initialCtrVal = ctrBuf.getLong(8);
+
+		final byte[] x = new byte[numBlocks * 16];
+		final BlockCipher aes = new AESFastEngine();
+		aes.init(true, new KeyParameter(aesKey));
+		for (int i = 0; i < numBlocks; i++) {
+			final long ctrVal = initialCtrVal + i;
+			ctrBuf.putLong(8, ctrVal);
+			aes.processBlock(ctrBuf.array(), 0, x, i * 16);
+			aes.reset();
+		}
+
+		final byte[] ciphertext = xor(plaintext, x);
+
+		return ArrayUtils.addAll(iv, ciphertext);
+	}
+
+	static byte[] sivDecrypt(SecretKey aesKey, SecretKey macKey, byte[] plaintext, byte[]... additionalData) throws DecryptFailedException {
+		final byte[] aesKeyBytes = aesKey.getEncoded();
+		final byte[] macKeyBytes = macKey.getEncoded();
+		if (aesKeyBytes == null || macKeyBytes == null) {
+			throw new IllegalArgumentException("Can't get bytes of given key.");
+		}
+		try {
+			return sivDecrypt(aesKeyBytes, macKeyBytes, plaintext, additionalData);
+		} catch (InvalidKeyException ex) {
+			throw new IllegalArgumentException(ex);
+		} finally {
+			Arrays.fill(aesKeyBytes, (byte) 0);
+			Arrays.fill(macKeyBytes, (byte) 0);
+		}
+	}
+
+	static byte[] sivDecrypt(byte[] aesKey, byte[] macKey, byte[] ciphertext, byte[]... additionalData) throws DecryptFailedException, InvalidKeyException {
+		if (aesKey.length != 16 && aesKey.length != 24 && aesKey.length != 32) {
+			throw new InvalidKeyException("Invalid aesKey length " + aesKey.length);
+		}
+
+		final byte[] iv = Arrays.copyOf(ciphertext, 16);
+
+		final byte[] actualCiphertext = Arrays.copyOfRange(ciphertext, 16, ciphertext.length);
+		final int numBlocks = (actualCiphertext.length + 15) / 16;
+
+		// clear out the 31st and 63rd (rightmost) bit:
+		final byte[] ctr = Arrays.copyOf(iv, 16);
+		ctr[8] = (byte) (ctr[8] & 0x7F);
+		ctr[12] = (byte) (ctr[12] & 0x7F);
+		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
+		final long initialCtrVal = ctrBuf.getLong(8);
+
+		final byte[] x = new byte[numBlocks * 16];
+		final BlockCipher aes = new AESFastEngine();
+		aes.init(true, new KeyParameter(aesKey));
+		for (int i = 0; i < numBlocks; i++) {
+			final long ctrVal = initialCtrVal + i;
+			ctrBuf.putLong(8, ctrVal);
+			aes.processBlock(ctrBuf.array(), 0, x, i * 16);
+			aes.reset();
+		}
+
+		final byte[] plaintext = xor(actualCiphertext, x);
+
+		final byte[] control = s2v(macKey, plaintext, additionalData);
+
+		if (MessageDigest.isEqual(control, iv)) {
+			return plaintext;
+		} else {
+			throw new DecryptFailedException("Authentication failed");
+		}
+	}
+
+	static byte[] s2v(byte[] macKey, byte[] plaintext, byte[]... additionalData) {
+		final CipherParameters params = new KeyParameter(macKey);
+		final BlockCipher aes = new AESFastEngine();
+		final CMac mac = new CMac(aes);
+		mac.init(params);
+
+		byte[] d = mac(mac, BYTES_ZERO);
+
+		for (byte[] s : additionalData) {
+			d = xor(dbl(d), mac(mac, s));
+		}
+
+		final byte[] t;
+		if (plaintext.length >= 16) {
+			t = xorend(plaintext, d);
+		} else {
+			t = xor(dbl(d), pad(plaintext));
+		}
+
+		return mac(mac, t);
+	}
+
+	private static byte[] mac(Mac mac, byte[] in) {
+		byte[] result = new byte[mac.getMacSize()];
+		mac.update(in, 0, in.length);
+		mac.doFinal(result, 0);
+		return result;
+	}
+
+	/**
+	 * First bit 1, following bits 0.
+	 */
+	private static byte[] pad(byte[] in) {
+		final byte[] result = Arrays.copyOf(in, 16);
+		new ISO7816d4Padding().addPadding(result, in.length);
+		return result;
+	}
+
+	/**
+	 * Code taken from {@link org.bouncycastle.crypto.macs.CMac}
+	 */
+	private static int shiftLeft(byte[] block, byte[] output) {
+		int i = block.length;
+		int bit = 0;
+		while (--i >= 0) {
+			int b = block[i] & 0xff;
+			output[i] = (byte) ((b << 1) | bit);
+			bit = (b >>> 7) & 1;
+		}
+		return bit;
+	}
+
+	/**
+	 * Code taken from {@link org.bouncycastle.crypto.macs.CMac}
+	 */
+	private static byte[] dbl(byte[] in) {
+		byte[] ret = new byte[in.length];
+		int carry = shiftLeft(in, ret);
+		int xor = 0xff & DOUBLING_CONST;
+
+		/*
+		 * NOTE: This construction is an attempt at a constant-time implementation.
+		 */
+		ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3));
+
+		return ret;
+	}
+
+	private static byte[] xor(byte[] in1, byte[] in2) {
+		if (in1 == null || in2 == null || in1.length > in2.length) {
+			throw new IllegalArgumentException("Length of first input must be <= length of second input.");
+		}
+
+		final byte[] result = new byte[in1.length];
+		for (int i = 0; i < result.length; i++) {
+			result[i] = (byte) (in1[i] ^ in2[i]);
+		}
+		return result;
+	}
+
+	private static byte[] xorend(byte[] in1, byte[] in2) {
+		if (in1 == null || in2 == null || in1.length < in2.length) {
+			throw new IllegalArgumentException("Length of first input must be >= length of second input.");
+		}
+
+		final byte[] result = Arrays.copyOf(in1, in1.length);
+		final int diff = in1.length - in2.length;
+		for (int i = 0; i < in2.length; i++) {
+			result[i + diff] = (byte) (result[i + diff] ^ in2[i]);
+		}
+		return result;
+	}
+
+}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/CounterAwareInputStream.java

@@ -0,0 +1,57 @@
+package org.cryptomator.crypto.aes256;
+
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.concurrent.atomic.AtomicLong;
+
+/**
+ * Throws an exception, if more than (2^32)-1 16 byte blocks will be encrypted (would result in an counter overflow).<br/>
+ * From https://tools.ietf.org/html/rfc3686: <cite> Using the encryption process described in section 2.1, this construction permits each packet to consist of up to: (2^32)-1 blocks</cite>
+ */
+class CounterAwareInputStream extends FilterInputStream {
+
+	static final long SIXTY_FOUR_GIGABYE = ((1l << 32) - 1) * 16;
+
+	private final AtomicLong counter;
+
+	/**
+	 * @param in Stream from which to read contents, which will update the Mac.
+	 */
+	public CounterAwareInputStream(InputStream in) {
+		super(in);
+		this.counter = new AtomicLong(0l);
+	}
+
+	@Override
+	public int read() throws IOException {
+		int b = in.read();
+		if (b != -1) {
+			final long currentValue = counter.incrementAndGet();
+			failWhen64GibReached(currentValue);
+		}
+		return b;
+	}
+
+	@Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		int read = in.read(b, off, len);
+		if (read > 0) {
+			final long currentValue = counter.addAndGet(read);
+			failWhen64GibReached(currentValue);
+		}
+		return read;
+	}
+
+	private void failWhen64GibReached(long currentValue) throws CounterAwareInputLimitReachedException {
+		if (currentValue > SIXTY_FOUR_GIGABYE) {
+			throw new CounterAwareInputLimitReachedException();
+		}
+	}
+
+	static class CounterAwareInputLimitReachedException extends IOException {
+		private static final long serialVersionUID = -1905012809288019359L;
+
+	}
+
+}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/FileNamingConventions.java

@@ -1,61 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.crypto.aes256;
-
-import java.nio.file.FileSystems;
-import java.nio.file.PathMatcher;
-
-import org.apache.commons.codec.binary.Base32;
-import org.apache.commons.codec.binary.BaseNCodec;
-
-interface FileNamingConventions {
-
-	/**
-	 * Extension of masterkey files inside the root directory of the encrypted storage.
-	 */
-	String MASTERKEY_FILE_EXT = ".masterkey.json";
-
-	/**
-	 * How to encode the encrypted file names safely.
-	 */
-	BaseNCodec ENCRYPTED_FILENAME_CODEC = new Base32();
-
-	/**
-	 * Maximum length possible on file systems with a filename limit of 255 chars.<br/>
-	 * Also we would need a few chars for our file extension, so lets use {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT}.
-	 */
-	int ENCRYPTED_FILENAME_LENGTH_LIMIT = 250;
-
-	/**
-	 * For plaintext file names <= {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
-	 */
-	String BASIC_FILE_EXT = ".aes";
-
-	/**
-	 * For plaintext file names > {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars.
-	 */
-	String LONG_NAME_FILE_EXT = ".lng.aes";
-
-	/**
-	 * Prefix in file names > {@value #ENCRYPTED_FILENAME_LENGTH_LIMIT} chars used to determine the corresponding metadata file.
-	 */
-	String LONG_NAME_PREFIX_SEPARATOR = "_";
-
-	/**
-	 * For metadata files for a certain group of files. The cryptor may decide what files to assign to the same group; hopefully using some
-	 * kind of uniform distribution for better load balancing.
-	 */
-	String METADATA_FILE_EXT = ".meta";
-
-	/**
-	 * Matches both, {@value #BASIC_FILE_EXT} and {@value #LONG_NAME_FILE_EXT} files.
-	 */
-	PathMatcher ENCRYPTED_FILE_GLOB_MATCHER = FileSystems.getDefault().getPathMatcher("glob:**/*{" + BASIC_FILE_EXT + "," + LONG_NAME_FILE_EXT + "}");
-
-}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/Key.java

@@ -1,67 +0,0 @@
-package org.cryptomator.crypto.aes256;
-
-import java.io.Serializable;
-
-import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-
-@JsonPropertyOrder(value = { "salt", "iv", "iterations", "keyLength", "masterkey" })
-public class Key implements Serializable {
-
-	private static final long serialVersionUID = 8578363158959619885L;
-	private byte[] salt;
-	private byte[] iv;
-	private int iterations;
-	private int keyLength;
-	private byte[] pwVerification;
-	private byte[] masterkey;
-	
-	public byte[] getSalt() {
-		return salt;
-	}
-	
-	public void setSalt(byte[] salt) {
-		this.salt = salt;
-	}
-
-	public byte[] getIv() {
-		return iv;
-	}
-
-	public void setIv(byte[] iv) {
-		this.iv = iv;
-	}
-
-	public int getIterations() {
-		return iterations;
-	}
-
-	public void setIterations(int iterations) {
-		this.iterations = iterations;
-	}
-
-	public int getKeyLength() {
-		return keyLength;
-	}
-
-	public void setKeyLength(int keyLength) {
-		this.keyLength = keyLength;
-	}
-
-	public byte[] getPwVerification() {
-		return pwVerification;
-	}
-
-	public void setPwVerification(byte[] pwVerification) {
-		this.pwVerification = pwVerification;
-	}
-
-	public byte[] getMasterkey() {
-		return masterkey;
-	}
-
-	public void setMasterkey(byte[] masterkey) {
-		this.masterkey = masterkey;
-	}
-
-	
-}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/KeyFile.java

@@ -0,0 +1,77 @@
+package org.cryptomator.crypto.aes256;
+
+import java.io.Serializable;
+
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+
+@JsonPropertyOrder(value = {"version", "scryptSalt", "scryptCostParam", "scryptBlockSize", "keyLength", "primaryMasterKey", "hMacMasterKey"})
+public class KeyFile implements Serializable {
+
+	static final Integer CURRENT_VERSION = 1;
+	private static final long serialVersionUID = 8578363158959619885L;
+
+	private Integer version;
+	private byte[] scryptSalt;
+	private int scryptCostParam;
+	private int scryptBlockSize;
+	private int keyLength;
+	private byte[] primaryMasterKey;
+	private byte[] hMacMasterKey;
+
+	public Integer getVersion() {
+		return version;
+	}
+
+	public void setVersion(Integer version) {
+		this.version = version;
+	}
+
+	public byte[] getScryptSalt() {
+		return scryptSalt;
+	}
+
+	public void setScryptSalt(byte[] scryptSalt) {
+		this.scryptSalt = scryptSalt;
+	}
+
+	public int getScryptCostParam() {
+		return scryptCostParam;
+	}
+
+	public void setScryptCostParam(int scryptCostParam) {
+		this.scryptCostParam = scryptCostParam;
+	}
+
+	public int getScryptBlockSize() {
+		return scryptBlockSize;
+	}
+
+	public void setScryptBlockSize(int scryptBlockSize) {
+		this.scryptBlockSize = scryptBlockSize;
+	}
+
+	public int getKeyLength() {
+		return keyLength;
+	}
+
+	public void setKeyLength(int keyLength) {
+		this.keyLength = keyLength;
+	}
+
+	public byte[] getPrimaryMasterKey() {
+		return primaryMasterKey;
+	}
+
+	public void setPrimaryMasterKey(byte[] primaryMasterKey) {
+		this.primaryMasterKey = primaryMasterKey;
+	}
+
+	public byte[] getHMacMasterKey() {
+		return hMacMasterKey;
+	}
+
+	public void setHMacMasterKey(byte[] hMacMasterKey) {
+		this.hMacMasterKey = hMacMasterKey;
+	}
+
+}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/LongFilenameMetadata.java

@@ -1,49 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.crypto.aes256;
-
-import java.io.Serializable;
-import java.util.UUID;
-
-import org.apache.commons.collections4.BidiMap;
-import org.apache.commons.collections4.bidimap.DualHashBidiMap;
-
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-
-class LongFilenameMetadata implements Serializable {
-
-	private static final long serialVersionUID = 6214509403824421320L;
-
-	@JsonDeserialize(as = DualHashBidiMap.class)
-	private BidiMap<UUID, String> encryptedFilenames = new DualHashBidiMap<>();
-
-	/* Getter/Setter */
-
-	public synchronized String getEncryptedFilenameForUUID(final UUID uuid) {
-		return encryptedFilenames.get(uuid);
-	}
-
-	public synchronized UUID getOrCreateUuidForEncryptedFilename(String encryptedFilename) {
-		UUID uuid = encryptedFilenames.getKey(encryptedFilename);
-		if (uuid == null) {
-			uuid = UUID.randomUUID();
-			encryptedFilenames.put(uuid, encryptedFilename);
-		}
-		return uuid;
-	}
-
-	public BidiMap<UUID, String> getEncryptedFilenames() {
-		return encryptedFilenames;
-	}
-
-	public void setEncryptedFilenames(BidiMap<UUID, String> encryptedFilenames) {
-		this.encryptedFilenames = encryptedFilenames;
-	}
-
-}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/MacInputStream.java

@@ -0,0 +1,43 @@
+package org.cryptomator.crypto.aes256;
+
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.crypto.Mac;
+
+/**
+ * Updates a {@link Mac} with the bytes read from this stream.
+ */
+class MacInputStream extends FilterInputStream {
+
+	private final Mac mac;
+
+	/**
+	 * @param in Stream from which to read contents, which will update the Mac.
+	 * @param mac Mac to be updated during writes.
+	 */
+	public MacInputStream(InputStream in, Mac mac) {
+		super(in);
+		this.mac = mac;
+	}
+
+	@Override
+	public int read() throws IOException {
+		int b = in.read();
+		if (b != -1) {
+			mac.update((byte) b);
+		}
+		return b;
+	}
+
+	@Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		int read = in.read(b, off, len);
+		if (read > 0) {
+			mac.update(b, off, read);
+		}
+		return read;
+	}
+
+}

main/crypto-aes/src/main/java/org/cryptomator/crypto/aes256/MacOutputStream.java

@@ -0,0 +1,37 @@
+package org.cryptomator.crypto.aes256;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+import javax.crypto.Mac;
+
+/**
+ * Updates a {@link Mac} with the bytes written to this stream.
+ */
+class MacOutputStream extends FilterOutputStream {
+
+	private final Mac mac;
+
+	/**
+	 * @param out Stream to redirect contents to after updating the mac.
+	 * @param mac Mac to be updated during writes.
+	 */
+	public MacOutputStream(OutputStream out, Mac mac) {
+		super(out);
+		this.mac = mac;
+	}
+
+	@Override
+	public void write(int b) throws IOException {
+		mac.update((byte) b);
+		out.write(b);
+	}
+
+	@Override
+	public void write(byte[] b, int off, int len) throws IOException {
+		mac.update(b, off, len);
+		out.write(b, off, len);
+	}
+
+}

main/crypto-aes/src/test/java/org/cryptomator/crypto/aes256/Aes256CryptorTest.java

@@ -15,31 +15,29 @@ import java.io.InputStream;
 import java.nio.ByteBuffer;
 import java.nio.channels.SeekableByteChannel;
 import java.util.Arrays;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Random;
+
+import javax.security.auth.DestroyFailedException;
 
 import org.apache.commons.io.IOUtils;
-import org.cryptomator.crypto.CryptorIOSupport;
 import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
 import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
 import org.cryptomator.crypto.exceptions.WrongPasswordException;
 import org.junit.Assert;
 import org.junit.Test;
 
 public class Aes256CryptorTest {
 
-	private static final Random TEST_PRNG = new Random();
-
 	@Test
-	public void testCorrectPassword() throws IOException, WrongPasswordException, DecryptFailedException, UnsupportedKeyLengthException {
+	public void testCorrectPassword() throws IOException, WrongPasswordException, DecryptFailedException, UnsupportedKeyLengthException, DestroyFailedException, UnsupportedVaultException {
 		final String pw = "asd";
-		final Aes256Cryptor cryptor = new Aes256Cryptor(TEST_PRNG);
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
 		final ByteArrayOutputStream out = new ByteArrayOutputStream();
 		cryptor.encryptMasterKey(out, pw);
-		cryptor.swipeSensitiveData();
+		cryptor.destroy();
 
-		final Aes256Cryptor decryptor = new Aes256Cryptor(TEST_PRNG);
+		final Aes256Cryptor decryptor = new Aes256Cryptor();
 		final InputStream in = new ByteArrayInputStream(out.toByteArray());
 		decryptor.decryptMasterKey(in, pw);
 
@@ -47,46 +45,124 @@ public class Aes256CryptorTest {
 		IOUtils.closeQuietly(in);
 	}
 
-	@Test(expected = WrongPasswordException.class)
-	public void testWrongPassword() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException {
+	@Test
+	public void testWrongPassword() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, DestroyFailedException, UnsupportedVaultException {
 		final String pw = "asd";
-		final Aes256Cryptor cryptor = new Aes256Cryptor(TEST_PRNG);
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
 		final ByteArrayOutputStream out = new ByteArrayOutputStream();
 		cryptor.encryptMasterKey(out, pw);
-		cryptor.swipeSensitiveData();
-
-		final String wrongPw = "foo";
-		final Aes256Cryptor decryptor = new Aes256Cryptor(TEST_PRNG);
-		final InputStream in = new ByteArrayInputStream(out.toByteArray());
-		decryptor.decryptMasterKey(in, wrongPw);
-
+		cryptor.destroy();
 		IOUtils.closeQuietly(out);
-		IOUtils.closeQuietly(in);
+
+		// all these passwords are expected to fail.
+		final String[] wrongPws = {"a", "as", "asdf", "sdf", "das", "dsa", "foo", "bar", "baz"};
+		final Aes256Cryptor decryptor = new Aes256Cryptor();
+		for (final String wrongPw : wrongPws) {
+			final InputStream in = new ByteArrayInputStream(out.toByteArray());
+			try {
+				decryptor.decryptMasterKey(in, wrongPw);
+				Assert.fail("should not succeed.");
+			} catch (WrongPasswordException e) {
+				continue;
+			} finally {
+				IOUtils.closeQuietly(in);
+			}
+		}
 	}
 
 	@Test
-	public void testEncryptionAndDecryption() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException {
+	public void testIntegrityAuthentication() throws IOException, DecryptFailedException, EncryptFailedException {
 		// our test plaintext data:
 		final byte[] plaintextData = "Hello World".getBytes();
 		final InputStream plaintextIn = new ByteArrayInputStream(plaintextData);
 
 		// init cryptor:
-		final Aes256Cryptor cryptor = new Aes256Cryptor(TEST_PRNG);
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
 
 		// encrypt:
-		final ByteBuffer encryptedData = ByteBuffer.allocate(plaintextData.length + 200);
+		final ByteBuffer encryptedData = ByteBuffer.allocate(256);
 		final SeekableByteChannel encryptedOut = new ByteBufferBackedSeekableChannel(encryptedData);
 		cryptor.encryptFile(plaintextIn, encryptedOut);
 		IOUtils.closeQuietly(plaintextIn);
 		IOUtils.closeQuietly(encryptedOut);
 
-		// decrypt:
+		encryptedData.position(0);
+
+		// toggle one bit inf first content byte:
+		encryptedData.position(64);
+		final byte fifthByte = encryptedData.get();
+		encryptedData.position(64);
+		encryptedData.put((byte) (fifthByte ^ 0x01));
+
+		encryptedData.position(0);
+
+		// check mac (should return false)
+		final SeekableByteChannel encryptedIn = new ByteBufferBackedSeekableChannel(encryptedData);
+		final boolean authentic = cryptor.isAuthentic(encryptedIn);
+		Assert.assertFalse(authentic);
+	}
+
+	@Test(expected = DecryptFailedException.class)
+	public void testIntegrityViolationDuringDecryption() throws IOException, DecryptFailedException, EncryptFailedException {
+		// our test plaintext data:
+		final byte[] plaintextData = "Hello World".getBytes();
+		final InputStream plaintextIn = new ByteArrayInputStream(plaintextData);
+
+		// init cryptor:
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
+
+		// encrypt:
+		final ByteBuffer encryptedData = ByteBuffer.allocate(256);
+		final SeekableByteChannel encryptedOut = new ByteBufferBackedSeekableChannel(encryptedData);
+		cryptor.encryptFile(plaintextIn, encryptedOut);
+		IOUtils.closeQuietly(plaintextIn);
+		IOUtils.closeQuietly(encryptedOut);
+
+		encryptedData.position(0);
+
+		// toggle one bit inf first content byte:
+		encryptedData.position(64);
+		final byte fifthByte = encryptedData.get();
+		encryptedData.position(64);
+		encryptedData.put((byte) (fifthByte ^ 0x01));
+
+		encryptedData.position(0);
+
+		// decrypt modified content (should fail with DecryptFailedException):
 		final SeekableByteChannel encryptedIn = new ByteBufferBackedSeekableChannel(encryptedData);
 		final ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
-		final Long numDecryptedBytes = cryptor.decryptedFile(encryptedIn, plaintextOut);
+		cryptor.decryptFile(encryptedIn, plaintextOut);
+	}
+
+	@Test
+	public void testEncryptionAndDecryption() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, EncryptFailedException {
+		// our test plaintext data:
+		final byte[] plaintextData = "Hello World".getBytes();
+		final InputStream plaintextIn = new ByteArrayInputStream(plaintextData);
+
+		// init cryptor:
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
+
+		// encrypt:
+		final ByteBuffer encryptedData = ByteBuffer.allocate(256);
+		final SeekableByteChannel encryptedOut = new ByteBufferBackedSeekableChannel(encryptedData);
+		cryptor.encryptFile(plaintextIn, encryptedOut);
+		IOUtils.closeQuietly(plaintextIn);
+		IOUtils.closeQuietly(encryptedOut);
+
+		encryptedData.position(0);
+
+		// decrypt file size:
+		final SeekableByteChannel encryptedIn = new ByteBufferBackedSeekableChannel(encryptedData);
+		final Long filesize = cryptor.decryptedContentLength(encryptedIn);
+		Assert.assertEquals(plaintextData.length, filesize.longValue());
+
+		// decrypt:
+		final ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
+		final Long numDecryptedBytes = cryptor.decryptFile(encryptedIn, plaintextOut);
 		IOUtils.closeQuietly(encryptedIn);
 		IOUtils.closeQuietly(plaintextOut);
-		Assert.assertTrue(numDecryptedBytes > 0);
+		Assert.assertEquals(filesize.longValue(), numDecryptedBytes.longValue());
 
 		// check decrypted data:
 		final byte[] result = plaintextOut.toByteArray();
@@ -94,7 +170,7 @@ public class Aes256CryptorTest {
 	}
 
 	@Test
-	public void testPartialDecryption() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException {
+	public void testPartialDecryption() throws IOException, DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, EncryptFailedException {
 		// our test plaintext data:
 		final byte[] plaintextData = new byte[65536 * Integer.BYTES];
 		final ByteBuffer bbIn = ByteBuffer.wrap(plaintextData);
@@ -104,15 +180,17 @@ public class Aes256CryptorTest {
 		final InputStream plaintextIn = new ByteArrayInputStream(plaintextData);
 
 		// init cryptor:
-		final Aes256Cryptor cryptor = new Aes256Cryptor(TEST_PRNG);
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
 
 		// encrypt:
-		final ByteBuffer encryptedData = ByteBuffer.allocate(plaintextData.length + 200);
+		final ByteBuffer encryptedData = ByteBuffer.allocate((int) (96 + plaintextData.length * 1.2));
 		final SeekableByteChannel encryptedOut = new ByteBufferBackedSeekableChannel(encryptedData);
 		cryptor.encryptFile(plaintextIn, encryptedOut);
 		IOUtils.closeQuietly(plaintextIn);
 		IOUtils.closeQuietly(encryptedOut);
 
+		encryptedData.position(0);
+
 		// decrypt:
 		final SeekableByteChannel encryptedIn = new ByteBufferBackedSeekableChannel(encryptedData);
 		final ByteArrayOutputStream plaintextOut = new ByteArrayOutputStream();
@@ -128,38 +206,31 @@ public class Aes256CryptorTest {
 	}
 
 	@Test
-	public void testEncryptionOfFilenames() throws IOException {
-		final CryptorIOSupport ioSupportMock = new CryptoIOSupportMock();
-		final Aes256Cryptor cryptor = new Aes256Cryptor(TEST_PRNG);
+	public void testEncryptionOfFilenames() throws IOException, DecryptFailedException {
+		final Aes256Cryptor cryptor = new Aes256Cryptor();
 
-		// short path components
+		// directory paths
 		final String originalPath1 = "foo/bar/baz";
-		final String encryptedPath1 = cryptor.encryptPath(originalPath1, '/', '/', ioSupportMock);
-		final String decryptedPath1 = cryptor.decryptPath(encryptedPath1, '/', '/', ioSupportMock);
-		Assert.assertEquals(originalPath1, decryptedPath1);
+		final String encryptedPath1a = cryptor.encryptDirectoryPath(originalPath1, "/");
+		final String encryptedPath1b = cryptor.encryptDirectoryPath(originalPath1, "/");
+		Assert.assertEquals(encryptedPath1a, encryptedPath1b);
 
-		// long path components
+		// long file names
 		final String str50chars = "aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeee";
-		final String originalPath2 = "foo/" + str50chars + str50chars + str50chars + str50chars + str50chars + "/baz";
-		final String encryptedPath2 = cryptor.encryptPath(originalPath2, '/', '/', ioSupportMock);
-		final String decryptedPath2 = cryptor.decryptPath(encryptedPath2, '/', '/', ioSupportMock);
+		final String originalPath2 = str50chars + str50chars + str50chars + str50chars + str50chars + "_isLongerThan255Chars.txt";
+		final String encryptedPath2a = cryptor.encryptFilename(originalPath2);
+		final String encryptedPath2b = cryptor.encryptFilename(originalPath2);
+		Assert.assertEquals(encryptedPath2a, encryptedPath2b);
+		final String decryptedPath2 = cryptor.decryptFilename(encryptedPath2a);
 		Assert.assertEquals(originalPath2, decryptedPath2);
-	}
-
-	private static class CryptoIOSupportMock implements CryptorIOSupport {
-
-		private final Map<String, byte[]> map = new HashMap<>();
-
-		@Override
-		public void writePathSpecificMetadata(String encryptedPath, byte[] encryptedMetadata) {
-			map.put(encryptedPath, encryptedMetadata);
-		}
-
-		@Override
-		public byte[] readPathSpecificMetadata(String encryptedPath) {
-			return map.get(encryptedPath);
-		}
 
+		// block size length file names
+		final String originalPath3 = "aaaabbbbccccdddd";
+		final String encryptedPath3a = cryptor.encryptFilename(originalPath3);
+		final String encryptedPath3b = cryptor.encryptFilename(originalPath3);
+		Assert.assertEquals(encryptedPath3a, encryptedPath3b);
+		final String decryptedPath3 = cryptor.decryptFilename(encryptedPath3a);
+		Assert.assertEquals(originalPath3, decryptedPath3);
 	}
 
 }

main/crypto-aes/src/test/java/org/cryptomator/crypto/aes256/AesSivCipherUtilTest.java

@@ -0,0 +1,224 @@
+package org.cryptomator.crypto.aes256;
+
+import java.security.InvalidKeyException;
+
+import org.apache.commons.codec.DecoderException;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Official RFC 5297 test vector taken from https://tools.ietf.org/html/rfc5297#appendix-A.1
+ */
+public class AesSivCipherUtilTest {
+
+	@Test
+	public void testS2v() throws DecoderException {
+		final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, //
+				(byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, //
+				(byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, //
+				(byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0};
+
+		final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, //
+				(byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, //
+				(byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, //
+				(byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, //
+				(byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, //
+				(byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27};
+
+		final byte[] plaintext = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, //
+				(byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, //
+				(byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, //
+				(byte) 0xdd, (byte) 0xee};
+
+		final byte[] expected = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93};
+
+		final byte[] result = AesSivCipherUtil.s2v(macKey, plaintext, ad);
+		Assert.assertArrayEquals(expected, result);
+	}
+
+	@Test
+	public void testSivEncrypt() throws InvalidKeyException {
+		final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, //
+				(byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, //
+				(byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, //
+				(byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0};
+
+		final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff};
+
+		final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, //
+				(byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, //
+				(byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, //
+				(byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, //
+				(byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, //
+				(byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27};
+
+		final byte[] plaintext = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, //
+				(byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, //
+				(byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, //
+				(byte) 0xdd, (byte) 0xee};
+
+		final byte[] expected = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, //
+				(byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, //
+				(byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, //
+				(byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, //
+				(byte) 0xfe, (byte) 0x5c};
+
+		final byte[] result = AesSivCipherUtil.sivEncrypt(aesKey, macKey, plaintext, ad);
+		Assert.assertArrayEquals(expected, result);
+	}
+
+	@Test
+	public void testSivDecrypt() throws DecryptFailedException, InvalidKeyException {
+		final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, //
+				(byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, //
+				(byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, //
+				(byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0};
+
+		final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff};
+
+		final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, //
+				(byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, //
+				(byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, //
+				(byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, //
+				(byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, //
+				(byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27};
+
+		final byte[] ciphertext = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, //
+				(byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, //
+				(byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, //
+				(byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, //
+				(byte) 0xfe, (byte) 0x5c};
+
+		final byte[] expected = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, //
+				(byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, //
+				(byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, //
+				(byte) 0xdd, (byte) 0xee};
+
+		final byte[] result = AesSivCipherUtil.sivDecrypt(aesKey, macKey, ciphertext, ad);
+		Assert.assertArrayEquals(expected, result);
+	}
+
+	@Test(expected = DecryptFailedException.class)
+	public void testSivDecryptWithInvalidKey() throws DecryptFailedException, InvalidKeyException {
+		final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, //
+				(byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, //
+				(byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, //
+				(byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0};
+
+		final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0x00};
+
+		final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, //
+				(byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, //
+				(byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, //
+				(byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, //
+				(byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, //
+				(byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27};
+
+		final byte[] ciphertext = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, //
+				(byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, //
+				(byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, //
+				(byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, //
+				(byte) 0xfe, (byte) 0x5c};
+
+		final byte[] expected = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, //
+				(byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, //
+				(byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, //
+				(byte) 0xdd, (byte) 0xee};
+
+		final byte[] result = AesSivCipherUtil.sivDecrypt(aesKey, macKey, ciphertext, ad);
+		Assert.assertArrayEquals(expected, result);
+	}
+
+	/**
+	 * https://tools.ietf.org/html/rfc5297#appendix-A.2
+	 */
+	@Test
+	public void testNonceBasedAuthenticatedEncryption() throws InvalidKeyException {
+		final byte[] macKey = {(byte) 0x7f, (byte) 0x7e, (byte) 0x7d, (byte) 0x7c, //
+				(byte) 0x7b, (byte) 0x7a, (byte) 0x79, (byte) 0x78, //
+				(byte) 0x77, (byte) 0x76, (byte) 0x75, (byte) 0x74, //
+				(byte) 0x73, (byte) 0x72, (byte) 0x71, (byte) 0x70};
+
+		final byte[] aesKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, //
+				(byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, //
+				(byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, //
+				(byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f};
+
+		final byte[] ad1 = {(byte) 0x00, (byte) 0x11, (byte) 0x22, (byte) 0x33, //
+				(byte) 0x44, (byte) 0x55, (byte) 0x66, (byte) 0x77, //
+				(byte) 0x88, (byte) 0x99, (byte) 0xaa, (byte) 0xbb, //
+				(byte) 0xcc, (byte) 0xdd, (byte) 0xee, (byte) 0xff, //
+				(byte) 0xde, (byte) 0xad, (byte) 0xda, (byte) 0xda, //
+				(byte) 0xde, (byte) 0xad, (byte) 0xda, (byte) 0xda, //
+				(byte) 0xff, (byte) 0xee, (byte) 0xdd, (byte) 0xcc, //
+				(byte) 0xbb, (byte) 0xaa, (byte) 0x99, (byte) 0x88, //
+				(byte) 0x77, (byte) 0x66, (byte) 0x55, (byte) 0x44, //
+				(byte) 0x33, (byte) 0x22, (byte) 0x11, (byte) 0x00};
+
+		final byte[] ad2 = {(byte) 0x10, (byte) 0x20, (byte) 0x30, (byte) 0x40, //
+				(byte) 0x50, (byte) 0x60, (byte) 0x70, (byte) 0x80, //
+				(byte) 0x90, (byte) 0xa0};
+
+		final byte[] nonce = {(byte) 0x09, (byte) 0xf9, (byte) 0x11, (byte) 0x02, //
+				(byte) 0x9d, (byte) 0x74, (byte) 0xe3, (byte) 0x5b, //
+				(byte) 0xd8, (byte) 0x41, (byte) 0x56, (byte) 0xc5, //
+				(byte) 0x63, (byte) 0x56, (byte) 0x88, (byte) 0xc0};
+
+		final byte[] plaintext = {(byte) 0x74, (byte) 0x68, (byte) 0x69, (byte) 0x73, //
+				(byte) 0x20, (byte) 0x69, (byte) 0x73, (byte) 0x20, //
+				(byte) 0x73, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, //
+				(byte) 0x20, (byte) 0x70, (byte) 0x6c, (byte) 0x61, //
+				(byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65, //
+				(byte) 0x78, (byte) 0x74, (byte) 0x20, (byte) 0x74, //
+				(byte) 0x6f, (byte) 0x20, (byte) 0x65, (byte) 0x6e, //
+				(byte) 0x63, (byte) 0x72, (byte) 0x79, (byte) 0x70, //
+				(byte) 0x74, (byte) 0x20, (byte) 0x75, (byte) 0x73, //
+				(byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x20, //
+				(byte) 0x53, (byte) 0x49, (byte) 0x56, (byte) 0x2d, //
+				(byte) 0x41, (byte) 0x45, (byte) 0x53};
+
+		final byte[] result = AesSivCipherUtil.sivEncrypt(aesKey, macKey, plaintext, ad1, ad2, nonce);
+
+		final byte[] expected = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, //
+				(byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, //
+				(byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, //
+				(byte) 0xff, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f, //
+				(byte) 0xcb, (byte) 0x90, (byte) 0x0f, (byte) 0x2f, //
+				(byte) 0xdd, (byte) 0xbe, (byte) 0x40, (byte) 0x43, //
+				(byte) 0x26, (byte) 0x60, (byte) 0x19, (byte) 0x65, //
+				(byte) 0xc8, (byte) 0x89, (byte) 0xbf, (byte) 0x17, //
+				(byte) 0xdb, (byte) 0xa7, (byte) 0x7c, (byte) 0xeb, //
+				(byte) 0x09, (byte) 0x4f, (byte) 0xa6, (byte) 0x63, //
+				(byte) 0xb7, (byte) 0xa3, (byte) 0xf7, (byte) 0x48, //
+				(byte) 0xba, (byte) 0x8a, (byte) 0xf8, (byte) 0x29, //
+				(byte) 0xea, (byte) 0x64, (byte) 0xad, (byte) 0x54, //
+				(byte) 0x4a, (byte) 0x27, (byte) 0x2e, (byte) 0x9c, //
+				(byte) 0x48, (byte) 0x5b, (byte) 0x62, (byte) 0xa3, //
+				(byte) 0xfd, (byte) 0x5c, (byte) 0x0d};
+
+		Assert.assertArrayEquals(expected, result);
+
+	}
+}

main/crypto-api/pom.xml

@@ -12,12 +12,13 @@
 	<parent>
 		<groupId>org.cryptomator</groupId>
 		<artifactId>main</artifactId>
-		<version>0.3.0-SNAPSHOT</version>
+		<version>0.7.2</version>
 	</parent>
 	<artifactId>crypto-api</artifactId>
 	<name>Cryptomator cryptographic module API</name>
 
 	<dependencies>
+		<!-- commons -->
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
@@ -26,5 +27,9 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-collections4</artifactId>
+		</dependency>
 	</dependencies>
 </project>

main/crypto-api/src/main/java/org/cryptomator/crypto/AbstractCryptor.java

@@ -1,38 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.crypto;
-
-import java.util.HashSet;
-import java.util.Set;
-
-public abstract class AbstractCryptor implements Cryptor {
-
-	private final Set<SensitiveDataSwipeListener> swipeListeners = new HashSet<>();
-
-	@Override
-	public final void swipeSensitiveData() {
-		this.swipeSensitiveDataInternal();
-		for (final SensitiveDataSwipeListener sensitiveDataSwipeListener : swipeListeners) {
-			sensitiveDataSwipeListener.swipeSensitiveData();
-		}
-	}
-
-	protected abstract void swipeSensitiveDataInternal();
-
-	@Override
-	public final void addSensitiveDataSwipeListener(SensitiveDataSwipeListener listener) {
-		this.swipeListeners.add(listener);
-	}
-
-	@Override
-	public final void removeSensitiveDataSwipeListener(SensitiveDataSwipeListener listener) {
-		this.swipeListeners.remove(listener);
-	}
-
-}

main/crypto-api/src/main/java/org/cryptomator/crypto/AbstractCryptorDecorator.java

@@ -0,0 +1,85 @@
+package org.cryptomator.crypto;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.channels.SeekableByteChannel;
+
+import javax.security.auth.DestroyFailedException;
+
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
+import org.cryptomator.crypto.exceptions.MacAuthenticationFailedException;
+import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
+import org.cryptomator.crypto.exceptions.WrongPasswordException;
+
+public class AbstractCryptorDecorator implements Cryptor {
+
+	protected final Cryptor cryptor;
+
+	public AbstractCryptorDecorator(Cryptor cryptor) {
+		this.cryptor = cryptor;
+	}
+
+	@Override
+	public void encryptMasterKey(OutputStream out, CharSequence password) throws IOException {
+		cryptor.encryptMasterKey(out, password);
+	}
+
+	@Override
+	public void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException, UnsupportedVaultException {
+		cryptor.decryptMasterKey(in, password);
+	}
+
+	@Override
+	public String encryptDirectoryPath(String cleartextDirectoryId, String nativePathSep) {
+		return cryptor.encryptDirectoryPath(cleartextDirectoryId, nativePathSep);
+	}
+
+	@Override
+	public String encryptFilename(String cleartextName) {
+		return cryptor.encryptFilename(cleartextName);
+	}
+
+	@Override
+	public String decryptFilename(String ciphertextName) throws DecryptFailedException {
+		return cryptor.decryptFilename(ciphertextName);
+	}
+
+	@Override
+	public Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException, MacAuthenticationFailedException {
+		return cryptor.decryptedContentLength(encryptedFile);
+	}
+
+	@Override
+	public boolean isAuthentic(SeekableByteChannel encryptedFile) throws IOException {
+		return cryptor.isAuthentic(encryptedFile);
+	}
+
+	@Override
+	public Long decryptFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException, DecryptFailedException {
+		return cryptor.decryptFile(encryptedFile, plaintextFile);
+	}
+
+	@Override
+	public Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException, DecryptFailedException {
+		return cryptor.decryptRange(encryptedFile, plaintextFile, pos, length);
+	}
+
+	@Override
+	public Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException, EncryptFailedException {
+		return cryptor.encryptFile(plaintextFile, encryptedFile);
+	}
+
+	@Override
+	public void destroy() throws DestroyFailedException {
+		cryptor.destroy();
+	}
+
+	@Override
+	public boolean isDestroyed() {
+		return cryptor.isDestroyed();
+	}
+
+}

main/crypto-api/src/main/java/org/cryptomator/crypto/Cryptor.java

@@ -12,17 +12,20 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.channels.SeekableByteChannel;
-import java.nio.file.DirectoryStream.Filter;
-import java.nio.file.Path;
+
+import javax.security.auth.Destroyable;
 
 import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
+import org.cryptomator.crypto.exceptions.MacAuthenticationFailedException;
 import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
 import org.cryptomator.crypto.exceptions.WrongPasswordException;
 
 /**
  * Provides access to cryptographic functions. All methods are threadsafe.
  */
-public interface Cryptor extends SensitiveDataSwipeListener {
+public interface Cryptor extends Destroyable {
 
 	/**
 	 * Encrypts the current masterKey with the given password and writes the result to the given output stream.
@@ -33,72 +36,67 @@ public interface Cryptor extends SensitiveDataSwipeListener {
 	 * Reads the encrypted masterkey from the given input stream and decrypts it with the given password.
 	 * 
 	 * @throws DecryptFailedException If the decryption failed for various reasons (including wrong password).
-	 * @throws WrongPasswordException If the provided password was wrong. Note: Sometimes the algorithm itself fails due to a wrong
-	 *             password. In this case a DecryptFailedException will be thrown.
-	 * @throws UnsupportedKeyLengthException If the masterkey has been encrypted with a higher key length than supported by the system. In
-	 *             this case Java JCE needs to be installed.
+	 * @throws WrongPasswordException If the provided password was wrong. Note: Sometimes the algorithm itself fails due to a wrong password. In this case a DecryptFailedException will be thrown.
+	 * @throws UnsupportedKeyLengthException If the masterkey has been encrypted with a higher key length than supported by the system. In this case Java JCE needs to be installed.
+	 * @throws UnsupportedVaultException If the masterkey file is too old or too modern.
 	 */
-	void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException;
+	void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException, UnsupportedVaultException;
 
 	/**
-	 * Encrypts each plaintext path component for its own.
+	 * Encrypts a given plaintext path representing a directory structure. See {@link #encryptFilename(String, CryptorMetadataSupport)} for contents inside directories.
 	 * 
-	 * @param cleartextPath A relative path (UTF-8 encoded)
-	 * @param encryptedPathSep Path separator char like '/' used on local file system. Must not be null, even if cleartextPath is a sole
-	 *            file name without any path separators.
-	 * @param cleartextPathSep Path separator char like '/' used in webdav URIs. Must not be null, even if cleartextPath is a sole file name
-	 *            without any path separators.
-	 * @param metadataSupport Support object allowing the Cryptor to read and write its own metadata to the location of the encrypted file.
-	 * @return Encrypted path components concatenated by the given encryptedPathSep. Must not start with encryptedPathSep, unless the
-	 *         encrypted path is explicitly absolute.
+	 * @param cleartextDirectoryId A unique directory id
+	 * @param nativePathSep Path separator like "/" used on local file system. Must not be null, even if cleartextPath is a sole file name without any path separators.
+	 * @return Encrypted path.
 	 */
-	String encryptPath(String cleartextPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport);
+	String encryptDirectoryPath(String cleartextDirectoryId, String nativePathSep);
 
 	/**
-	 * Decrypts each encrypted path component for its own.
+	 * Encrypts the name of a file. See {@link #encryptDirectoryPath(String, char)} for parent dir.
 	 * 
-	 * @param encryptedPath A relative path (UTF-8 encoded)
-	 * @param encryptedPathSep Path separator char like '/' used on local file system. Must not be null, even if encryptedPath is a sole
-	 *            file name without any path separators.
-	 * @param cleartextPathSep Path separator char like '/' used in webdav URIs. Must not be null, even if encryptedPath is a sole file name
-	 *            without any path separators.
-	 * @param metadataSupport Support object allowing the Cryptor to read and write its own metadata to the location of the encrypted file.
-	 * @return Decrypted path components concatenated by the given cleartextPathSep. Must not start with cleartextPathSep, unless the
-	 *         cleartext path is explicitly absolute.
+	 * @param cleartextName A plaintext filename without any preceeding directory paths.
+	 * @return Encrypted filename.
 	 */
-	String decryptPath(String encryptedPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport);
+	String encryptFilename(String cleartextName);
+
+	/**
+	 * Decrypts the name of a file.
+	 * 
+	 * @param ciphertextName A ciphertext filename without any preceeding directory paths.
+	 * @return Decrypted filename.
+	 * @throws DecryptFailedException If the decryption failed for various reasons (including wrong password).
+	 */
+	String decryptFilename(String ciphertextName) throws DecryptFailedException;
 
 	/**
 	 * @param metadataSupport Support object allowing the Cryptor to read and write its own metadata to the location of the encrypted file.
 	 * @return Content length of the decrypted file or <code>null</code> if unknown.
+	 * @throws MacAuthenticationFailedException If the MAC auth failed.
 	 */
-	Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException;
+	Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException, MacAuthenticationFailedException;
+
+	/**
+	 * @return true, if the stored MAC matches the calculated one.
+	 */
+	boolean isAuthentic(SeekableByteChannel encryptedFile) throws IOException;
 
 	/**
 	 * @return Number of decrypted bytes. This might not be equal to the encrypted file size due to optional metadata written to it.
+	 * @throws DecryptFailedException If decryption failed
 	 */
-	Long decryptedFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException;
+	Long decryptFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException, DecryptFailedException;
 
 	/**
 	 * @param pos First byte (inclusive)
 	 * @param length Number of requested bytes beginning at pos.
 	 * @return Number of decrypted bytes. This might not be equal to the number of bytes requested due to potential overheads.
+	 * @throws DecryptFailedException If decryption failed
 	 */
-	Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException;
+	Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException, DecryptFailedException;
 
 	/**
 	 * @return Number of encrypted bytes. This might not be equal to the encrypted file size due to optional metadata written to it.
 	 */
-	Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException;
-
-	/**
-	 * @return A filter, that returns <code>true</code> for encrypted files, i.e. if the file is an actual user payload and not a supporting
-	 *         metadata file of the {@link Cryptor}.
-	 */
-	Filter<Path> getPayloadFilesFilter();
-
-	void addSensitiveDataSwipeListener(SensitiveDataSwipeListener listener);
-
-	void removeSensitiveDataSwipeListener(SensitiveDataSwipeListener listener);
+	Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException, EncryptFailedException;
 
 }

main/crypto-api/src/main/java/org/cryptomator/crypto/CryptorIOSupport.java

@@ -1,31 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.crypto;
-
-import java.io.IOException;
-
-/**
- * Methods that may be called by the Cryptor when accessing a path.
- */
-public interface CryptorIOSupport {
-
-	/**
-	 * Persists encryptedMetadata to the given encryptedPath.
-	 * 
-	 * @param encryptedPath A relative path
-	 * @throws IOException
-	 */
-	void writePathSpecificMetadata(String encryptedPath, byte[] encryptedMetadata) throws IOException;
-
-	/**
-	 * @return Previously written encryptedMetadata stored at the given encryptedPath or <code>null</code> if no such file exists.
-	 */
-	byte[] readPathSpecificMetadata(String encryptedPath) throws IOException;
-
-}

main/crypto-api/src/main/java/org/cryptomator/crypto/PathCachingCryptorDecorator.java

@@ -0,0 +1,65 @@
+package org.cryptomator.crypto;
+
+import java.util.Map;
+
+import org.apache.commons.collections4.BidiMap;
+import org.apache.commons.collections4.bidimap.AbstractDualBidiMap;
+import org.apache.commons.collections4.map.LRUMap;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+
+public class PathCachingCryptorDecorator extends AbstractCryptorDecorator {
+
+	private static final int MAX_CACHED_PATHS = 5000;
+	private static final int MAX_CACHED_NAMES = 5000;
+
+	private final Map<String, String> pathCache = new LRUMap<>(MAX_CACHED_PATHS); // <cleartextDirectoryId, ciphertextPath>
+	private final BidiMap<String, String> nameCache = new BidiLRUMap<>(MAX_CACHED_NAMES); // <cleartextName, ciphertextName>
+
+	private PathCachingCryptorDecorator(Cryptor cryptor) {
+		super(cryptor);
+	}
+
+	public static Cryptor decorate(Cryptor cryptor) {
+		return new PathCachingCryptorDecorator(cryptor);
+	}
+
+	/* Cryptor */
+
+	@Override
+	public String encryptDirectoryPath(String cleartextDirectoryId, String nativePathSep) {
+		return pathCache.computeIfAbsent(cleartextDirectoryId, id -> cryptor.encryptDirectoryPath(id, nativePathSep));
+	}
+
+	@Override
+	public String encryptFilename(String cleartextName) {
+		return nameCache.computeIfAbsent(cleartextName, name -> cryptor.encryptFilename(name));
+	}
+
+	@Override
+	public String decryptFilename(String ciphertextName) throws DecryptFailedException {
+		String cleartextName = nameCache.getKey(ciphertextName);
+		if (cleartextName == null) {
+			cleartextName = cryptor.decryptFilename(ciphertextName);
+			nameCache.put(cleartextName, ciphertextName);
+		}
+		return cleartextName;
+	}
+
+	private static class BidiLRUMap<K, V> extends AbstractDualBidiMap<K, V> {
+
+		BidiLRUMap(int maxSize) {
+			super(new LRUMap<K, V>(maxSize), new LRUMap<V, K>(maxSize));
+		}
+
+		protected BidiLRUMap(final Map<K, V> normalMap, final Map<V, K> reverseMap, final BidiMap<V, K> inverseBidiMap) {
+			super(normalMap, reverseMap, inverseBidiMap);
+		}
+
+		@Override
+		protected BidiMap<V, K> createBidiMap(Map<V, K> normalMap, Map<K, V> reverseMap, BidiMap<K, V> inverseMap) {
+			return new BidiLRUMap<V, K>(normalMap, reverseMap, inverseMap);
+		}
+
+	}
+
+}

main/crypto-api/src/main/java/org/cryptomator/crypto/SamplingCryptorDecorator.java

@@ -4,34 +4,24 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.channels.SeekableByteChannel;
-import java.nio.file.DirectoryStream.Filter;
-import java.nio.file.Path;
 import java.util.concurrent.atomic.AtomicLong;
 
-import org.apache.commons.lang3.StringUtils;
 import org.cryptomator.crypto.exceptions.DecryptFailedException;
-import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
-import org.cryptomator.crypto.exceptions.WrongPasswordException;
+import org.cryptomator.crypto.exceptions.EncryptFailedException;
 
-public class SamplingDecorator implements Cryptor, CryptorIOSampling {
+public class SamplingCryptorDecorator extends AbstractCryptorDecorator implements CryptorIOSampling {
 
-	private final Cryptor cryptor;
 	private final AtomicLong encryptedBytes;
 	private final AtomicLong decryptedBytes;
 
-	private SamplingDecorator(Cryptor cryptor) {
-		this.cryptor = cryptor;
+	private SamplingCryptorDecorator(Cryptor cryptor) {
+		super(cryptor);
 		encryptedBytes = new AtomicLong();
 		decryptedBytes = new AtomicLong();
 	}
 
 	public static Cryptor decorate(Cryptor cryptor) {
-		return new SamplingDecorator(cryptor);
-	}
-
-	@Override
-	public void swipeSensitiveData() {
-		cryptor.swipeSensitiveData();
+		return new SamplingCryptorDecorator(cryptor);
 	}
 
 	@Override
@@ -55,65 +45,23 @@ public class SamplingDecorator implements Cryptor, CryptorIOSampling {
 	/* Cryptor */
 
 	@Override
-	public void encryptMasterKey(OutputStream out, CharSequence password) throws IOException {
-		cryptor.encryptMasterKey(out, password);
-	}
-
-	@Override
-	public void decryptMasterKey(InputStream in, CharSequence password) throws DecryptFailedException, WrongPasswordException, UnsupportedKeyLengthException, IOException {
-		cryptor.decryptMasterKey(in, password);
-	}
-
-	@Override
-	public String encryptPath(String cleartextPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport) {
-		encryptedBytes.addAndGet(StringUtils.length(cleartextPath));
-		return cryptor.encryptPath(cleartextPath, encryptedPathSep, cleartextPathSep, ioSupport);
-	}
-
-	@Override
-	public String decryptPath(String encryptedPath, char encryptedPathSep, char cleartextPathSep, CryptorIOSupport ioSupport) {
-		decryptedBytes.addAndGet(StringUtils.length(encryptedPath));
-		return cryptor.decryptPath(encryptedPath, encryptedPathSep, cleartextPathSep, ioSupport);
-	}
-
-	@Override
-	public Long decryptedContentLength(SeekableByteChannel encryptedFile) throws IOException {
-		return cryptor.decryptedContentLength(encryptedFile);
-	}
-
-	@Override
-	public Long decryptedFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException {
+	public Long decryptFile(SeekableByteChannel encryptedFile, OutputStream plaintextFile) throws IOException, DecryptFailedException {
 		final OutputStream countingInputStream = new CountingOutputStream(decryptedBytes, plaintextFile);
-		return cryptor.decryptedFile(encryptedFile, countingInputStream);
+		return cryptor.decryptFile(encryptedFile, countingInputStream);
 	}
 
 	@Override
-	public Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException {
+	public Long decryptRange(SeekableByteChannel encryptedFile, OutputStream plaintextFile, long pos, long length) throws IOException, DecryptFailedException {
 		final OutputStream countingInputStream = new CountingOutputStream(decryptedBytes, plaintextFile);
 		return cryptor.decryptRange(encryptedFile, countingInputStream, pos, length);
 	}
 
 	@Override
-	public Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException {
+	public Long encryptFile(InputStream plaintextFile, SeekableByteChannel encryptedFile) throws IOException, EncryptFailedException {
 		final InputStream countingInputStream = new CountingInputStream(encryptedBytes, plaintextFile);
 		return cryptor.encryptFile(countingInputStream, encryptedFile);
 	}
 
-	@Override
-	public Filter<Path> getPayloadFilesFilter() {
-		return cryptor.getPayloadFilesFilter();
-	}
-
-	@Override
-	public void addSensitiveDataSwipeListener(SensitiveDataSwipeListener listener) {
-		cryptor.addSensitiveDataSwipeListener(listener);
-	}
-
-	@Override
-	public void removeSensitiveDataSwipeListener(SensitiveDataSwipeListener listener) {
-		cryptor.removeSensitiveDataSwipeListener(listener);
-	}
-
 	private class CountingInputStream extends InputStream {
 
 		private final InputStream in;

main/crypto-api/src/main/java/org/cryptomator/crypto/SensitiveDataSwipeListener.java

@@ -1,19 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.crypto;
-
-public interface SensitiveDataSwipeListener {
-
-	/**
-	 * Removes sensitive data from memory. Depending on the data (e.g. for passwords) it might be necessary to overwrite the memory before
-	 * freeing the object.
-	 */
-	void swipeSensitiveData();
-
-}

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/CounterOverflowException.java

@@ -0,0 +1,10 @@
+package org.cryptomator.crypto.exceptions;
+
+public class CounterOverflowException extends EncryptFailedException {
+	private static final long serialVersionUID = 380066751064534731L;
+
+	public CounterOverflowException(String msg) {
+		super(msg);
+	}
+
+}

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/DecryptFailedException.java

@@ -6,4 +6,8 @@ public class DecryptFailedException extends StorageCryptingException {
 	public DecryptFailedException(Throwable t) {
 		super("Decryption failed.", t);
 	}
+
+	public DecryptFailedException(String msg) {
+		super(msg);
+	}
 }

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/EncryptFailedException.java

@@ -0,0 +1,9 @@
+package org.cryptomator.crypto.exceptions;
+
+public class EncryptFailedException extends StorageCryptingException {
+	private static final long serialVersionUID = -3855673600374897828L;
+
+	public EncryptFailedException(String msg) {
+		super(msg);
+	}
+}

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/MacAuthenticationFailedException.java

@@ -0,0 +1,11 @@
+package org.cryptomator.crypto.exceptions;
+
+public class MacAuthenticationFailedException extends DecryptFailedException {
+
+	private static final long serialVersionUID = -5577052361643658772L;
+
+	public MacAuthenticationFailedException(String msg) {
+		super(msg);
+	}
+
+}

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/UnsupportedKeyLengthException.java

@@ -7,7 +7,7 @@ public class UnsupportedKeyLengthException extends StorageCryptingException {
 	private final int supportedLength;
 
 	public UnsupportedKeyLengthException(int length, int maxLength) {
-		super(String.format("Key length (%i) exceeds policy maximum (%i).", length, maxLength));
+		super(String.format("Key length (%d) exceeds policy maximum (%d).", length, maxLength));
 		this.requestedLength = length;
 		this.supportedLength = maxLength;
 	}

main/crypto-api/src/main/java/org/cryptomator/crypto/exceptions/UnsupportedVaultException.java

@@ -0,0 +1,32 @@
+package org.cryptomator.crypto.exceptions;
+
+public class UnsupportedVaultException extends Exception {
+
+	private static final long serialVersionUID = -5147549533387945622L;
+
+	private final Integer detectedVersion;
+	private final Integer supportedVersion;
+
+	public UnsupportedVaultException(Integer detectedVersion, Integer supportedVersion) {
+		super("Tried to open vault of version " + detectedVersion + ", but can only handle version " + supportedVersion);
+		this.detectedVersion = detectedVersion;
+		this.supportedVersion = supportedVersion;
+	}
+
+	public Integer getDetectedVersion() {
+		return detectedVersion;
+	}
+
+	public Integer getSupportedVersion() {
+		return supportedVersion;
+	}
+
+	public boolean isVaultOlderThanSoftware() {
+		return detectedVersion == null || detectedVersion < supportedVersion;
+	}
+
+	public boolean isSoftwareOlderThanVault() {
+		return detectedVersion > supportedVersion;
+	}
+
+}

main/installer-debian/package/linux/control

@@ -0,0 +1,16 @@
+Package: APPLICATION_PACKAGE
+Version: APPLICATION_VERSION
+Section: contrib/utils
+Maintainer: Sebastian Stenzel <sebastian.stenzel@gmail.com>
+Homepage: https://cryptomator.org
+Vcs-Git: https://github.com/totalvoidness/cryptomator.git
+Vcs-Browser: https://github.com/totalvoidness/cryptomator
+Priority: optional
+Architecture: APPLICATION_ARCH
+Provides: APPLICATION_PACKAGE
+Installed-Size: APPLICATION_INSTALLED_SIZE
+Depends: gvfs-bin, gvfs-backends, gvfs-fuse, xdg-utils
+Description: Multi-platform client-side encryption of your cloud files.
+ Cryptomator provides free client-side AES encryption for your cloud files.
+ Create encrypted vaults, which get mounted as virtual volumes. Whatever
+ you save on one of these volumes will end up encrypted inside your vault.

main/installer-debian/package/linux/copyright

@@ -0,0 +1,23 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: cryptomator
+Source: <https://github.com/totalvoidness/cryptomator>
+
+Copyright: 2015 Sebastian Stenzel <sebastian.stenzel@gmail.com> and contributors.
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

main/installer-debian/pom.xml

@@ -0,0 +1,60 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.cryptomator</groupId>
+		<artifactId>main</artifactId>
+		<version>0.7.2</version>
+	</parent>
+	<artifactId>installer-debian</artifactId>
+	<packaging>pom</packaging>
+	<name>Cryptomator Debian installer</name>
+
+	<properties>
+		<javafx.application.name>Cryptomator</javafx.application.name>
+		<exec.mainClass>org.cryptomator.ui.Cryptomator</exec.mainClass>
+		<javafx.tools.ant.jar>${java.home}/../lib/ant-javafx.jar</javafx.tools.ant.jar>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>ui</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>1.7</version>
+				<executions>
+					<execution>
+						<id>create-deployment-bundle</id>
+						<phase>install</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<target xmlns:fx="javafx:com.sun.javafx.tools.ant">
+								<taskdef uri="javafx:com.sun.javafx.tools.ant" resource="com/sun/javafx/tools/ant/antlib.xml" classpath="${project.basedir}:${javafx.tools.ant.jar}" />
+
+								<fx:deploy nativeBundles="deb" outdir="${project.build.directory}" outfile="Cryptomator-${project.parent.version}" verbose="true">
+									<fx:application name="${javafx.application.name}" version="${project.version}" mainClass="${exec.mainClass}" />
+									<fx:info title="${javafx.application.name}" vendor="cryptomator.org" copyright="cryptomator.org" license="MIT" category="Utility" />
+									<fx:platform javafx="2.2+" j2se="8.0">
+										<fx:property name="logPath" value="~/.Cryptomator/cryptomator.log" />
+									</fx:platform>
+									<fx:resources>
+										<fx:fileset dir="../target/" includes="Cryptomator-${project.parent.version}.jar" />
+									</fx:resources>
+									<fx:permissions elevated="false" />
+									<fx:preferences install="true" />
+								</fx:deploy>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

main/installer-osx/package/macosx/Info.plist

@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>LSMinimumSystemVersion</key>
+  <string>10.7.4</string>
+  <key>CFBundleDevelopmentRegion</key>
+  <string>English</string>
+  <key>CFBundleAllowMixedLocalizations</key>
+  <true/>
+  <key>CFBundleExecutable</key>
+  <string>DEPLOY_LAUNCHER_NAME</string>
+  <key>CFBundleIconFile</key>
+  <string>DEPLOY_ICON_FILE</string>
+  <key>CFBundleIdentifier</key>
+  <string>DEPLOY_BUNDLE_IDENTIFIER</string>
+  <key>CFBundleInfoDictionaryVersion</key>
+  <string>6.0</string>
+  <key>CFBundleName</key>
+  <string>DEPLOY_BUNDLE_NAME</string>
+  <key>CFBundlePackageType</key>
+  <string>APPL</string>
+  <key>CFBundleShortVersionString</key>
+  <string>DEPLOY_BUNDLE_SHORT_VERSION</string>
+  <key>CFBundleSignature</key>
+  <string>????</string>
+  <!-- See http://developer.apple.com/library/mac/#releasenotes/General/SubmittingToMacAppStore/_index.html for list of AppStore categories -->
+  <key>LSApplicationCategoryType</key>
+  <string>DEPLOY_BUNDLE_CATEGORY</string>
+  <key>CFBundleVersion</key>
+  <string>100</string>
+  <key>NSHumanReadableCopyright</key>
+  <string>DEPLOY_BUNDLE_COPYRIGHT</string>
+  <key>JVMRuntime</key>
+  <string>DEPLOY_JAVA_RUNTIME_NAME</string>
+  <key>JVMMainClassName</key>
+  <string>DEPLOY_LAUNCHER_CLASS</string>
+  <key>JVMAppClasspath</key>
+  <string>DEPLOY_APP_CLASSPATH</string>
+  <key>JVMMainJarName</key>
+  <string>DEPLOY_MAIN_JAR_NAME</string>
+  <key>JVMPreferencesID</key>
+  <string>DEPLOY_PREFERENCES_ID</string>
+  <key>JVMOptions</key>
+  <array>
+DEPLOY_JVM_OPTIONS
+  </array>
+  <key>JVMUserOptions</key>
+  <dict>
+DEPLOY_JVM_USER_OPTIONS
+  </dict>
+  <key>NSHighResolutionCapable</key>
+  <string>true</string>
+  <!-- hide from dock -->
+  <key>LSUIElement</key>
+  <string>1</string>
+  <!-- register .cryptomator bundle extension -->
+  <key>CFBundleDocumentTypes</key>
+  <array>
+    <dict>
+      <key>CFBundleTypeExtensions</key>
+      <array>
+        <string>cryptomator</string>
+      </array>
+      <key>CFBundleTypeIconFile</key>
+      <string>Cryptomator.icns</string>
+      <key>CFBundleTypeName</key>
+      <string>Cryptomator Vault</string>
+      <key>CFBundleTypeRole</key>
+      <string>Editor</string>
+      <key>LSItemContentTypes</key>
+      <array>
+        <string>org.cryptomator.folder</string>
+      </array>
+      <key>LSTypeIsPackage</key>
+      <true/>
+    </dict>
+  </array>
+  <key>UTExportedTypeDeclarations</key>
+  <array>
+    <dict>
+      <key>UTTypeConformsTo</key>
+      <array>
+        <string>com.apple.package</string>
+      </array>
+      <key>UTTypeDescription</key>
+      <string>Cryptomator Vault</string>
+      <key>UTTypeIconFile</key>
+      <string>Cryptomator.icns</string>
+      <key>UTTypeIdentifier</key>
+      <string>org.cryptomator.folder</string>
+      <key>UTTypeTagSpecification</key>
+      <dict>
+        <key>public.filename-extension</key>
+        <array>
+          <string>cryptomator</string>
+        </array>
+      </dict>
+    </dict>
+  </array>
+</dict>
+</plist>

main/installer-osx/pom.xml

@@ -0,0 +1,60 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.cryptomator</groupId>
+		<artifactId>main</artifactId>
+		<version>0.7.2</version>
+	</parent>
+	<artifactId>installer-osx</artifactId>
+	<packaging>pom</packaging>
+	<name>Cryptomator Mac OS X installer</name>
+
+	<properties>
+		<javafx.application.name>Cryptomator</javafx.application.name>
+		<exec.mainClass>org.cryptomator.ui.Cryptomator</exec.mainClass>
+		<javafx.tools.ant.jar>${java.home}/../lib/ant-javafx.jar</javafx.tools.ant.jar>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>ui</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>1.7</version>
+				<executions>
+					<execution>
+						<id>create-deployment-bundle</id>
+						<phase>install</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<target xmlns:fx="javafx:com.sun.javafx.tools.ant">
+								<taskdef uri="javafx:com.sun.javafx.tools.ant" resource="com/sun/javafx/tools/ant/antlib.xml" classpath="${project.basedir}:${javafx.tools.ant.jar}" />
+
+								<fx:deploy nativeBundles="dmg" outdir="${project.build.directory}" outfile="Cryptomator-${project.parent.version}" verbose="true">
+									<fx:application name="${javafx.application.name}" version="${project.version}" mainClass="${exec.mainClass}" />
+									<fx:info title="${javafx.application.name}" vendor="cryptomator.org" copyright="cryptomator.org" license="MIT" category="Utility" />
+									<fx:platform javafx="2.2+" j2se="8.0">
+										<fx:property name="logPath" value="~/Library/Logs/Cryptomator/cryptomator.log" />
+									</fx:platform>
+									<fx:resources>
+										<fx:fileset dir="../target/" includes="Cryptomator-${project.parent.version}.jar" />
+									</fx:resources>
+									<fx:permissions elevated="false" />
+									<fx:preferences install="true" />
+								</fx:deploy>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

main/installer-win-portable/package/windows/Cryptomator.iss

@@ -0,0 +1,74 @@
+;This file will be executed next to the application bundle image
+;I.e. current directory will contain folder APPLICATION_NAME with application files
+[Setup]
+AppId={{PRODUCT_APP_IDENTIFIER}}
+AppName=APPLICATION_NAME
+AppVersion=APPLICATION_VERSION
+AppVerName=APPLICATION_NAME APPLICATION_VERSION
+AppPublisher=APPLICATION_VENDOR
+AppComments=APPLICATION_COMMENTS
+AppCopyright=APPLICATION_COPYRIGHT
+AppPublisherURL=https://cryptomator.org/
+;AppSupportURL=http://java.com/
+;AppUpdatesURL=http://java.com/
+DefaultDirName=APPLICATION_INSTALL_ROOT\APPLICATION_NAME
+DisableStartupPrompt=Yes
+DisableDirPage=No
+DisableProgramGroupPage=Yes
+DisableReadyPage=Yes
+DisableFinishedPage=No
+DisableWelcomePage=Yes
+DefaultGroupName=APPLICATION_GROUP
+;Optional License
+LicenseFile=APPLICATION_LICENSE_FILE
+;WinXP or above
+MinVersion=0,5.1
+OutputBaseFilename=INSTALLER_FILE_NAME
+Compression=lzma
+SolidCompression=yes
+PrivilegesRequired=admin
+SetupIconFile=APPLICATION_NAME\APPLICATION_NAME.ico
+UninstallDisplayIcon={app}\APPLICATION_NAME.ico
+UninstallDisplayName=APPLICATION_NAME
+WizardImageStretch=No
+WizardSmallImageFile=Cryptomator-setup-icon.bmp
+WizardImageBackColor=$ffffff
+ArchitecturesInstallIn64BitMode=ARCHITECTURE_BIT_MODE
+
+[Languages]
+Name: "english"; MessagesFile: "compiler:Default.isl"
+
+[Files]
+Source: "APPLICATION_NAME\APPLICATION_NAME.exe"; DestDir: "{app}"; Flags: ignoreversion
+Source: "APPLICATION_NAME\*"; DestDir: "{app}"; Flags: ignoreversion recursesubdirs createallsubdirs
+
+[Icons]
+Name: "{group}\APPLICATION_NAME"; Filename: "{app}\APPLICATION_NAME.exe"; IconFilename: "{app}\APPLICATION_NAME.ico"; Check: APPLICATION_MENU_SHORTCUT()
+Name: "{commondesktop}\APPLICATION_NAME"; Filename: "{app}\APPLICATION_NAME.exe";  IconFilename: "{app}\APPLICATION_NAME.ico"; Check: APPLICATION_DESKTOP_SHORTCUT()
+
+[Run]
+Filename: "{app}\RUN_FILENAME.exe"; Description: "{cm:LaunchProgram,APPLICATION_NAME}"; Flags: nowait postinstall skipifsilent; Check: APPLICATION_NOT_SERVICE()
+Filename: "{app}\RUN_FILENAME.exe"; Parameters: "-install -svcName ""APPLICATION_NAME"" -svcDesc ""APPLICATION_DESCRIPTION"" -mainExe ""APPLICATION_LAUNCHER_FILENAME"" START_ON_INSTALL RUN_AT_STARTUP"; Check: APPLICATION_SERVICE()
+
+[UninstallRun]
+Filename: "{app}\RUN_FILENAME.exe "; Parameters: "-uninstall -svcName APPLICATION_NAME STOP_ON_UNINSTALL"; Check: APPLICATION_SERVICE()
+
+[Code]
+function returnTrue(): Boolean;
+begin
+  Result := True;
+end;
+
+function returnFalse(): Boolean;
+begin
+  Result := False;
+end;
+
+function InitializeSetup(): Boolean;
+begin
+// Possible future improvements:
+//   if version less or same => just launch app
+//   if upgrade => check if same app is running and wait for it to exit
+//   Add pack200/unpack200 support?
+  Result := True;
+end;

main/installer-win-portable/pom.xml

@@ -0,0 +1,61 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.cryptomator</groupId>
+		<artifactId>main</artifactId>
+		<version>0.7.2</version>
+	</parent>
+	<artifactId>installer-win-portable</artifactId>
+	<packaging>pom</packaging>
+	<name>Cryptomator (Portable) Windows installer</name>
+
+	<properties>
+		<javafx.application.name>Cryptomator</javafx.application.name>
+		<exec.mainClass>org.cryptomator.ui.Cryptomator</exec.mainClass>
+		<javafx.tools.ant.jar>${java.home}/../lib/ant-javafx.jar</javafx.tools.ant.jar>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>ui</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>1.7</version>
+				<executions>
+					<execution>
+						<id>create-deployment-bundle</id>
+						<phase>install</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<target xmlns:fx="javafx:com.sun.javafx.tools.ant">
+								<taskdef uri="javafx:com.sun.javafx.tools.ant" resource="com/sun/javafx/tools/ant/antlib.xml" classpath="${project.basedir}:${javafx.tools.ant.jar}" />
+
+								<fx:deploy nativeBundles="exe" outdir="${project.build.directory}" outfile="Cryptomator-${project.parent.version}" verbose="true">
+									<fx:application name="${javafx.application.name}" version="${project.version}" mainClass="${exec.mainClass}" />
+									<fx:info title="${javafx.application.name}" vendor="cryptomator.org" copyright="cryptomator.org" license="MIT" category="Utility" />
+									<fx:platform javafx="2.2+" j2se="8.0">
+										<fx:property name="settingsPath" value="./settings.json" />
+										<fx:property name="logPath" value="cryptomator.log" />
+									</fx:platform>
+									<fx:resources>
+										<fx:fileset dir="../target/" includes="Cryptomator-${project.parent.version}.jar" />
+									</fx:resources>
+									<fx:permissions elevated="false" />
+									<fx:preferences install="false" menu="false" shortcut="false" />
+								</fx:deploy>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

main/installer-win/package/windows/Cryptomator.iss

@@ -0,0 +1,80 @@
+;This file will be executed next to the application bundle image
+;I.e. current directory will contain folder APPLICATION_NAME with application files
+[Setup]
+AppId={{PRODUCT_APP_IDENTIFIER}}
+AppName=APPLICATION_NAME
+AppVersion=APPLICATION_VERSION
+AppVerName=APPLICATION_NAME APPLICATION_VERSION
+AppPublisher=APPLICATION_VENDOR
+AppComments=APPLICATION_COMMENTS
+AppCopyright=APPLICATION_COPYRIGHT
+AppPublisherURL=https://cryptomator.org/
+;AppSupportURL=http://java.com/
+;AppUpdatesURL=http://java.com/
+DefaultDirName=APPLICATION_INSTALL_ROOT\APPLICATION_NAME
+DisableStartupPrompt=Yes
+DisableDirPage=No
+DisableProgramGroupPage=Yes
+DisableReadyPage=Yes
+DisableFinishedPage=No
+DisableWelcomePage=Yes
+DefaultGroupName=APPLICATION_GROUP
+;Optional License
+LicenseFile=APPLICATION_LICENSE_FILE
+;WinXP or above
+MinVersion=0,5.1
+OutputBaseFilename=INSTALLER_FILE_NAME
+Compression=lzma
+SolidCompression=yes
+PrivilegesRequired=admin
+SetupIconFile=APPLICATION_NAME\APPLICATION_NAME.ico
+UninstallDisplayIcon={app}\APPLICATION_NAME.ico
+UninstallDisplayName=APPLICATION_NAME
+WizardImageStretch=No
+WizardSmallImageFile=Cryptomator-setup-icon.bmp
+WizardImageBackColor=$ffffff
+ArchitecturesInstallIn64BitMode=ARCHITECTURE_BIT_MODE
+
+[Languages]
+Name: "english"; MessagesFile: "compiler:Default.isl"
+
+[Registry]
+;Root: HKCU; Subkey: "Software\Microsoft\Windows\CurrentVersion\Internet Settings"; ValueType: dword; ValueName: "AutoDetect"; ValueData: "0"
+Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Services\WebClient\Parameters"; ValueType: dword; ValueName: "FileSizeLimitInBytes"; ValueData: "$ffffffff"
+
+[Files]
+Source: "APPLICATION_NAME\APPLICATION_NAME.exe"; DestDir: "{app}"; Flags: ignoreversion
+Source: "APPLICATION_NAME\*"; DestDir: "{app}"; Flags: ignoreversion recursesubdirs createallsubdirs
+
+[Icons]
+Name: "{group}\APPLICATION_NAME"; Filename: "{app}\APPLICATION_NAME.exe"; IconFilename: "{app}\APPLICATION_NAME.ico"; Check: APPLICATION_MENU_SHORTCUT()
+Name: "{commondesktop}\APPLICATION_NAME"; Filename: "{app}\APPLICATION_NAME.exe";  IconFilename: "{app}\APPLICATION_NAME.ico"; Check: APPLICATION_DESKTOP_SHORTCUT()
+
+[Run]
+Filename: "{app}\RUN_FILENAME.exe"; Description: "{cm:LaunchProgram,APPLICATION_NAME}"; Flags: nowait postinstall skipifsilent; Check: APPLICATION_NOT_SERVICE()
+Filename: "{app}\RUN_FILENAME.exe"; Parameters: "-install -svcName ""APPLICATION_NAME"" -svcDesc ""APPLICATION_DESCRIPTION"" -mainExe ""APPLICATION_LAUNCHER_FILENAME"" START_ON_INSTALL RUN_AT_STARTUP"; Check: APPLICATION_SERVICE()
+Filename: "net"; Parameters: "stop webclient"; Description: "Stopping WebClient..."; Flags: waituntilterminated runhidden
+Filename: "net"; Parameters: "start webclient"; Description: "Restarting WebClient..."; Flags: waituntilterminated runhidden
+
+[UninstallRun]
+Filename: "{app}\RUN_FILENAME.exe "; Parameters: "-uninstall -svcName APPLICATION_NAME STOP_ON_UNINSTALL"; Check: APPLICATION_SERVICE()
+
+[Code]
+function returnTrue(): Boolean;
+begin
+  Result := True;
+end;
+
+function returnFalse(): Boolean;
+begin
+  Result := False;
+end;
+
+function InitializeSetup(): Boolean;
+begin
+// Possible future improvements:
+//   if version less or same => just launch app
+//   if upgrade => check if same app is running and wait for it to exit
+//   Add pack200/unpack200 support?
+  Result := True;
+end;

main/installer-win/pom.xml

@@ -0,0 +1,60 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.cryptomator</groupId>
+		<artifactId>main</artifactId>
+		<version>0.7.2</version>
+	</parent>
+	<artifactId>installer-win</artifactId>
+	<packaging>pom</packaging>
+	<name>Cryptomator Windows installer</name>
+
+	<properties>
+		<javafx.application.name>Cryptomator</javafx.application.name>
+		<exec.mainClass>org.cryptomator.ui.Cryptomator</exec.mainClass>
+		<javafx.tools.ant.jar>${java.home}/../lib/ant-javafx.jar</javafx.tools.ant.jar>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>ui</artifactId>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>1.7</version>
+				<executions>
+					<execution>
+						<id>create-deployment-bundle</id>
+						<phase>install</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<target xmlns:fx="javafx:com.sun.javafx.tools.ant">
+								<taskdef uri="javafx:com.sun.javafx.tools.ant" resource="com/sun/javafx/tools/ant/antlib.xml" classpath="${project.basedir}:${javafx.tools.ant.jar}" />
+
+								<fx:deploy nativeBundles="exe" outdir="${project.build.directory}" outfile="Cryptomator-${project.parent.version}" verbose="true">
+									<fx:application name="${javafx.application.name}" version="${project.version}" mainClass="${exec.mainClass}" />
+									<fx:info title="${javafx.application.name}" vendor="cryptomator.org" copyright="cryptomator.org" license="MIT" category="Utility" />
+									<fx:platform javafx="2.2+" j2se="8.0" >
+										<fx:property name="logPath" value="%appdata%/Cryptomator/cryptomator.log" />
+									</fx:platform>
+									<fx:resources>
+										<fx:fileset dir="../target/" includes="Cryptomator-${project.parent.version}.jar" />
+									</fx:resources>
+									<fx:permissions elevated="false" />
+									<fx:preferences install="true" />
+								</fx:deploy>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

main/pom.xml

@@ -1,10 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright (c) 2014 Sebastian Stenzel This file is licensed under the terms of the MIT license. See the LICENSE.txt file for more info. Contributors: Sebastian Stenzel - initial API and implementation -->
+<!--
+  Copyright (c) 2014 Sebastian Stenzel
+  This file is licensed under the terms of the MIT license.
+  See the LICENSE.txt file for more info.
+  
+  Contributors:
+      Sebastian Stenzel - initial API and implementation
+-->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>main</artifactId>
-	<version>0.3.0-SNAPSHOT</version>
+	<version>0.7.2</version>
 	<packaging>pom</packaging>
 	<name>Cryptomator</name>
 
@@ -27,11 +34,14 @@
 		<!-- dependency versions -->
 		<log4j.version>2.1</log4j.version>
 		<slf4j.version>1.7.7</slf4j.version>
-		<junit.version>4.11</junit.version>
+		<junit.version>4.12</junit.version>
 		<commons-io.version>2.4</commons-io.version>
 		<commons-collections.version>4.0</commons-collections.version>
-		<commons-lang3.version>3.1</commons-lang3.version>
-		<commons-codec.version>1.9</commons-codec.version>
+		<commons-lang3.version>3.3.2</commons-lang3.version>
+		<commons-codec.version>1.10</commons-codec.version>
+		<commons-httpclient.version>3.1</commons-httpclient.version>
+		<jackson-databind.version>2.4.4</jackson-databind.version>
+		<mockito.version>1.10.19</mockito.version>
 	</properties>
 
 	<dependencyManagement>
@@ -101,19 +111,46 @@
 				<artifactId>commons-codec</artifactId>
 				<version>${commons-codec.version}</version>
 			</dependency>
+			<dependency>
+				<!-- org.apache.httpcomponents:httpclient is newer, but jackrabbit uses this version. We don't have a reason to upgrade --> 
+				<groupId>commons-httpclient</groupId>
+				<artifactId>commons-httpclient</artifactId>
+				<version>${commons-httpclient.version}</version>
+			</dependency>
+
+			<!-- Guava -->
+			<dependency>
+				<groupId>com.google.guava</groupId>
+				<artifactId>guava</artifactId>
+				<version>18.0</version>
+			</dependency>
+
+			<!-- DI -->
+			<dependency>
+				<groupId>com.google.inject</groupId>
+				<artifactId>guice</artifactId>
+				<version>3.0</version>
+			</dependency>
 
 			<!-- JSON -->
 			<dependency>
 				<groupId>com.fasterxml.jackson.core</groupId>
 				<artifactId>jackson-databind</artifactId>
-				<version>2.4.2</version>
+				<version>${jackson-databind.version}</version>
 			</dependency>
 
 			<!-- JUnit -->
 			<dependency>
 				<groupId>junit</groupId>
 				<artifactId>junit</artifactId>
-				<version>4.11</version>
+				<version>${junit.version}</version>
+				<scope>test</scope>
+			</dependency>
+
+			<dependency>
+				<groupId>org.mockito</groupId>
+				<artifactId>mockito-core</artifactId>
+				<version>${mockito.version}</version>
 				<scope>test</scope>
 			</dependency>
 		</dependencies>
@@ -136,6 +173,10 @@
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+		</dependency>
 	</dependencies>
 
 	<modules>
@@ -145,12 +186,39 @@
 		<module>ui</module>
 	</modules>
 
+	<profiles>
+		<profile>
+			<id>debian</id>
+			<modules>
+				<module>installer-debian</module>
+			</modules>
+		</profile>
+		<profile>
+			<id>osx</id>
+			<modules>
+				<module>installer-osx</module>
+			</modules>
+		</profile>
+		<profile>
+			<id>win</id>
+			<modules>
+				<module>installer-win</module>
+			</modules>
+		</profile>
+		<profile>
+			<id>win-portable</id>
+			<modules>
+				<module>installer-win-portable</module>
+			</modules>
+		</profile>
+	</profiles>
+
 	<build>
 		<plugins>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.1</version>
+				<version>3.2</version>
 				<configuration>
 					<source>1.8</source>
 					<target>1.8</target>

main/ui/pom.xml

@@ -12,18 +12,11 @@
 	<parent>
 		<groupId>org.cryptomator</groupId>
 		<artifactId>main</artifactId>
-		<version>0.3.0-SNAPSHOT</version>
+		<version>0.7.2</version>
 	</parent>
 	<artifactId>ui</artifactId>
 	<name>Cryptomator GUI</name>
 
-	<properties>
-		<javafx.application.name>Cryptomator</javafx.application.name>
-		<exec.mainClass>org.cryptomator.ui.MainApplication</exec.mainClass>
-		<javafx.tools.ant.jar>${java.home}/../lib/ant-javafx.jar</javafx.tools.ant.jar>
-		<controlsfx.version>8.20.8</controlsfx.version>
-	</properties>
-
 	<dependencies>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
@@ -49,15 +42,18 @@
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
 		</dependency>
-		
-		<!-- UI -->
 		<dependency>
-		    <groupId>org.controlsfx</groupId>
-		    <artifactId>controlsfx</artifactId>
-		    <version>${controlsfx.version}</version>
+			<groupId>commons-httpclient</groupId>
+			<artifactId>commons-httpclient</artifactId>
+		</dependency>
+
+		<!-- DI -->
+		<dependency>
+			<groupId>com.google.inject</groupId>
+			<artifactId>guice</artifactId>
 		</dependency>
 	</dependencies>
-
+	
 	<build>
 		<plugins>
 			<plugin>
@@ -72,49 +68,20 @@
 					</execution>
 				</executions>
 				<configuration>
+					<outputDirectory>${project.parent.build.directory}</outputDirectory>
+					<finalName>Cryptomator-${project.parent.version}</finalName>
 					<descriptorRefs>
 						<descriptorRef>jar-with-dependencies</descriptorRef>
 					</descriptorRefs>
-					<finalName>${javafx.application.name}</finalName>
 					<appendAssemblyId>false</appendAssemblyId>
 					<archive>
 						<manifestEntries>
-							<Main-Class>${exec.mainClass}</Main-Class>
+							<Main-Class>org.cryptomator.ui.Cryptomator</Main-Class>
+							<Implementation-Version>${project.version}</Implementation-Version>
 						</manifestEntries>
 					</archive>
 				</configuration>
 			</plugin>
-
-			<plugin>
-				<artifactId>maven-antrun-plugin</artifactId>
-				<version>1.7</version>
-				<executions>
-					<execution>
-						<id>create-deployment-bundle</id>
-						<phase>install</phase>
-						<goals>
-							<goal>run</goal>
-						</goals>
-						<configuration>
-							<target xmlns:fx="javafx:com.sun.javafx.tools.ant">
-								<taskdef uri="javafx:com.sun.javafx.tools.ant" resource="com/sun/javafx/tools/ant/antlib.xml" classpath="${project.basedir}:${javafx.tools.ant.jar}" />
-
-								<fx:deploy nativeBundles="all" outdir="${project.build.directory}/dist" outfile="${project.build.finalName}" verbose="false">
-									<fx:application name="${javafx.application.name}" version="${project.version}" mainClass="${exec.mainClass}" />
-									<fx:info title="${javafx.application.name}" vendor="cryptomator.org" copyright="cryptomator.org" license="MIT" category="Utility" />
-									<fx:platform basedir="" javafx="2.2+" j2se="8.0" />
-									<fx:resources>
-										<fx:fileset dir="${project.build.directory}" includes="${javafx.application.name}.jar" />
-									</fx:resources>
-									<fx:permissions elevated="false" />
-									<fx:preferences install="true" />
-								</fx:deploy>
-							</target>
-						</configuration>
-					</execution>
-				</executions>
-			</plugin>
-
 		</plugins>
 	</build>
 </project>

main/ui/src/main/java/org/cryptomator/ui/Cryptomator.java

@@ -0,0 +1,149 @@
+/*******************************************************************************
+ * Copyright (c) 2014 cryptomator.org
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Tillmann Gaida - initial implementation
+ *     Sebastian Stenzel - refactoring
+ ******************************************************************************/
+package org.cryptomator.ui;
+
+import java.io.File;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.CompletableFuture;
+import java.util.function.Consumer;
+
+import javafx.application.Application;
+
+import org.apache.commons.lang3.SystemUtils;
+import org.cryptomator.ui.util.SingleInstanceManager;
+import org.cryptomator.ui.util.SingleInstanceManager.RemoteInstance;
+import org.eclipse.jetty.util.ConcurrentHashSet;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class Cryptomator {
+	public static final Logger LOG = LoggerFactory.getLogger(MainApplication.class);
+
+	public static final CompletableFuture<Consumer<File>> OPEN_FILE_HANDLER = new CompletableFuture<>();
+
+	private static final Set<Runnable> SHUTDOWN_TASKS = new ConcurrentHashSet<>();
+	private static final CleanShutdownPerformer CLEAN_SHUTDOWN_PERFORMER = new CleanShutdownPerformer();
+
+	public static void main(String[] args) {
+		if (SystemUtils.IS_OS_MAC_OSX) {
+			/*
+			 * On OSX we're in an awkward position. We need to register a handler in the main thread of this application. However, we can't
+			 * even pass objects to the application, so we're forced to use a static CompletableFuture for the handler, which actually opens
+			 * the file in the application.
+			 * 
+			 * Code taken from https://github.com/axet/desktop/blob/master/src/main/java/com/github/axet/desktop/os/mac/AppleHandlers.java
+			 */
+			try {
+				final Class<?> applicationClass = Class.forName("com.apple.eawt.Application");
+				final Class<?> openFilesHandlerClass = Class.forName("com.apple.eawt.OpenFilesHandler");
+				final Method getApplication = applicationClass.getMethod("getApplication");
+				final Object application = getApplication.invoke(null);
+				final Method setOpenFileHandler = applicationClass.getMethod("setOpenFileHandler", openFilesHandlerClass);
+
+				final ClassLoader openFilesHandlerClassLoader = openFilesHandlerClass.getClassLoader();
+				final OpenFilesHandlerClassHandler openFilesHandlerHandler = new OpenFilesHandlerClassHandler();
+				final Object openFilesHandlerObject = Proxy.newProxyInstance(openFilesHandlerClassLoader, new Class<?>[] {openFilesHandlerClass}, openFilesHandlerHandler);
+
+				setOpenFileHandler.invoke(application, openFilesHandlerObject);
+			} catch (ReflectiveOperationException | RuntimeException e) {
+				// Since we're trying to call OS-specific code, we'll just have
+				// to hope for the best.
+				LOG.error("exception adding OSX file open handler", e);
+			}
+		}
+
+		/*
+		 * Perform certain things on VM termination.
+		 */
+		Runtime.getRuntime().addShutdownHook(CLEAN_SHUTDOWN_PERFORMER);
+
+		/*
+		 * Before starting the application, we check if there is already an instance running on this computer. If so, we send our command
+		 * line arguments to that instance and quit.
+		 */
+		final Optional<RemoteInstance> remoteInstance = SingleInstanceManager.getRemoteInstance(MainApplication.APPLICATION_KEY);
+
+		if (remoteInstance.isPresent()) {
+			try (RemoteInstance instance = remoteInstance.get()) {
+				LOG.info("An instance of Cryptomator is already running at {}.", instance.getRemotePort());
+				for (int i = 0; i < args.length; i++) {
+					remoteInstance.get().sendMessage(args[i], 100);
+				}
+			} catch (Exception e) {
+				LOG.error("Error forwarding arguments to remote instance", e);
+			}
+		} else {
+			Application.launch(MainApplication.class, args);
+		}
+	}
+
+	public static void addShutdownTask(Runnable r) {
+		SHUTDOWN_TASKS.add(r);
+	}
+
+	public static void removeShutdownTask(Runnable r) {
+		SHUTDOWN_TASKS.remove(r);
+	}
+
+	private static class CleanShutdownPerformer extends Thread {
+		@Override
+		public void run() {
+			LOG.debug("Shutting down");
+			SHUTDOWN_TASKS.forEach(r -> {
+				try {
+					r.run();
+				} catch (RuntimeException e) {
+					LOG.error("exception while shutting down", e);
+				}
+			});
+			SHUTDOWN_TASKS.clear();
+		}
+	}
+
+	private static void handleOpenFileRequest(File file) {
+		try {
+			OPEN_FILE_HANDLER.get().accept(file);
+		} catch (Exception e) {
+			LOG.error("exception handling file open event for file " + file.getAbsolutePath(), e);
+			throw new RuntimeException(e);
+		}
+	}
+
+	/**
+	 * Handler class taken from https://github.com/axet/desktop/blob/master/src/main/java/com/github/axet/desktop/os/mac/AppleHandlers.java
+	 */
+	private static class OpenFilesHandlerClassHandler implements InvocationHandler {
+		@Override
+		public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+			if (method.getName().equals("openFiles")) {
+				final Class<?> openFilesEventClass = Class.forName("com.apple.eawt.AppEvent$OpenFilesEvent");
+				final Method getFiles = openFilesEventClass.getMethod("getFiles");
+				Object e = args[0];
+				try {
+					@SuppressWarnings("unchecked")
+					final List<File> ff = (List<File>) getFiles.invoke(e);
+					for (File f : ff) {
+						handleOpenFileRequest(f);
+					}
+				} catch (RuntimeException ee) {
+					throw ee;
+				} catch (Exception ee) {
+					throw new RuntimeException(ee);
+				}
+			}
+			return null;
+		}
+	}
+}

main/ui/src/main/java/org/cryptomator/ui/InitializeController.java

@@ -1,238 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.ui;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.URL;
-import java.nio.file.DirectoryStream;
-import java.nio.file.FileAlreadyExistsException;
-import java.nio.file.FileVisitor;
-import java.nio.file.Files;
-import java.nio.file.InvalidPathException;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.util.Optional;
-import java.util.ResourceBundle;
-import java.util.concurrent.Future;
-
-import javafx.beans.value.ObservableValue;
-import javafx.event.ActionEvent;
-import javafx.fxml.FXML;
-import javafx.fxml.Initializable;
-import javafx.scene.control.Alert;
-import javafx.scene.control.Alert.AlertType;
-import javafx.scene.control.Button;
-import javafx.scene.control.ButtonType;
-import javafx.scene.control.Label;
-import javafx.scene.control.ProgressIndicator;
-import javafx.scene.control.TextField;
-import javafx.scene.input.KeyEvent;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang3.CharUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.cryptomator.crypto.aes256.Aes256Cryptor;
-import org.cryptomator.files.EncryptingFileVisitor;
-import org.cryptomator.ui.controls.ClearOnDisableListener;
-import org.cryptomator.ui.controls.SecPasswordField;
-import org.cryptomator.ui.model.Directory;
-import org.cryptomator.ui.util.FXThreads;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class InitializeController implements Initializable {
-
-	private static final Logger LOG = LoggerFactory.getLogger(InitializeController.class);
-	private static final int MAX_USERNAME_LENGTH = 250;
-
-	private ResourceBundle localization;
-	private Directory directory;
-	private InitializationListener listener;
-
-	@FXML
-	private TextField usernameField;
-
-	@FXML
-	private SecPasswordField passwordField;
-
-	@FXML
-	private SecPasswordField retypePasswordField;
-
-	@FXML
-	private Button okButton;
-
-	@FXML
-	private ProgressIndicator progressIndicator;
-
-	@FXML
-	private Label messageLabel;
-
-	@Override
-	public void initialize(URL url, ResourceBundle rb) {
-		this.localization = rb;
-		usernameField.addEventFilter(KeyEvent.KEY_TYPED, this::filterAlphanumericKeyEvents);
-		usernameField.textProperty().addListener(this::usernameFieldDidChange);
-		passwordField.textProperty().addListener(this::passwordFieldDidChange);
-		retypePasswordField.textProperty().addListener(this::retypePasswordFieldDidChange);
-		retypePasswordField.disableProperty().addListener(new ClearOnDisableListener(retypePasswordField));
-
-	}
-
-	// ****************************************
-	// Username field
-	// ****************************************
-
-	public void filterAlphanumericKeyEvents(KeyEvent t) {
-		if (t.getCharacter() == null || t.getCharacter().length() == 0) {
-			return;
-		}
-		char c = t.getCharacter().charAt(0);
-		if (!CharUtils.isAsciiAlphanumeric(c)) {
-			t.consume();
-		}
-	}
-
-	public void usernameFieldDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
-		if (StringUtils.length(newValue) > MAX_USERNAME_LENGTH) {
-			usernameField.setText(newValue.substring(0, MAX_USERNAME_LENGTH));
-		}
-		passwordField.setDisable(StringUtils.isEmpty(newValue));
-	}
-
-	// ****************************************
-	// Password field
-	// ****************************************
-
-	private void passwordFieldDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
-		retypePasswordField.setDisable(StringUtils.isEmpty(newValue));
-	}
-
-	// ****************************************
-	// Retype password field
-	// ****************************************
-
-	private void retypePasswordFieldDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
-		boolean passwordsAreEqual = passwordField.getText().equals(retypePasswordField.getText());
-		okButton.setDisable(!passwordsAreEqual);
-	}
-
-	// ****************************************
-	// OK button
-	// ****************************************
-
-	@FXML
-	protected void initializeVault(ActionEvent event) {
-		setControlsDisabled(true);
-		if (!isDirectoryEmpty() && !shouldEncryptExistingFiles()) {
-			return;
-		}
-		final String masterKeyFileName = usernameField.getText() + Aes256Cryptor.MASTERKEY_FILE_EXT;
-		final Path masterKeyPath = directory.getPath().resolve(masterKeyFileName);
-		final CharSequence password = passwordField.getCharacters();
-		OutputStream masterKeyOutputStream = null;
-		try {
-			progressIndicator.setVisible(true);
-			masterKeyOutputStream = Files.newOutputStream(masterKeyPath, StandardOpenOption.WRITE, StandardOpenOption.CREATE_NEW);
-			directory.getCryptor().encryptMasterKey(masterKeyOutputStream, password);
-			final Future<?> futureDone = FXThreads.runOnBackgroundThread(this::encryptExistingContents);
-			FXThreads.runOnMainThreadWhenFinished(futureDone, (result) -> {
-				progressIndicator.setVisible(false);
-				progressIndicator.setVisible(false);
-				directory.getCryptor().swipeSensitiveData();
-				if (listener != null) {
-					listener.didInitialize(this);
-				}
-			});
-		} catch (FileAlreadyExistsException ex) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			messageLabel.setText(localization.getString("initialize.messageLabel.alreadyInitialized"));
-		} catch (InvalidPathException ex) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			messageLabel.setText(localization.getString("initialize.messageLabel.invalidPath"));
-		} catch (IOException ex) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			LOG.error("I/O Exception", ex);
-		} finally {
-			usernameField.setText(null);
-			passwordField.swipe();
-			retypePasswordField.swipe();
-			IOUtils.closeQuietly(masterKeyOutputStream);
-		}
-	}
-
-	private void setControlsDisabled(boolean disable) {
-		usernameField.setDisable(disable);
-		passwordField.setDisable(disable);
-		retypePasswordField.setDisable(disable);
-		okButton.setDisable(disable);
-	}
-
-	private boolean isDirectoryEmpty() {
-		try {
-			final DirectoryStream<Path> dirContents = Files.newDirectoryStream(directory.getPath());
-			return !dirContents.iterator().hasNext();
-		} catch (IOException e) {
-			LOG.error("Failed to analyze directory.", e);
-			throw new IllegalStateException(e);
-		}
-	}
-
-	private boolean shouldEncryptExistingFiles() {
-		final Alert alert = new Alert(AlertType.CONFIRMATION);
-		alert.setTitle(localization.getString("initialize.alert.directoryIsNotEmpty.title"));
-		alert.setHeaderText(null);
-		alert.setContentText(localization.getString("initialize.alert.directoryIsNotEmpty.content"));
-
-		final Optional<ButtonType> result = alert.showAndWait();
-		return ButtonType.OK.equals(result.get());
-	}
-
-	private void encryptExistingContents() {
-		try {
-			final FileVisitor<Path> visitor = new EncryptingFileVisitor(directory.getPath(), directory.getCryptor(), this::shouldEncryptExistingFile);
-			Files.walkFileTree(directory.getPath(), visitor);
-		} catch (IOException ex) {
-			LOG.error("I/O Exception", ex);
-		}
-	}
-
-	private boolean shouldEncryptExistingFile(Path path) {
-		final String name = path.getFileName().toString();
-		return !directory.getPath().equals(path) && !name.endsWith(Aes256Cryptor.BASIC_FILE_EXT) && !name.endsWith(Aes256Cryptor.METADATA_FILE_EXT) && !name.endsWith(Aes256Cryptor.MASTERKEY_FILE_EXT);
-	}
-
-	/* Getter/Setter */
-
-	public Directory getDirectory() {
-		return directory;
-	}
-
-	public void setDirectory(Directory directory) {
-		this.directory = directory;
-	}
-
-	public InitializationListener getListener() {
-		return listener;
-	}
-
-	public void setListener(InitializationListener listener) {
-		this.listener = listener;
-	}
-
-	/* callback */
-
-	interface InitializationListener {
-		void didInitialize(InitializeController ctrl);
-	}
-
-}

main/ui/src/main/java/org/cryptomator/ui/MainApplication.java

@@ -9,8 +9,11 @@
 package org.cryptomator.ui;
 
 import java.io.IOException;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.ResourceBundle;
-import java.util.Set;
+import java.util.concurrent.ExecutorService;
 
 import javafx.application.Application;
 import javafx.application.Platform;
@@ -20,25 +23,69 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 
 import org.apache.commons.lang3.SystemUtils;
-import org.cryptomator.ui.settings.Settings;
+import org.cryptomator.ui.MainModule.ControllerFactory;
+import org.cryptomator.ui.controllers.MainController;
+import org.cryptomator.ui.model.Vault;
+import org.cryptomator.ui.util.ActiveWindowStyleSupport;
+import org.cryptomator.ui.util.DeferredCloser;
+import org.cryptomator.ui.util.SingleInstanceManager;
+import org.cryptomator.ui.util.SingleInstanceManager.LocalInstance;
 import org.cryptomator.ui.util.TrayIconUtil;
-import org.eclipse.jetty.util.ConcurrentHashSet;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Guice;
+import com.google.inject.Injector;
 
 public class MainApplication extends Application {
 
-	private static final Set<Runnable> SHUTDOWN_TASKS = new ConcurrentHashSet<>();
-	private static final CleanShutdownPerformer CLEAN_SHUTDOWN_PERFORMER = new CleanShutdownPerformer();
+	public static final String APPLICATION_KEY = "CryptomatorGUI";
 
-	public static void main(String[] args) {
-		Application.launch(args);
-		Runtime.getRuntime().addShutdownHook(CLEAN_SHUTDOWN_PERFORMER);
+	private static final Logger LOG = LoggerFactory.getLogger(MainApplication.class);
+
+	private final ExecutorService executorService;
+	private final ControllerFactory controllerFactory;
+	private final DeferredCloser closer;
+
+	public MainApplication() {
+		this(getInjector());
+	}
+
+	private static Injector getInjector() {
+		return Guice.createInjector(new MainModule());
+	}
+
+	public MainApplication(Injector injector) {
+		this(injector.getInstance(ExecutorService.class), injector.getInstance(ControllerFactory.class), injector.getInstance(DeferredCloser.class), injector.getInstance(MainApplicationReference.class));
+	}
+
+	public MainApplication(ExecutorService executorService, ControllerFactory controllerFactory, DeferredCloser closer, MainApplicationReference appRef) {
+		super();
+		this.executorService = executorService;
+		this.controllerFactory = controllerFactory;
+		this.closer = closer;
+		Cryptomator.addShutdownTask(closer::close);
+		appRef.set(this);
 	}
 
 	@Override
 	public void start(final Stage primaryStage) throws IOException {
+		ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
+		FXMLLoader.setDefaultClassLoader(contextClassLoader);
+		Platform.runLater(() -> {
+			/*
+			 * This fixes a bug on OSX where the magic file open handler leads to no context class loader being set in the AppKit (event)
+			 * thread if the application is not started opening a file.
+			 */
+			if (Thread.currentThread().getContextClassLoader() == null) {
+				Thread.currentThread().setContextClassLoader(contextClassLoader);
+			}
+		});
+
 		chooseNativeStylesheet();
 		final ResourceBundle rb = ResourceBundle.getBundle("localization");
 		final FXMLLoader loader = new FXMLLoader(getClass().getResource("/fxml/main.fxml"), rb);
+		loader.setControllerFactory(controllerFactory);
 		final Parent root = loader.load();
 		final MainController ctrl = loader.getController();
 		ctrl.setStage(primaryStage);
@@ -48,9 +95,48 @@ public class MainApplication extends Application {
 		primaryStage.sizeToScene();
 		primaryStage.setResizable(false);
 		primaryStage.show();
+		ActiveWindowStyleSupport.startObservingFocus(primaryStage);
 		TrayIconUtil.init(primaryStage, rb, () -> {
 			quit();
 		});
+
+		for (String arg : getParameters().getUnnamed()) {
+			handleCommandLineArg(ctrl, arg);
+		}
+
+		if (SystemUtils.IS_OS_MAC_OSX) {
+			Cryptomator.OPEN_FILE_HANDLER.complete(file -> handleCommandLineArg(ctrl, file.getAbsolutePath()));
+		}
+
+		LocalInstance cryptomatorGuiInstance = closer.closeLater(SingleInstanceManager.startLocalInstance(APPLICATION_KEY, executorService), LocalInstance::close).get().get();
+
+		cryptomatorGuiInstance.registerListener(arg -> handleCommandLineArg(ctrl, arg));
+	}
+
+	void handleCommandLineArg(final MainController ctrl, String arg) {
+		// only open files with our file extension:
+		if (!arg.endsWith(Vault.VAULT_FILE_EXTENSION)) {
+			LOG.warn("Invalid vault path %s", arg);
+			return;
+		}
+
+		// find correct location:
+		final Path path = FileSystems.getDefault().getPath(arg);
+		final Path vaultPath;
+		if (Files.isDirectory(path)) {
+			vaultPath = path;
+		} else if (Files.isRegularFile(path) && path.getParent().getFileName().toString().endsWith(Vault.VAULT_FILE_EXTENSION)) {
+			vaultPath = path.getParent();
+		} else {
+			LOG.warn("Invalid vault path %s", arg);
+			return;
+		}
+
+		// add vault to ctrl:
+		Platform.runLater(() -> {
+			ctrl.addVault(vaultPath, true);
+			ctrl.toFront();
+		});
 	}
 
 	private void chooseNativeStylesheet() {
@@ -65,8 +151,7 @@ public class MainApplication extends Application {
 
 	private void quit() {
 		Platform.runLater(() -> {
-			CLEAN_SHUTDOWN_PERFORMER.run();
-			Settings.save();
+			stop();
 			Platform.exit();
 			System.exit(0);
 		});
@@ -74,26 +159,28 @@ public class MainApplication extends Application {
 
 	@Override
 	public void stop() {
-		CLEAN_SHUTDOWN_PERFORMER.run();
-		Settings.save();
+		closer.close();
 	}
 
-	public static void addShutdownTask(Runnable r) {
-		SHUTDOWN_TASKS.add(r);
-	}
+	/**
+	 * Needed to inject MainApplication. Problem: Application needs to be set asap after injector creation.
+	 */
+	static class MainApplicationReference {
 
-	public static void removeShutdownTask(Runnable r) {
-		SHUTDOWN_TASKS.remove(r);
-	}
+		private Application application;
 
-	private static class CleanShutdownPerformer extends Thread {
-		@Override
-		public void run() {
-			SHUTDOWN_TASKS.forEach(r -> {
-				r.run();
-			});
-			SHUTDOWN_TASKS.clear();
+		private void set(Application application) {
+			this.application = application;
 		}
+
+		public Application get() {
+			if (application == null) {
+				throw new IllegalStateException("not yet ready.");
+			} else {
+				return application;
+			}
+		}
+
 	}
 
 }

main/ui/src/main/java/org/cryptomator/ui/MainController.java

@@ -1,200 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.ui;
-
-import java.io.File;
-import java.io.IOException;
-import java.net.URL;
-import java.util.Collection;
-import java.util.ResourceBundle;
-import java.util.stream.Collectors;
-
-import javafx.application.Platform;
-import javafx.collections.FXCollections;
-import javafx.collections.ListChangeListener;
-import javafx.collections.ObservableList;
-import javafx.event.ActionEvent;
-import javafx.fxml.FXML;
-import javafx.fxml.FXMLLoader;
-import javafx.fxml.Initializable;
-import javafx.scene.Parent;
-import javafx.scene.control.ContextMenu;
-import javafx.scene.control.ListCell;
-import javafx.scene.control.ListView;
-import javafx.scene.layout.HBox;
-import javafx.scene.layout.Pane;
-import javafx.stage.DirectoryChooser;
-import javafx.stage.Stage;
-
-import org.cryptomator.ui.InitializeController.InitializationListener;
-import org.cryptomator.ui.UnlockController.UnlockListener;
-import org.cryptomator.ui.UnlockedController.LockListener;
-import org.cryptomator.ui.controls.DirectoryListCell;
-import org.cryptomator.ui.model.Directory;
-import org.cryptomator.ui.settings.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class MainController implements Initializable, InitializationListener, UnlockListener, LockListener {
-
-	private static final Logger LOG = LoggerFactory.getLogger(MainController.class);
-
-	private Stage stage;
-
-	@FXML
-	private ContextMenu directoryContextMenu;
-
-	@FXML
-	private HBox rootPane;
-
-	@FXML
-	private ListView<Directory> directoryList;
-
-	@FXML
-	private Pane contentPane;
-
-	private ResourceBundle rb;
-
-	@Override
-	public void initialize(URL url, ResourceBundle rb) {
-		this.rb = rb;
-
-		final ObservableList<Directory> items = FXCollections.observableList(Settings.load().getDirectories());
-		directoryList.setItems(items);
-		directoryList.setCellFactory(this::createDirecoryListCell);
-		directoryList.getSelectionModel().getSelectedItems().addListener(this::selectedDirectoryDidChange);
-	}
-
-	@FXML
-	private void didClickAddDirectory(ActionEvent event) {
-		final DirectoryChooser dirChooser = new DirectoryChooser();
-		final File file = dirChooser.showDialog(stage);
-		if (file != null && file.canWrite()) {
-			final Directory dir = new Directory(file.toPath());
-			directoryList.getItems().add(dir);
-			directoryList.getSelectionModel().selectLast();
-		}
-	}
-
-	private ListCell<Directory> createDirecoryListCell(ListView<Directory> param) {
-		final DirectoryListCell cell = new DirectoryListCell();
-		cell.setContextMenu(directoryContextMenu);
-		return cell;
-	}
-
-	private void selectedDirectoryDidChange(ListChangeListener.Change<? extends Directory> change) {
-		final Directory selectedDir = directoryList.getSelectionModel().getSelectedItem();
-		if (selectedDir == null) {
-			stage.setTitle(rb.getString("app.name"));
-			showWelcomeView();
-		} else {
-			stage.setTitle(selectedDir.getName());
-			showDirectory(selectedDir);
-		}
-	}
-
-	@FXML
-	private void didClickRemoveSelectedEntry(ActionEvent e) {
-		final Directory selectedDir = directoryList.getSelectionModel().getSelectedItem();
-		directoryList.getItems().remove(selectedDir);
-		directoryList.getSelectionModel().clearSelection();
-	}
-
-	// ****************************************
-	// Subcontroller for right panel
-	// ****************************************
-
-	private void showDirectory(Directory directory) {
-		try {
-			if (directory.isUnlocked()) {
-				this.showUnlockedView(directory);
-			} else if (directory.containsMasterKey()) {
-				this.showUnlockView(directory);
-			} else {
-				this.showInitializeView(directory);
-			}
-		} catch (IOException e) {
-			LOG.error("Failed to analyze directory.", e);
-		}
-	}
-
-	private <T> T showView(String fxml) {
-		try {
-			final FXMLLoader loader = new FXMLLoader(getClass().getResource(fxml), rb);
-			final Parent root = loader.load();
-			contentPane.getChildren().clear();
-			contentPane.getChildren().add(root);
-			return loader.getController();
-		} catch (IOException e) {
-			throw new IllegalStateException("Failed to load fxml file.", e);
-		}
-	}
-
-	private void showWelcomeView() {
-		this.showView("/fxml/welcome.fxml");
-	}
-
-	private void showInitializeView(Directory directory) {
-		final InitializeController ctrl = showView("/fxml/initialize.fxml");
-		ctrl.setDirectory(directory);
-		ctrl.setListener(this);
-	}
-
-	@Override
-	public void didInitialize(InitializeController ctrl) {
-		showUnlockView(ctrl.getDirectory());
-	}
-
-	private void showUnlockView(Directory directory) {
-		final UnlockController ctrl = showView("/fxml/unlock.fxml");
-		ctrl.setDirectory(directory);
-		ctrl.setListener(this);
-	}
-
-	@Override
-	public void didUnlock(UnlockController ctrl) {
-		showUnlockedView(ctrl.getDirectory());
-		Platform.setImplicitExit(false);
-	}
-
-	private void showUnlockedView(Directory directory) {
-		final UnlockedController ctrl = showView("/fxml/unlocked.fxml");
-		ctrl.setDirectory(directory);
-		ctrl.setListener(this);
-	}
-
-	@Override
-	public void didLock(UnlockedController ctrl) {
-		showUnlockView(ctrl.getDirectory());
-		if (getUnlockedDirectories().isEmpty()) {
-			Platform.setImplicitExit(true);
-		}
-	}
-
-	/* Convenience */
-
-	public Collection<Directory> getDirectories() {
-		return directoryList.getItems();
-	}
-
-	public Collection<Directory> getUnlockedDirectories() {
-		return getDirectories().stream().filter(d -> d.isUnlocked()).collect(Collectors.toSet());
-	}
-
-	/* public Getter/Setter */
-
-	public Stage getStage() {
-		return stage;
-	}
-
-	public void setStage(Stage stage) {
-		this.stage = stage;
-	}
-
-}

main/ui/src/main/java/org/cryptomator/ui/MainModule.java

@@ -0,0 +1,111 @@
+/*******************************************************************************
+ * Copyright (c) 2014 cryptomator.org
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Tillmann Gaida - initial implementation
+ ******************************************************************************/
+package org.cryptomator.ui;
+
+import java.util.Comparator;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+import javafx.application.Application;
+import javafx.util.Callback;
+
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import org.cryptomator.crypto.Cryptor;
+import org.cryptomator.crypto.SamplingCryptorDecorator;
+import org.cryptomator.crypto.aes256.Aes256Cryptor;
+import org.cryptomator.ui.MainApplication.MainApplicationReference;
+import org.cryptomator.ui.model.VaultFactory;
+import org.cryptomator.ui.model.VaultObjectMapperProvider;
+import org.cryptomator.ui.settings.Settings;
+import org.cryptomator.ui.settings.SettingsProvider;
+import org.cryptomator.ui.util.DeferredCloser;
+import org.cryptomator.ui.util.DeferredCloser.Closer;
+import org.cryptomator.ui.util.SemVerComparator;
+import org.cryptomator.ui.util.mount.WebDavMounter;
+import org.cryptomator.ui.util.mount.WebDavMounterProvider;
+import org.cryptomator.webdav.WebDavServer;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.AbstractModule;
+import com.google.inject.Injector;
+import com.google.inject.Provider;
+import com.google.inject.Provides;
+import com.google.inject.name.Names;
+
+public class MainModule extends AbstractModule {
+
+	private final DeferredCloser deferredCloser = new DeferredCloser();
+
+	public static interface ControllerFactory extends Callback<Class<?>, Object> {
+
+	}
+
+	@Override
+	protected void configure() {
+		bind(DeferredCloser.class).toInstance(deferredCloser);
+		bind(ObjectMapper.class).annotatedWith(Names.named("VaultJsonMapper")).toProvider(VaultObjectMapperProvider.class);
+		bind(Settings.class).toProvider(SettingsProvider.class);
+		bind(WebDavMounter.class).toProvider(WebDavMounterProvider.class).asEagerSingleton();
+	}
+
+	@Provides
+	@Singleton
+	ControllerFactory getControllerFactory(Injector injector) {
+		return cls -> injector.getInstance(cls);
+	}
+
+	@Provides
+	@Singleton
+	MainApplicationReference getApplicationBinding() {
+		return new MainApplicationReference();
+	}
+
+	@Provides
+	Application getApplication(MainApplicationReference ref) {
+		return ref.get();
+	}
+
+	@Provides
+	@Named("SemVer")
+	@Singleton
+	Comparator<String> getSemVerComparator() {
+		return new SemVerComparator();
+	}
+
+	@Provides
+	@Singleton
+	ExecutorService getExec() {
+		return closeLater(Executors.newCachedThreadPool(), ExecutorService::shutdown);
+	}
+
+	@Provides
+	Cryptor getCryptor() {
+		return SamplingCryptorDecorator.decorate(new Aes256Cryptor());
+	}
+
+	@Provides
+	@Singleton
+	VaultFactory getVaultFactory(WebDavServer server, Provider<Cryptor> cryptorProvider, WebDavMounter mounter, DeferredCloser closer) {
+		return new VaultFactory(server, cryptorProvider, mounter, closer);
+	}
+
+	@Provides
+	@Singleton
+	WebDavServer getServer() {
+		final WebDavServer webDavServer = new WebDavServer();
+		webDavServer.start();
+		return closeLater(webDavServer, WebDavServer::stop);
+	}
+
+	<T> T closeLater(T object, Closer<T> closer) {
+		return deferredCloser.closeLater(object, closer).get().get();
+	}
+}

main/ui/src/main/java/org/cryptomator/ui/UnlockController.java

@@ -1,189 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.ui;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URL;
-import java.nio.file.DirectoryStream;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.util.ResourceBundle;
-import java.util.concurrent.Future;
-
-import javafx.application.Platform;
-import javafx.beans.value.ObservableValue;
-import javafx.event.ActionEvent;
-import javafx.fxml.FXML;
-import javafx.fxml.Initializable;
-import javafx.scene.control.Button;
-import javafx.scene.control.ComboBox;
-import javafx.scene.control.Label;
-import javafx.scene.control.ProgressIndicator;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.cryptomator.crypto.aes256.Aes256Cryptor;
-import org.cryptomator.crypto.exceptions.DecryptFailedException;
-import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
-import org.cryptomator.crypto.exceptions.WrongPasswordException;
-import org.cryptomator.ui.controls.SecPasswordField;
-import org.cryptomator.ui.model.Directory;
-import org.cryptomator.ui.util.FXThreads;
-import org.cryptomator.ui.util.MasterKeyFilter;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class UnlockController implements Initializable {
-
-	private static final Logger LOG = LoggerFactory.getLogger(UnlockController.class);
-
-	private ResourceBundle rb;
-	private UnlockListener listener;
-	private Directory directory;
-
-	@FXML
-	private ComboBox<String> usernameBox;
-
-	@FXML
-	private SecPasswordField passwordField;
-
-	@FXML
-	private Button unlockButton;
-
-	@FXML
-	private ProgressIndicator progressIndicator;
-
-	@FXML
-	private Label messageLabel;
-
-	@Override
-	public void initialize(URL url, ResourceBundle rb) {
-		this.rb = rb;
-
-		usernameBox.valueProperty().addListener(this::didChooseUsername);
-	}
-
-	// ****************************************
-	// Username box
-	// ****************************************
-
-	public void didChooseUsername(ObservableValue<? extends String> property, String oldValue, String newValue) {
-		if (newValue != null) {
-			Platform.runLater(passwordField::requestFocus);
-		}
-		passwordField.setDisable(StringUtils.isEmpty(newValue));
-	}
-
-	// ****************************************
-	// Unlock button
-	// ****************************************
-
-	@FXML
-	private void didClickUnlockButton(ActionEvent event) {
-		setControlsDisabled(true);
-		final String masterKeyFileName = usernameBox.getValue() + Aes256Cryptor.MASTERKEY_FILE_EXT;
-		final Path masterKeyPath = directory.getPath().resolve(masterKeyFileName);
-		final CharSequence password = passwordField.getCharacters();
-		InputStream masterKeyInputStream = null;
-		try {
-			progressIndicator.setVisible(true);
-			masterKeyInputStream = Files.newInputStream(masterKeyPath, StandardOpenOption.READ);
-			directory.getCryptor().decryptMasterKey(masterKeyInputStream, password);
-			if (!directory.startServer()) {
-				messageLabel.setText(rb.getString("unlock.messageLabel.startServerFailed"));
-				directory.getCryptor().swipeSensitiveData();
-				return;
-			}
-			directory.setUnlocked(true);
-			final Future<Boolean> futureMount = FXThreads.runOnBackgroundThread(directory::mount);
-			FXThreads.runOnMainThreadWhenFinished(futureMount, this::didUnlockAndMount);
-			FXThreads.runOnMainThreadWhenFinished(futureMount, (result) -> {
-				setControlsDisabled(false);
-			});
-		} catch (DecryptFailedException | IOException ex) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			messageLabel.setText(rb.getString("unlock.errorMessage.decryptionFailed"));
-			LOG.error("Decryption failed for technical reasons.", ex);
-		} catch (WrongPasswordException e) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			messageLabel.setText(rb.getString("unlock.errorMessage.wrongPassword"));
-			passwordField.requestFocus();
-		} catch (UnsupportedKeyLengthException ex) {
-			setControlsDisabled(false);
-			progressIndicator.setVisible(false);
-			messageLabel.setText(rb.getString("unlock.errorMessage.unsupportedKeyLengthInstallJCE"));
-			LOG.warn("Unsupported Key-Length. Please install Oracle Java Cryptography Extension (JCE).", ex);
-		} finally {
-			passwordField.swipe();
-			IOUtils.closeQuietly(masterKeyInputStream);
-		}
-	}
-
-	private void setControlsDisabled(boolean disable) {
-		usernameBox.setDisable(disable);
-		passwordField.setDisable(disable);
-		unlockButton.setDisable(disable);
-	}
-
-	private void findExistingUsernames() {
-		try {
-			DirectoryStream<Path> ds = MasterKeyFilter.filteredDirectory(directory.getPath());
-			final String masterKeyExt = Aes256Cryptor.MASTERKEY_FILE_EXT.toLowerCase();
-			usernameBox.getItems().clear();
-			for (final Path path : ds) {
-				final String fileName = path.getFileName().toString();
-				final int beginOfExt = fileName.toLowerCase().lastIndexOf(masterKeyExt);
-				final String baseName = fileName.substring(0, beginOfExt);
-				usernameBox.getItems().add(baseName);
-			}
-			if (usernameBox.getItems().size() == 1) {
-				usernameBox.getSelectionModel().selectFirst();
-			}
-		} catch (IOException e) {
-			LOG.trace("Invalid path: " + directory.getPath(), e);
-		}
-	}
-
-	private void didUnlockAndMount(boolean mountSuccess) {
-		progressIndicator.setVisible(false);
-		if (listener != null) {
-			listener.didUnlock(this);
-		}
-	}
-
-	/* Getter/Setter */
-
-	public Directory getDirectory() {
-		return directory;
-	}
-
-	public void setDirectory(Directory directory) {
-		this.directory = directory;
-		this.findExistingUsernames();
-	}
-
-	public UnlockListener getListener() {
-		return listener;
-	}
-
-	public void setListener(UnlockListener listener) {
-		this.listener = listener;
-	}
-
-	/* callback */
-
-	interface UnlockListener {
-		void didUnlock(UnlockController ctrl);
-	}
-
-}

main/ui/src/main/java/org/cryptomator/ui/controllers/ChangePasswordController.java

@@ -0,0 +1,204 @@
+package org.cryptomator.ui.controllers;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.StandardOpenOption;
+import java.util.ResourceBundle;
+
+import javafx.application.Application;
+import javafx.application.Platform;
+import javafx.beans.value.ObservableValue;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.Button;
+import javafx.scene.control.Hyperlink;
+import javafx.scene.text.Text;
+
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
+import org.cryptomator.crypto.exceptions.WrongPasswordException;
+import org.cryptomator.ui.controls.SecPasswordField;
+import org.cryptomator.ui.model.Vault;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Inject;
+
+public class ChangePasswordController implements Initializable {
+
+	private static final Logger LOG = LoggerFactory.getLogger(ChangePasswordController.class);
+
+	private ResourceBundle rb;
+	private ChangePasswordListener listener;
+	private Vault vault;
+
+	@FXML
+	private SecPasswordField oldPasswordField;
+
+	@FXML
+	private SecPasswordField newPasswordField;
+
+	@FXML
+	private SecPasswordField retypePasswordField;
+
+	@FXML
+	private Button changePasswordButton;
+
+	@FXML
+	private Text messageText;
+
+	@FXML
+	private Hyperlink downloadsPageLink;
+
+	private final Application app;
+
+	@Inject
+	public ChangePasswordController(Application app) {
+		super();
+		this.app = app;
+	}
+
+	@Override
+	public void initialize(URL location, ResourceBundle rb) {
+		this.rb = rb;
+
+		oldPasswordField.textProperty().addListener(this::passwordFieldsDidChange);
+		newPasswordField.textProperty().addListener(this::passwordFieldsDidChange);
+		retypePasswordField.textProperty().addListener(this::passwordFieldsDidChange);
+	}
+
+	// ****************************************
+	// Password fields
+	// ****************************************
+
+	private void passwordFieldsDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
+		boolean oldPasswordIsEmpty = oldPasswordField.getText().isEmpty();
+		boolean newPasswordIsEmpty = newPasswordField.getText().isEmpty();
+		boolean passwordsAreEqual = newPasswordField.getText().equals(retypePasswordField.getText());
+		changePasswordButton.setDisable(oldPasswordIsEmpty || newPasswordIsEmpty || !passwordsAreEqual);
+	}
+
+	// ****************************************
+	// Downloads link
+	// ****************************************
+
+	@FXML
+	public void didClickDownloadsLink(ActionEvent event) {
+		app.getHostServices().showDocument("https://cryptomator.org/downloads/");
+	}
+
+	// ****************************************
+	// Change password button
+	// ****************************************
+
+	@FXML
+	private void didClickChangePasswordButton(ActionEvent event) {
+		downloadsPageLink.setVisible(false);
+		final Path masterKeyPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_FILE);
+		final Path masterKeyBackupPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_BACKUP_FILE);
+
+		// decrypt with old password:
+		final CharSequence oldPassword = oldPasswordField.getCharacters();
+		try (final InputStream masterKeyInputStream = Files.newInputStream(masterKeyPath, StandardOpenOption.READ)) {
+			vault.getCryptor().decryptMasterKey(masterKeyInputStream, oldPassword);
+			Files.copy(masterKeyPath, masterKeyBackupPath, StandardCopyOption.REPLACE_EXISTING);
+		} catch (DecryptFailedException | IOException ex) {
+			messageText.setText(rb.getString("changePassword.errorMessage.decryptionFailed"));
+			LOG.error("Decryption failed for technical reasons.", ex);
+			newPasswordField.swipe();
+			retypePasswordField.swipe();
+			return;
+		} catch (WrongPasswordException e) {
+			messageText.setText(rb.getString("changePassword.errorMessage.wrongPassword"));
+			newPasswordField.swipe();
+			retypePasswordField.swipe();
+			Platform.runLater(oldPasswordField::requestFocus);
+			return;
+		} catch (UnsupportedKeyLengthException ex) {
+			messageText.setText(rb.getString("changePassword.errorMessage.unsupportedKeyLengthInstallJCE"));
+			LOG.warn("Unsupported Key-Length. Please install Oracle Java Cryptography Extension (JCE).", ex);
+			newPasswordField.swipe();
+			retypePasswordField.swipe();
+			return;
+		} catch (UnsupportedVaultException e) {
+			downloadsPageLink.setVisible(true);
+			if (e.isVaultOlderThanSoftware()) {
+				messageText.setText(rb.getString("changePassword.errorMessage.unsupportedVersion.vaultOlderThanSoftware") + " ");
+			} else if (e.isSoftwareOlderThanVault()) {
+				messageText.setText(rb.getString("changePassword.errorMessage.unsupportedVersion.softwareOlderThanVault") + " ");
+			}
+			newPasswordField.swipe();
+			retypePasswordField.swipe();
+			return;
+		} finally {
+			oldPasswordField.swipe();
+		}
+
+		// when we reach this line, decryption was successful.
+
+		// encrypt with new password:
+		final CharSequence newPassword = newPasswordField.getCharacters();
+		try (final OutputStream masterKeyOutputStream = Files.newOutputStream(masterKeyPath, StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.SYNC)) {
+			vault.getCryptor().encryptMasterKey(masterKeyOutputStream, newPassword);
+			messageText.setText(rb.getString("changePassword.infoMessage.success"));
+			Platform.runLater(this::didChangePassword);
+			// At this point the backup is still using the old password.
+			// It will be changed as soon as the user unlocks the vault the next time.
+			// This way he can still restore the old password, if he doesn't remember the new one.
+		} catch (IOException ex) {
+			LOG.error("Re-encryption failed for technical reasons. Restoring Backup.", ex);
+			this.restoreBackupQuietly();
+		} finally {
+			newPasswordField.swipe();
+			retypePasswordField.swipe();
+		}
+	}
+
+	private void restoreBackupQuietly() {
+		final Path masterKeyPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_FILE);
+		final Path masterKeyBackupPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_BACKUP_FILE);
+		try {
+			Files.copy(masterKeyBackupPath, masterKeyPath, StandardCopyOption.REPLACE_EXISTING);
+		} catch (IOException ex) {
+			LOG.error("Restoring Backup failed.", ex);
+		}
+	}
+
+	private void didChangePassword() {
+		if (listener != null) {
+			listener.didChangePassword(this);
+		}
+	}
+
+	/* Getter/Setter */
+
+	public Vault getVault() {
+		return vault;
+	}
+
+	public void setVault(Vault vault) {
+		this.vault = vault;
+	}
+
+	public ChangePasswordListener getListener() {
+		return listener;
+	}
+
+	public void setListener(ChangePasswordListener listener) {
+		this.listener = listener;
+	}
+
+	/* callback */
+
+	interface ChangePasswordListener {
+		void didChangePassword(ChangePasswordController ctrl);
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controllers/InitializeController.java

@@ -0,0 +1,133 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.ui.controllers;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.net.URL;
+import java.nio.file.FileAlreadyExistsException;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
+import java.util.ResourceBundle;
+
+import javafx.beans.value.ObservableValue;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.Button;
+import javafx.scene.control.Label;
+
+import org.cryptomator.ui.controls.SecPasswordField;
+import org.cryptomator.ui.model.Vault;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class InitializeController implements Initializable {
+
+	private static final Logger LOG = LoggerFactory.getLogger(InitializeController.class);
+
+	private ResourceBundle localization;
+	private Vault vault;
+	private InitializationListener listener;
+
+	@FXML
+	private SecPasswordField passwordField;
+
+	@FXML
+	private SecPasswordField retypePasswordField;
+
+	@FXML
+	private Button okButton;
+
+	@FXML
+	private Label messageLabel;
+
+	@Override
+	public void initialize(URL url, ResourceBundle rb) {
+		this.localization = rb;
+		passwordField.textProperty().addListener(this::passwordFieldsDidChange);
+		retypePasswordField.textProperty().addListener(this::passwordFieldsDidChange);
+	}
+
+	// ****************************************
+	// Password fields
+	// ****************************************
+
+	private void passwordFieldsDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
+		boolean passwordIsEmpty = passwordField.getText().isEmpty();
+		boolean passwordsAreEqual = passwordField.getText().equals(retypePasswordField.getText());
+		okButton.setDisable(passwordIsEmpty || !passwordsAreEqual);
+	}
+
+	// ****************************************
+	// OK button
+	// ****************************************
+
+	@FXML
+	protected void initializeVault(ActionEvent event) {
+		setControlsDisabled(true);
+		final Path masterKeyPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_FILE);
+		final CharSequence password = passwordField.getCharacters();
+		try (OutputStream masterKeyOutputStream = Files.newOutputStream(masterKeyPath, StandardOpenOption.WRITE, StandardOpenOption.CREATE_NEW)) {
+			vault.getCryptor().encryptMasterKey(masterKeyOutputStream, password);
+			final String dataRootDir = vault.getCryptor().encryptDirectoryPath("", FileSystems.getDefault().getSeparator());
+			final Path dataRootPath = vault.getPath().resolve("d").resolve(dataRootDir);
+			final Path metadataPath = vault.getPath().resolve("m");
+			Files.createDirectories(dataRootPath);
+			Files.createDirectories(metadataPath);
+			if (listener != null) {
+				listener.didInitialize(this);
+			}
+		} catch (FileAlreadyExistsException ex) {
+			messageLabel.setText(localization.getString("initialize.messageLabel.alreadyInitialized"));
+		} catch (InvalidPathException ex) {
+			messageLabel.setText(localization.getString("initialize.messageLabel.invalidPath"));
+		} catch (IOException ex) {
+			LOG.error("I/O Exception", ex);
+		} finally {
+			setControlsDisabled(false);
+			passwordField.swipe();
+			retypePasswordField.swipe();
+		}
+	}
+
+	private void setControlsDisabled(boolean disable) {
+		passwordField.setDisable(disable);
+		retypePasswordField.setDisable(disable);
+		okButton.setDisable(disable);
+	}
+
+	/* Getter/Setter */
+
+	public Vault getVault() {
+		return vault;
+	}
+
+	public void setVault(Vault vault) {
+		this.vault = vault;
+	}
+
+	public InitializationListener getListener() {
+		return listener;
+	}
+
+	public void setListener(InitializationListener listener) {
+		this.listener = listener;
+	}
+
+	/* callback */
+
+	interface InitializationListener {
+		void didInitialize(InitializeController ctrl);
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controllers/MacWarningsController.java

@@ -0,0 +1,58 @@
+package org.cryptomator.ui.controllers;
+
+import javafx.application.Application;
+import javafx.collections.ListChangeListener.Change;
+import javafx.collections.ObservableList;
+import javafx.collections.WeakListChangeListener;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.scene.control.ListView;
+import javafx.stage.Stage;
+
+import javax.inject.Inject;
+
+public class MacWarningsController {
+
+	@FXML
+	private ListView<String> warningsList;
+
+	private Stage stage;
+
+	private final Application application;
+
+	@Inject
+	public MacWarningsController(Application application) {
+		this.application = application;
+	}
+
+	@FXML
+	private void didClickDismissButton(ActionEvent event) {
+		stage.hide();
+	}
+
+	@FXML
+	private void didClickMoreInformationButton(ActionEvent event) {
+		application.getHostServices().showDocument("https://cryptomator.org/help.html#macWarning");
+	}
+
+	public void setMacWarnings(ObservableList<String> macWarnings) {
+		this.warningsList.setItems(macWarnings);
+		this.warningsList.getItems().addListener(new WeakListChangeListener<String>(this::warningsDidChange));
+	}
+
+	// closes this window automatically, if all warnings disappeared (e.g. due to an unmount event)
+	private void warningsDidChange(Change<? extends String> change) {
+		if (change.getList().isEmpty()) {
+			stage.hide();
+		}
+	}
+
+	public Stage getStage() {
+		return stage;
+	}
+
+	public void setStage(Stage stage) {
+		this.stage = stage;
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controllers/MainController.java

@@ -0,0 +1,387 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.ui.controllers;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.ResourceBundle;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.stream.Collectors;
+
+import javafx.application.Platform;
+import javafx.collections.FXCollections;
+import javafx.collections.ListChangeListener;
+import javafx.collections.ObservableList;
+import javafx.collections.SetChangeListener;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.FXMLLoader;
+import javafx.fxml.Initializable;
+import javafx.geometry.Side;
+import javafx.scene.Parent;
+import javafx.scene.Scene;
+import javafx.scene.control.ContextMenu;
+import javafx.scene.control.ListCell;
+import javafx.scene.control.ListView;
+import javafx.scene.control.ToggleButton;
+import javafx.scene.layout.HBox;
+import javafx.scene.layout.Pane;
+import javafx.stage.FileChooser;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+
+import org.cryptomator.ui.MainModule.ControllerFactory;
+import org.cryptomator.ui.controllers.ChangePasswordController.ChangePasswordListener;
+import org.cryptomator.ui.controllers.InitializeController.InitializationListener;
+import org.cryptomator.ui.controllers.UnlockController.UnlockListener;
+import org.cryptomator.ui.controllers.UnlockedController.LockListener;
+import org.cryptomator.ui.controls.DirectoryListCell;
+import org.cryptomator.ui.model.Vault;
+import org.cryptomator.ui.model.VaultFactory;
+import org.cryptomator.ui.settings.Settings;
+import org.cryptomator.ui.util.ActiveWindowStyleSupport;
+import org.cryptomator.ui.util.ObservableSetAggregator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Inject;
+
+public class MainController implements Initializable, InitializationListener, UnlockListener, LockListener, ChangePasswordListener {
+
+	private static final Logger LOG = LoggerFactory.getLogger(MainController.class);
+
+	private Stage stage;
+
+	@FXML
+	private ContextMenu vaultListCellContextMenu;
+
+	@FXML
+	private ContextMenu addVaultContextMenu;
+
+	@FXML
+	private HBox rootPane;
+
+	@FXML
+	private ListView<Vault> vaultList;
+
+	@FXML
+	private ToggleButton addVaultButton;
+
+	@FXML
+	private Pane contentPane;
+
+	private final ControllerFactory controllerFactory;
+	private final Settings settings;
+	private final VaultFactory vaultFactoy;
+	private final ObservableList<String> aggregatedMacWarnings;
+	private final SetChangeListener<String> macWarningsAggregator;
+	private final AtomicBoolean macWarningsWindowVisible;
+
+	private ResourceBundle rb;
+
+	@Inject
+	public MainController(ControllerFactory controllerFactory, Settings settings, VaultFactory vaultFactoy) {
+		super();
+		this.controllerFactory = controllerFactory;
+		this.settings = settings;
+		this.vaultFactoy = vaultFactoy;
+		this.aggregatedMacWarnings = FXCollections.observableList(new ArrayList<>());
+		this.macWarningsAggregator = new ObservableSetAggregator<>(this.aggregatedMacWarnings);
+		this.macWarningsWindowVisible = new AtomicBoolean();
+	}
+
+	@Override
+	public void initialize(URL url, ResourceBundle rb) {
+		this.rb = rb;
+
+		final ObservableList<Vault> items = FXCollections.observableList(settings.getDirectories());
+		vaultList.setItems(items);
+		vaultList.setCellFactory(this::createDirecoryListCell);
+		vaultList.getSelectionModel().getSelectedItems().addListener(this::selectedVaultDidChange);
+
+		aggregatedMacWarnings.addListener(this::macWarningsDidChange);
+	}
+
+	@FXML
+	private void didClickAddVault(ActionEvent event) {
+		if (addVaultContextMenu.isShowing()) {
+			addVaultContextMenu.hide();
+		} else {
+			addVaultContextMenu.show(addVaultButton, Side.RIGHT, 0.0, 0.0);
+		}
+	}
+
+	@FXML
+	private void willShowAddVaultContextMenu(WindowEvent event) {
+		addVaultButton.setSelected(true);
+	}
+
+	@FXML
+	private void didHideAddVaultContextMenu(WindowEvent event) {
+		addVaultButton.setSelected(false);
+	}
+
+	@FXML
+	private void didClickCreateNewVault(ActionEvent event) {
+		final FileChooser fileChooser = new FileChooser();
+		fileChooser.getExtensionFilters().add(new FileChooser.ExtensionFilter("Cryptomator vault", "*" + Vault.VAULT_FILE_EXTENSION));
+		final File file = fileChooser.showSaveDialog(stage);
+		if (file == null) {
+			return;
+		}
+		try {
+			final Path vaultDir;
+			// enforce .cryptomator file extension:
+			if (!file.getName().endsWith(Vault.VAULT_FILE_EXTENSION)) {
+				vaultDir = file.toPath().resolveSibling(file.getName() + Vault.VAULT_FILE_EXTENSION);
+			} else {
+				vaultDir = file.toPath();
+			}
+			if (!Files.exists(vaultDir)) {
+				Files.createDirectory(vaultDir);
+			}
+			addVault(vaultDir, true);
+		} catch (IOException e) {
+			LOG.error("Unable to create vault", e);
+		}
+	}
+
+	@FXML
+	private void didClickAddExistingVaults(ActionEvent event) {
+		final FileChooser fileChooser = new FileChooser();
+		fileChooser.getExtensionFilters().add(new FileChooser.ExtensionFilter("Cryptomator vault", "*" + Vault.VAULT_FILE_EXTENSION));
+		final List<File> files = fileChooser.showOpenMultipleDialog(stage);
+		if (files != null) {
+			for (final File file : files) {
+				addVault(file.toPath(), false);
+			}
+		}
+	}
+
+	/**
+	 * adds the given directory or selects it if it is already in the list of directories.
+	 * 
+	 * @param path non-null, writable, existing directory
+	 */
+	public void addVault(final Path path, boolean select) {
+		if (path == null || !Files.isWritable(path)) {
+			return;
+		}
+
+		final Path vaultPath;
+		if (path != null && Files.isDirectory(path)) {
+			vaultPath = path;
+		} else if (path != null && Files.isRegularFile(path) && path.getParent().getFileName().toString().endsWith(Vault.VAULT_FILE_EXTENSION)) {
+			vaultPath = path.getParent();
+		} else {
+			return;
+		}
+
+		final Vault vault = vaultFactoy.createVault(vaultPath);
+		if (!vaultList.getItems().contains(vault)) {
+			vaultList.getItems().add(vault);
+		}
+		vaultList.getSelectionModel().select(vault);
+	}
+
+	private ListCell<Vault> createDirecoryListCell(ListView<Vault> param) {
+		final DirectoryListCell cell = new DirectoryListCell();
+		cell.setVaultContextMenu(vaultListCellContextMenu);
+		return cell;
+	}
+
+	private void selectedVaultDidChange(ListChangeListener.Change<? extends Vault> change) {
+		final Vault selectedVault = vaultList.getSelectionModel().getSelectedItem();
+		if (selectedVault == null) {
+			stage.setTitle(rb.getString("app.name"));
+			showWelcomeView();
+		} else if (!Files.isDirectory(selectedVault.getPath())) {
+			Platform.runLater(() -> {
+				vaultList.getItems().remove(selectedVault);
+				vaultList.getSelectionModel().clearSelection();
+			});
+			stage.setTitle(rb.getString("app.name"));
+			showWelcomeView();
+		} else {
+			stage.setTitle(selectedVault.getName());
+			showVault(selectedVault);
+		}
+	}
+
+	@FXML
+	private void didClickRemoveSelectedEntry(ActionEvent e) {
+		final Vault selectedVault = vaultList.getSelectionModel().getSelectedItem();
+		vaultList.getItems().remove(selectedVault);
+		vaultList.getSelectionModel().clearSelection();
+	}
+
+	@FXML
+	private void didClickChangePassword(ActionEvent e) {
+		final Vault selectedVault = vaultList.getSelectionModel().getSelectedItem();
+		showChangePasswordView(selectedVault);
+	}
+
+	private void macWarningsDidChange(ListChangeListener.Change<? extends String> change) {
+		if (aggregatedMacWarnings.size() > 0) {
+			Platform.runLater(this::showMacWarningsWindow);
+		}
+	}
+
+	// ****************************************
+	// Subcontroller for right panel
+	// ****************************************
+
+	private void showVault(Vault vault) {
+		try {
+			if (vault.isUnlocked()) {
+				this.showUnlockedView(vault);
+			} else if (vault.containsMasterKey()) {
+				this.showUnlockView(vault);
+			} else {
+				this.showInitializeView(vault);
+			}
+		} catch (IOException e) {
+			LOG.error("Failed to analyze directory.", e);
+		}
+	}
+
+	private <T> T showView(String fxml) {
+		try {
+			final FXMLLoader loader = new FXMLLoader(getClass().getResource(fxml), rb);
+			loader.setControllerFactory(controllerFactory);
+			final Parent root = loader.load();
+			contentPane.getChildren().clear();
+			contentPane.getChildren().add(root);
+			return loader.getController();
+		} catch (IOException e) {
+			throw new IllegalStateException("Failed to load fxml file.", e);
+		}
+	}
+
+	private void showWelcomeView() {
+		this.showView("/fxml/welcome.fxml");
+	}
+
+	private void showInitializeView(Vault vault) {
+		final InitializeController ctrl = showView("/fxml/initialize.fxml");
+		ctrl.setVault(vault);
+		ctrl.setListener(this);
+	}
+
+	@Override
+	public void didInitialize(InitializeController ctrl) {
+		showUnlockView(ctrl.getVault());
+	}
+
+	private void showUnlockView(Vault vault) {
+		final UnlockController ctrl = showView("/fxml/unlock.fxml");
+		ctrl.setVault(vault);
+		ctrl.setListener(this);
+	}
+
+	@Override
+	public void didUnlock(UnlockController ctrl) {
+		ctrl.getVault().getNamesOfResourcesWithInvalidMac().addListener(this.macWarningsAggregator);
+		showUnlockedView(ctrl.getVault());
+		Platform.setImplicitExit(false);
+	}
+
+	private void showUnlockedView(Vault vault) {
+		final UnlockedController ctrl = showView("/fxml/unlocked.fxml");
+		ctrl.setVault(vault);
+		ctrl.setListener(this);
+	}
+
+	@Override
+	public void didLock(UnlockedController ctrl) {
+		ctrl.getVault().getNamesOfResourcesWithInvalidMac().removeListener(this.macWarningsAggregator);
+		showUnlockView(ctrl.getVault());
+		if (getUnlockedDirectories().isEmpty()) {
+			Platform.setImplicitExit(true);
+		}
+	}
+
+	private void showChangePasswordView(Vault vault) {
+		final ChangePasswordController ctrl = showView("/fxml/change_password.fxml");
+		ctrl.setVault(vault);
+		ctrl.setListener(this);
+	}
+
+	@Override
+	public void didChangePassword(ChangePasswordController ctrl) {
+		showUnlockView(ctrl.getVault());
+	}
+
+	private void showMacWarningsWindow() {
+		if (macWarningsWindowVisible.getAndSet(true) == false) {
+			try {
+				final FXMLLoader loader = new FXMLLoader(getClass().getResource("/fxml/mac_warnings.fxml"), rb);
+				loader.setControllerFactory(controllerFactory);
+
+				final Parent root = loader.load();
+				final Stage stage = new Stage();
+				stage.setTitle(rb.getString("macWarnings.windowTitle"));
+				stage.setScene(new Scene(root));
+				stage.sizeToScene();
+				stage.setResizable(false);
+				stage.setOnHidden(this::onHideMacWarningsWindow);
+				ActiveWindowStyleSupport.startObservingFocus(stage);
+
+				final MacWarningsController ctrl = loader.getController();
+				ctrl.setMacWarnings(this.aggregatedMacWarnings);
+				ctrl.setStage(stage);
+
+				stage.show();
+			} catch (IOException e) {
+				throw new IllegalStateException("Failed to load fxml file.", e);
+			}
+		}
+	}
+
+	private void onHideMacWarningsWindow(WindowEvent event) {
+		macWarningsWindowVisible.set(false);
+		aggregatedMacWarnings.clear();
+	}
+
+	/* Convenience */
+
+	public Collection<Vault> getDirectories() {
+		return vaultList.getItems();
+	}
+
+	public Collection<Vault> getUnlockedDirectories() {
+		return getDirectories().stream().filter(d -> d.isUnlocked()).collect(Collectors.toSet());
+	}
+
+	/* public Getter/Setter */
+
+	public Stage getStage() {
+		return stage;
+	}
+
+	public void setStage(Stage stage) {
+		this.stage = stage;
+	}
+
+	/**
+	 * Attempts to make the application window visible.
+	 */
+	public void toFront() {
+		stage.setIconified(false);
+		stage.show();
+		stage.toFront();
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controllers/UnlockController.java

@@ -0,0 +1,231 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.ui.controllers;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.StandardOpenOption;
+import java.util.ResourceBundle;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Future;
+
+import javafx.application.Application;
+import javafx.application.Platform;
+import javafx.beans.value.ObservableValue;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.Button;
+import javafx.scene.control.Hyperlink;
+import javafx.scene.control.ProgressIndicator;
+import javafx.scene.control.TextField;
+import javafx.scene.input.KeyEvent;
+import javafx.scene.text.Text;
+
+import javax.security.auth.DestroyFailedException;
+
+import org.apache.commons.lang3.CharUtils;
+import org.cryptomator.crypto.exceptions.DecryptFailedException;
+import org.cryptomator.crypto.exceptions.UnsupportedKeyLengthException;
+import org.cryptomator.crypto.exceptions.UnsupportedVaultException;
+import org.cryptomator.crypto.exceptions.WrongPasswordException;
+import org.cryptomator.ui.controls.SecPasswordField;
+import org.cryptomator.ui.model.Vault;
+import org.cryptomator.ui.util.FXThreads;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.inject.Inject;
+
+public class UnlockController implements Initializable {
+
+	private static final Logger LOG = LoggerFactory.getLogger(UnlockController.class);
+
+	private ResourceBundle rb;
+	private UnlockListener listener;
+	private Vault vault;
+
+	@FXML
+	private SecPasswordField passwordField;
+
+	@FXML
+	private TextField mountName;
+
+	@FXML
+	private Button unlockButton;
+
+	@FXML
+	private ProgressIndicator progressIndicator;
+
+	@FXML
+	private Text messageText;
+
+	@FXML
+	private Hyperlink downloadsPageLink;
+
+	private final ExecutorService exec;
+	private final Application app;
+
+	@Inject
+	public UnlockController(Application app, ExecutorService exec) {
+		super();
+		this.app = app;
+		this.exec = exec;
+	}
+
+	@Override
+	public void initialize(URL url, ResourceBundle rb) {
+		this.rb = rb;
+
+		passwordField.textProperty().addListener(this::passwordFieldsDidChange);
+		mountName.addEventFilter(KeyEvent.KEY_TYPED, this::filterAlphanumericKeyEvents);
+		mountName.textProperty().addListener(this::mountNameDidChange);
+	}
+
+	// ****************************************
+	// Password field
+	// ****************************************
+
+	private void passwordFieldsDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
+		boolean passwordIsEmpty = passwordField.getText().isEmpty();
+		unlockButton.setDisable(passwordIsEmpty);
+	}
+
+	// ****************************************
+	// Downloads link
+	// ****************************************
+
+	@FXML
+	public void didClickDownloadsLink(ActionEvent event) {
+		app.getHostServices().showDocument("https://cryptomator.org/downloads/");
+	}
+
+	// ****************************************
+	// Unlock button
+	// ****************************************
+
+	@FXML
+	private void didClickUnlockButton(ActionEvent event) {
+		setControlsDisabled(true);
+		progressIndicator.setVisible(true);
+		downloadsPageLink.setVisible(false);
+		final Path masterKeyPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_FILE);
+		final Path masterKeyBackupPath = vault.getPath().resolve(Vault.VAULT_MASTERKEY_BACKUP_FILE);
+		final CharSequence password = passwordField.getCharacters();
+		try (final InputStream masterKeyInputStream = Files.newInputStream(masterKeyPath, StandardOpenOption.READ)) {
+			vault.getCryptor().decryptMasterKey(masterKeyInputStream, password);
+			if (!vault.startServer()) {
+				messageText.setText(rb.getString("unlock.messageLabel.startServerFailed"));
+				vault.getCryptor().destroy();
+				return;
+			}
+			// at this point we know for sure, that the masterkey can be decrypted, so lets make a backup:
+			Files.copy(masterKeyPath, masterKeyBackupPath, StandardCopyOption.REPLACE_EXISTING);
+			vault.setUnlocked(true);
+			final Future<Boolean> futureMount = exec.submit(() -> vault.mount());
+			FXThreads.runOnMainThreadWhenFinished(exec, futureMount, this::unlockAndMountFinished);
+		} catch (DecryptFailedException | IOException ex) {
+			setControlsDisabled(false);
+			progressIndicator.setVisible(false);
+			messageText.setText(rb.getString("unlock.errorMessage.decryptionFailed"));
+			LOG.error("Decryption failed for technical reasons.", ex);
+		} catch (WrongPasswordException e) {
+			setControlsDisabled(false);
+			progressIndicator.setVisible(false);
+			messageText.setText(rb.getString("unlock.errorMessage.wrongPassword"));
+			Platform.runLater(passwordField::requestFocus);
+		} catch (UnsupportedKeyLengthException ex) {
+			setControlsDisabled(false);
+			progressIndicator.setVisible(false);
+			messageText.setText(rb.getString("unlock.errorMessage.unsupportedKeyLengthInstallJCE"));
+			LOG.warn("Unsupported Key-Length. Please install Oracle Java Cryptography Extension (JCE).", ex);
+		} catch (UnsupportedVaultException e) {
+			setControlsDisabled(false);
+			progressIndicator.setVisible(false);
+			downloadsPageLink.setVisible(true);
+			if (e.isVaultOlderThanSoftware()) {
+				messageText.setText(rb.getString("unlock.errorMessage.unsupportedVersion.vaultOlderThanSoftware") + " ");
+			} else if (e.isSoftwareOlderThanVault()) {
+				messageText.setText(rb.getString("unlock.errorMessage.unsupportedVersion.softwareOlderThanVault") + " ");
+			}
+		} catch (DestroyFailedException e) {
+			setControlsDisabled(false);
+			progressIndicator.setVisible(false);
+			LOG.error("Destruction of cryptor threw an exception.", e);
+		} finally {
+			passwordField.swipe();
+		}
+	}
+
+	private void setControlsDisabled(boolean disable) {
+		passwordField.setDisable(disable);
+		mountName.setDisable(disable);
+		unlockButton.setDisable(disable);
+	}
+
+	private void unlockAndMountFinished(boolean mountSuccess) {
+		progressIndicator.setVisible(false);
+		setControlsDisabled(false);
+		if (vault.isUnlocked() && !mountSuccess) {
+			vault.stopServer();
+		}
+		if (mountSuccess && listener != null) {
+			listener.didUnlock(this);
+		}
+	}
+
+	public void filterAlphanumericKeyEvents(KeyEvent t) {
+		if (t.getCharacter() == null || t.getCharacter().length() == 0) {
+			return;
+		}
+		char c = t.getCharacter().charAt(0);
+		if (!CharUtils.isAsciiAlphanumeric(c)) {
+			t.consume();
+		}
+	}
+
+	private void mountNameDidChange(ObservableValue<? extends String> property, String oldValue, String newValue) {
+		// newValue is guaranteed to be a-z0-9, see #filterAlphanumericKeyEvents
+		if (newValue.isEmpty()) {
+			mountName.setText(vault.getMountName());
+		} else {
+			vault.setMountName(newValue);
+		}
+	}
+
+	/* Getter/Setter */
+
+	public Vault getVault() {
+		return vault;
+	}
+
+	public void setVault(Vault vault) {
+		this.vault = vault;
+		this.mountName.setText(vault.getMountName());
+	}
+
+	public UnlockListener getListener() {
+		return listener;
+	}
+
+	public void setListener(UnlockListener listener) {
+		this.listener = listener;
+	}
+
+	/* callback */
+
+	interface UnlockListener {
+		void didUnlock(UnlockController ctrl);
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controllers/UnlockedController.java

@@ -6,7 +6,7 @@
  * Contributors:
  *     Sebastian Stenzel - initial API and implementation
  ******************************************************************************/
-package org.cryptomator.ui;
+package org.cryptomator.ui.controllers;
 
 import java.net.URL;
 import java.util.ResourceBundle;
@@ -26,15 +26,15 @@ import javafx.scene.control.Label;
 import javafx.util.Duration;
 
 import org.cryptomator.crypto.CryptorIOSampling;
-import org.cryptomator.ui.model.Directory;
+import org.cryptomator.ui.model.Vault;
+import org.cryptomator.ui.util.mount.CommandFailedException;
 
 public class UnlockedController implements Initializable {
 
 	private static final int IO_SAMPLING_STEPS = 100;
 	private static final double IO_SAMPLING_INTERVAL = 0.25;
-	private ResourceBundle rb;
 	private LockListener listener;
-	private Directory directory;
+	private Vault vault;
 	private Timeline ioAnimation;
 
 	@FXML
@@ -46,6 +46,8 @@ public class UnlockedController implements Initializable {
 	@FXML
 	private NumberAxis xAxis;
 
+	private ResourceBundle rb;
+
 	@Override
 	public void initialize(URL url, ResourceBundle rb) {
 		this.rb = rb;
@@ -53,9 +55,14 @@ public class UnlockedController implements Initializable {
 
 	@FXML
 	private void didClickCloseVault(ActionEvent event) {
-		directory.unmount();
-		directory.stopServer();
-		directory.setUnlocked(false);
+		try {
+			vault.unmount();
+		} catch (CommandFailedException e) {
+			messageLabel.setText(rb.getString("unlocked.label.unmountFailed"));
+			return;
+		}
+		vault.stopServer();
+		vault.setUnlocked(false);
 		if (listener != null) {
 			listener.didLock(this);
 		}
@@ -117,14 +124,12 @@ public class UnlockedController implements Initializable {
 
 	/* Getter/Setter */
 
-	public Directory getDirectory() {
-		return directory;
+	public Vault getVault() {
+		return vault;
 	}
 
-	public void setDirectory(Directory directory) {
-		this.directory = directory;
-		final String msg = String.format(rb.getString("unlocked.messageLabel.runningOnPort"), directory.getServer().getPort());
-		messageLabel.setText(msg);
+	public void setVault(Vault directory) {
+		this.vault = directory;
 
 		if (directory.getCryptor() instanceof CryptorIOSampling) {
 			startIoSampling((CryptorIOSampling) directory.getCryptor());

main/ui/src/main/java/org/cryptomator/ui/controllers/WelcomeController.java

@@ -0,0 +1,119 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Sebastian Stenzel
+ * This file is licensed under the terms of the MIT license.
+ * See the LICENSE.txt file for more info.
+ * 
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ ******************************************************************************/
+package org.cryptomator.ui.controllers;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.ResourceBundle;
+import java.util.concurrent.ExecutorService;
+
+import javafx.application.Application;
+import javafx.application.Platform;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.fxml.Initializable;
+import javafx.scene.control.Hyperlink;
+import javafx.scene.image.Image;
+import javafx.scene.image.ImageView;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpMethod;
+import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.httpclient.cookie.CookiePolicy;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.lang3.SystemUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+public class WelcomeController implements Initializable {
+
+	private static final Logger LOG = LoggerFactory.getLogger(WelcomeController.class);
+
+	@FXML
+	private ImageView botImageView;
+
+	@FXML
+	private Hyperlink updateLink;
+
+	private final Application app;
+	private final Comparator<String> semVerComparator;
+	private final ExecutorService executor;
+	private ResourceBundle rb;
+
+	@Inject
+	public WelcomeController(Application app, @Named("SemVer") Comparator<String> semVerComparator, ExecutorService executor) {
+		this.app = app;
+		this.semVerComparator = semVerComparator;
+		this.executor = executor;
+	}
+
+	@Override
+	public void initialize(URL url, ResourceBundle rb) {
+		this.rb = rb;
+		this.botImageView.setImage(new Image(WelcomeController.class.getResource("/bot_welcome.png").toString()));
+		executor.execute(this::checkForUpdates);
+	}
+
+	private void checkForUpdates() {
+		final HttpClient client = new HttpClient();
+		final HttpMethod method = new GetMethod("https://cryptomator.org/downloads/latestVersion.json");
+		client.getParams().setCookiePolicy(CookiePolicy.IGNORE_COOKIES);
+		client.getParams().setConnectionManagerTimeout(5000);
+		try {
+			client.executeMethod(method);
+			if (method.getStatusCode() == HttpStatus.SC_OK) {
+				final byte[] responseData = method.getResponseBody();
+				final ObjectMapper mapper = new ObjectMapper();
+				final Map<String, String> map = mapper.readValue(responseData, new TypeReference<HashMap<String, String>>() {
+				});
+				this.compareVersions(map);
+			}
+		} catch (IOException e) {
+			// no error handling required. Maybe next time the version check is successful.
+		}
+	}
+
+	private void compareVersions(final Map<String, String> latestVersions) {
+		final String latestVersion;
+		if (SystemUtils.IS_OS_MAC_OSX) {
+			latestVersion = latestVersions.get("mac");
+		} else if (SystemUtils.IS_OS_WINDOWS) {
+			latestVersion = latestVersions.get("win");
+		} else if (SystemUtils.IS_OS_LINUX) {
+			latestVersion = latestVersions.get("linux");
+		} else {
+			// no version check possible on unsupported OS
+			return;
+		}
+		final String currentVersion = WelcomeController.class.getPackage().getImplementationVersion();
+		LOG.debug("Current version: {}, lastest version: {}", currentVersion, latestVersion);
+		if (currentVersion != null && semVerComparator.compare(currentVersion, latestVersion) < 0) {
+			final String msg = String.format(rb.getString("welcome.newVersionMessage"), latestVersion, currentVersion);
+			Platform.runLater(() -> {
+				this.updateLink.setText(msg);
+				this.updateLink.setVisible(true);
+			});
+		}
+	}
+
+	@FXML
+	public void didClickUpdateLink(ActionEvent event) {
+		app.getHostServices().showDocument("https://cryptomator.org/#download");
+	}
+
+}

main/ui/src/main/java/org/cryptomator/ui/controls/ClearOnDisableListener.java

@@ -1,30 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Sebastian Stenzel
- * This file is licensed under the terms of the MIT license.
- * See the LICENSE.txt file for more info.
- * 
- * Contributors:
- *     Sebastian Stenzel - initial API and implementation
- ******************************************************************************/
-package org.cryptomator.ui.controls;
-
-import javafx.beans.value.ChangeListener;
-import javafx.beans.value.ObservableValue;
-import javafx.scene.control.TextInputControl;
-
-public class ClearOnDisableListener implements ChangeListener<Boolean> {
-
-	final TextInputControl control;
-
-	public ClearOnDisableListener(TextInputControl control) {
-		this.control = control;
-	}
-
-	@Override
-	public void changed(ObservableValue<? extends Boolean> property, Boolean wasDisabled, Boolean isDisabled) {
-		if (isDisabled) {
-			control.clear();
-		}
-	}
-
-}

main/ui/src/main/java/org/cryptomator/ui/controls/DirectoryListCell.java

@@ -3,15 +3,15 @@ package org.cryptomator.ui.controls;
 import javafx.beans.value.ChangeListener;
 import javafx.beans.value.ObservableValue;
 import javafx.scene.control.ContentDisplay;
-import javafx.scene.control.ListCell;
+import javafx.scene.control.ContextMenu;
 import javafx.scene.control.Tooltip;
 import javafx.scene.paint.Color;
 import javafx.scene.paint.Paint;
 import javafx.scene.shape.Circle;
 
-import org.cryptomator.ui.model.Directory;
+import org.cryptomator.ui.model.Vault;
 
-public class DirectoryListCell extends ListCell<Directory> implements ChangeListener<Boolean> {
+public class DirectoryListCell extends DraggableListCell<Vault> implements ChangeListener<Boolean> {
 
 	// fill: #FD4943, stroke: #E1443F
 	private static final Color RED_FILL = Color.rgb(253, 73, 67);
@@ -22,6 +22,7 @@ public class DirectoryListCell extends ListCell<Directory> implements ChangeList
 	private static final Color GREEN_STROKE = Color.rgb(48, 183, 64);
 
 	private final Circle statusIndicator = new Circle(4.5);
+	private ContextMenu vaultContextMenu;
 
 	public DirectoryListCell() {
 		setGraphic(statusIndicator);
@@ -30,8 +31,8 @@ public class DirectoryListCell extends ListCell<Directory> implements ChangeList
 	}
 
 	@Override
-	protected void updateItem(Directory item, boolean empty) {
-		final Directory oldItem = super.getItem();
+	protected void updateItem(Vault item, boolean empty) {
+		final Vault oldItem = super.getItem();
 		if (oldItem != null) {
 			oldItem.unlockedProperty().removeListener(this);
 		}
@@ -39,6 +40,7 @@ public class DirectoryListCell extends ListCell<Directory> implements ChangeList
 		if (item == null) {
 			setText(null);
 			setTooltip(null);
+			setContextMenu(null);
 			statusIndicator.setVisible(false);
 		} else {
 			setText(item.getName());
@@ -46,12 +48,14 @@ public class DirectoryListCell extends ListCell<Directory> implements ChangeList
 			statusIndicator.setVisible(true);
 			item.unlockedProperty().addListener(this);
 			updateStatusIndicator();
+			updateContextMenu();
 		}
 	}
 
 	@Override
 	public void changed(ObservableValue<? extends Boolean> observable, Boolean oldValue, Boolean newValue) {
 		updateStatusIndicator();
+		updateContextMenu();
 	}
 
 	private void updateStatusIndicator() {
@@ -61,4 +65,16 @@ public class DirectoryListCell extends ListCell<Directory> implements ChangeList
 		statusIndicator.setStroke(strokeColor);
 	}
 
+	private void updateContextMenu() {
+		if (getItem().isUnlocked()) {
+			this.setContextMenu(null);
+		} else {
+			this.setContextMenu(vaultContextMenu);
+		}
+	}
+
+	public void setVaultContextMenu(ContextMenu contextMenu) {
+		this.vaultContextMenu = contextMenu;
+	}
+
 }