Merge branch 'release/1.12.2'

See: https://github.com/cryptomator/cryptofs/pull/202#discussion_r1453615249

.github/ISSUE_TEMPLATE/bug.yml

@@ -26,6 +26,7 @@ body:
         Examples:
           - Operating System: Windows 10
           - Cryptomator: 1.5.16
+          - OneDrive: 23.226
           - LibreOffice: 7.1.4
       value: |
           - Operating System: 

.github/dependabot.yml

@@ -6,11 +6,38 @@ updates:
       interval: "weekly"
       day: "monday"
       time: "06:00"
-      timezone: "UTC"
+      timezone: "Etc/UTC"
     groups:
-      maven-dependencies:
+      java-test-dependencies:
+        patterns:
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "com.google.jimfs:jimfs"
+      maven-build-plugins:
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
+          - "org.codehaus.mojo:license-maven-plugin"
+      javafx:
+        patterns:
+          - "org.openjfx:*"
+      java-production-dependencies:
         patterns:
           - "*"
+        exclude-patterns:
+          - "org.openjfx:*"
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
+          - "org.codehaus.mojo:license-maven-plugin"
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "com.google.jimfs:jimfs"
 
   - package-ecosystem: "github-actions"
     directory: "/" # even for `.github/workflows`

.github/workflows/appimage.yml

@@ -10,8 +10,8 @@ on:
         required: false
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: '21.0.2+13'
 
 jobs:
   get-version:
@@ -29,16 +29,16 @@ jobs:
         include:
           - os: ubuntu-latest
             appimage-suffix: x86_64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
-            openjfx-sha: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-x64_bin-jmods.zip'
+            openjfx-sha: '7baed11ca56d5fee85995fa6612d4299f1e8b7337287228f7f12fd50407c56f8'
           - os: [self-hosted, Linux, ARM64]
             appimage-suffix: aarch64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-aarch64_bin-jmods.zip'
-            openjfx-sha: 'c0d80ebbe0aab404ef9ad8b46c05bf533a1e40b39b2720eebd9238d81f6326ca'
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-aarch64_bin-jmods.zip'
+            openjfx-sha: '871e7b9d7af16aef2e55c1b7830d0e0b2503b13dd8641374ba7e55ecb81d2ef9'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -68,12 +68,13 @@ jobs:
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,linux -DskipTests
+        run: mvn -B clean package -Plinux -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here appimage)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
@@ -84,7 +85,7 @@ jobs:
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
+          --compress zip-0
       - name: Prepare additional launcher
         run: envsubst '${SEMVER_STR} ${REVISION_NUM}' < dist/linux/launcher-gtk2.properties > launcher-gtk2.properties
         env:
@@ -102,7 +103,7 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2024 Skymatic GmbH"
           --app-version "${{  needs.get-version.outputs.semVerNum }}.${{  needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator"
@@ -163,7 +164,7 @@ jobs:
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: appimage-${{ matrix.appimage-suffix }}
           path: |

.github/workflows/build.yml

@@ -6,8 +6,8 @@ on:
     types: [labeled]
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21
 
 defaults:
   run:
@@ -18,14 +18,14 @@ jobs:
     name: Compile and Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -36,7 +36,7 @@ jobs:
           mvn -B verify
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-          -Pcoverage,dependency-check
+          -Pcoverage
           -Dsonar.projectKey=cryptomator_cryptomator
           -Dsonar.organization=cryptomator
           -Dsonar.host.url=https://sonarcloud.io

.github/workflows/check-jdk-updates.yml

@@ -0,0 +1,64 @@
+name: Checks JDK version for minor updates
+
+on:
+  schedule:
+    - cron: '0 0 1 * *' # run once a month at the first day of month
+
+env:
+  JDK_VERSION: '21.0.1+12'
+  JDK_VENDOR: zulu
+
+jobs:
+  jdk-current:
+    name: Check out current version
+    runs-on: ubuntu-latest
+    outputs:
+      jdk-date: ${{ steps.get-data.outputs.jdk-date}}
+    steps:
+      - uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JDK_VERSION }}
+          distribution: ${{ env.JDK_VENDOR }}
+          check-latest: false
+      - name: Read JAVA_VERSION_DATE and store in env variable
+        id: get-data
+        run: |
+          date=$(cat ${JAVA_HOME}/release | grep "JAVA_VERSION_DATE=\"" | awk -F'=' '{print $2}' | tr -d '"')
+          echo "jdk-date=${date}" >> "$GITHUB_OUTPUT"
+  jdk-latest:
+    name: Checkout latest jdk version
+    runs-on: ubuntu-latest
+    outputs:
+      jdk-date: ${{ steps.get-data.outputs.jdk-date}}
+      jdk-version: ${{ steps.get-data.outputs.jdk-version}}
+    steps:
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: ${{ env.JDK_VENDOR }}
+          check-latest: true
+      - name: Read JAVA_VERSION_DATE and store in env variable
+        id: get-data
+        run: |
+          date=$(cat ${JAVA_HOME}/release | grep "JAVA_VERSION_DATE=\"" | awk -F'=' '{print $2}' | tr -d '"')
+          echo "jdk-date=${date}" >> "$GITHUB_OUTPUT"
+          version=$(cat ${JAVA_HOME}/release | grep "JAVA_RUNTIME_VERSION=\"" | awk -F'=' '{print $2}' | tr -d '"')
+          echo "jdk-version=${version}" >> "$GITHUB_OUTPUT"
+  notify:
+    name: Notifies for jdk update
+    runs-on: ubuntu-latest
+    needs: [jdk-current, jdk-latest]
+    if: ${{ needs.jdk-latest.outputs.jdk-date }} > ${{ needs.jdk-current.outputs.jdk-date }}
+    steps:
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "JDK update available"
+          SLACK_MESSAGE: "Cryptomator-CI JDK can be upgraded to ${{ needs.jdk-latest.outputs.jdk-version }}. See https://github.com/cryptomator/cryptomator/wiki/How-to-update-the-build-JDK for instructions."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/debian.yml

@@ -16,19 +16,21 @@ on:
         type: boolean
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: 'f522ac2ae4bdd61f0219b7b8d2058ff72a22f36a44378453bcfdcd82f8f5e08c'
-  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_linux-aarch64_bin-jmods.zip'
-  OPENJFX_JMODS_AARCH64_HASH: 'c0d80ebbe0aab404ef9ad8b46c05bf533a1e40b39b2720eebd9238d81f6326ca'
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: '21.0.2+13'
+  COFFEELIBS_JDK: 21
+  COFFEELIBS_JDK_VERSION: '21.0.2+13-0ppa1'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: '7baed11ca56d5fee85995fa6612d4299f1e8b7337287228f7f12fd50407c56f8'
+  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-aarch64_bin-jmods.zip'
+  OPENJFX_JMODS_AARCH64_HASH: '871e7b9d7af16aef2e55c1b7830d0e0b2503b13dd8641374ba7e55ecb81d2ef9'
 
 jobs:
   build:
     name: Build Debian Package
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: versions
         name: Get version information
         run: |
@@ -42,16 +44,16 @@ jobs:
         run: |
           sudo add-apt-repository ppa:coffeelibs/openjdk
           sudo apt-get update
-          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.JAVA_VERSION }} libgtk2.0-0
+          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK }}=${{ env.COFFEELIBS_JDK_VERSION }} libgtk2.0-0
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           check-latest: true
           cache: 'maven'
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,linux -DskipTests
+        run: mvn -B clean package -Plinux -DskipTests
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
@@ -126,7 +128,7 @@ jobs:
         run: |
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: linux-deb-package
           path: |
@@ -148,4 +150,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
         run: |
           artifacts=$(ls | grep cryptomator*.deb)
-          gh release upload ${{ github.ref_name }} $artifacts
+          gh release upload ${{ github.ref_name }} $artifacts

.github/workflows/dependency-check.yml

@@ -0,0 +1,17 @@
+name: OWASP Maven Dependency Check
+on:
+  schedule:
+    - cron: '0 8 * * 0'
+  workflow_dispatch:
+
+
+jobs:
+  check-dependencies:
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
+    with:
+      runner-os: 'ubuntu-latest'
+      java-distribution: 'temurin'
+      java-version: 21
+    secrets:
+      nvd-api-key: ${{ secrets.NVD_API_KEY }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/dl-stats.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Get download count of latest releases
         id: get-stats
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query($owner:String!, $name:String!) {

.github/workflows/error-db.yml

@@ -2,7 +2,7 @@ name: Update Error Database
 
 on:
   discussion:
-    types: [created, edited, category_changed, answered, unanswered]
+    types: [created, edited, deleted, category_changed, answered, unanswered]
   discussion_comment:
     types: [created, edited, deleted]
 
@@ -12,8 +12,9 @@ jobs:
     if: github.event.discussion.category.name == 'Errors'
     steps:
       - name: Query Discussion Data
+        if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted'
         id: query-data
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query ($owner: String!, $name: String!, $discussionNumber: Int!) {
@@ -47,8 +48,13 @@ jobs:
       - name: Merge Error Code Data
         run: |
           jq -c '.' ${{ steps.get-gist.outputs.file }} > original.json
-          echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
-          jq -s '.[0] * .[1]' original.json new.json > merged.json
+          if [ ! -z "$DISCUSSION" ]
+          then
+            echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
+            jq -s '.[0] * .[1]' original.json new.json > merged.json
+          else
+            cat original.json | jq 'del(.[] | select(.url=="https://github.com/cryptomator/cryptomator/discussions/${{ github.event.discussion.number }}"))' > merged.json
+          fi
         env:
           DISCUSSION: ${{ steps.query-data.outputs.result }}
       - name: Patch Gist

.github/workflows/get-version.yml

@@ -22,8 +22,8 @@ on:
         value: ${{ jobs.determine-version.outputs.type }}
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21
 
 jobs:
   determine-version:
@@ -35,11 +35,11 @@ jobs:
       revNum: ${{ steps.versions.outputs.revNum }}
       type: ${{ steps.versions.outputs.type}}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}

.github/workflows/mac-dmg.yml

@@ -15,8 +15,8 @@ on:
         type: boolean
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: '21.0.2+13'
 
 jobs:
   get-version:
@@ -37,19 +37,19 @@ jobs:
           output-suffix: x64
           xcode-path: '/Applications/Xcode_13.2.1.app'
           fuse-lib: macFUSE
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-x64_bin-jmods.zip'
-          openjfx-sha: '55b8ff7453d59c89ae129f6c9c5ad7b09a5d359568811b376ac1766c14d6a17c'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_osx-x64_bin-jmods.zip'
+          openjfx-sha: 'bd6abab20da73d5a968dcf2fd915d81b5fb919340e3bb84979ee9a888a829939'
         - os: [self-hosted, macOS, ARM64]
           architecture: aarch64
           output-suffix: arm64
           xcode-path: '/Applications/Xcode_13.2.1.app'
           fuse-lib: FUSE-T
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-aarch64_bin-jmods.zip'
-          openjfx-sha: 'c60f5f19aa847e0e620e0b011e5de68f2c6755641c2141cec27a0b89f612beaf'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_osx-aarch64_bin-jmods.zip'
+          openjfx-sha: '7afaa1c57a6cc3c384d636e597b9a5364693e2db4aaec0a6e63d2fa964400b58'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -62,7 +62,7 @@ jobs:
           curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
           echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
           mkdir -p openjfx-jmods/
-          unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
       - name: Ensure major jfx version in pom and in jmods is the same
         run: |
           JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
@@ -72,19 +72,20 @@ jobs:
           POM_JFX_VERSION=${POM_JFX_VERSION#*@}
           POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
 
-          if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then
+          if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
             >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
             exit 1
           fi
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,mac -DskipTests
+        run: mvn -B clean package -Pmac -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here dmg)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
@@ -95,7 +96,7 @@ jobs:
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
+          --compress zip-0
       - name: Run jpackage
         run: >
           ${JAVA_HOME}/bin/jpackage
@@ -108,7 +109,7 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2024 Skymatic GmbH"
           --app-version "${{ needs.get-version.outputs.semVerNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=org.cryptomator.jfuse.mac"
@@ -222,7 +223,6 @@ jobs:
           --app-drop-link 512 245
           --eula "dist/mac/dmg/resources/license.rtf"
           --icon ".background" 128 758
-          --icon ".fseventsd" 320 758
           --icon ".VolumeIcon.icns" 512 758
           Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
         env:
@@ -250,7 +250,7 @@ jobs:
         run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
         continue-on-error: true
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: dmg-${{ matrix.output-suffix }}
           path: Cryptomator-*.dmg

.github/workflows/no-response.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           days-before-stale: 14
           days-before-close: 0

.github/workflows/pullrequest.yml

@@ -4,8 +4,8 @@ on:
   pull_request:
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21
 
 defaults:
   run:
@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Build and Test
-        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage,dependency-check
+        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage

.github/workflows/release-check.yml

@@ -10,12 +10,22 @@ defaults:
   run:
     shell: bash
 
+env:
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: 21
+
 jobs:
-  release-check-precondition:
+  check-preconditions:
     name: Validate commits pushed to release/hotfix branch to fulfill release requirements
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ env.JAVA_DIST }}
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
       - id: validate-pom-version
         name: Validate POM version
         run: |
@@ -37,4 +47,19 @@ jobs:
           if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\"/>" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
             echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
             exit 1
-          fi
+          fi
+      - name: Cache NVD DB
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data/
+          key: dependency-check-${{ github.run_id }}
+          restore-keys: |
+            dependency-check
+        env:
+          SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5
+      - name: Run org.owasp:dependency-check plugin
+        id: dependency-check
+        continue-on-error: true
+        run: mvn -B verify -Pdependency-check -DskipTests
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

.github/workflows/stale.yml

@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           days-before-stale: 365
           days-before-close: 90

.github/workflows/win-exe.yml

@@ -14,10 +14,12 @@ on:
 
 
 env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: 20
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'
+  JAVA_DIST: 'zulu'
+  JAVA_VERSION: '21.0.2+13'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_windows-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: 'daf8acae631c016c24cfe23f88469400274d3441dd890615a42dfb501f3eb94a'
+  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-2.0.23075.msi'
+  WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
 
 defaults:
   run:
@@ -37,9 +39,9 @@ jobs:
       LOOPBACK_ALIAS: 'cryptomator-vault'
       WIN_CONSOLE_FLAG: ''
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -71,12 +73,13 @@ jobs:
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,win -DskipTests
+        run: mvn -B clean package -Pwin -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here msi)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
@@ -87,7 +90,7 @@ jobs:
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
+          --compress zip-0
       - name: Change win-console flag if debug is active
         if: ${{ inputs.isDebug }}
         run: echo "WIN_CONSOLE_FLAG=--win-console" >> $GITHUB_ENV
@@ -103,7 +106,7 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2024 Skymatic GmbH"
           --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=org.cryptomator.jfuse.win"
@@ -143,9 +146,29 @@ jobs:
       - name: Fix permissions
         run: attrib -r appdir/Cryptomator/Cryptomator.exe
         shell: pwsh
-      - name: Extract integrations DLL for code signing
+      - name: Extract jars with DLLs for Codesigning
         shell: pwsh
-        run: gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --extract integrations.dll }
+        run: |
+          Add-Type -AssemblyName "System.io.compression.filesystem"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          $jarExtractDir = New-Item -Path ".\appdir\jar-extract" -ItemType Directory
+
+          #for all jars inspect
+          Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+              $jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+              if (@($jar.Entries | Where-Object {$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+                  #jars containing dlls extract
+                  Set-Location $jarExtractDir
+                  Expand-Archive -Path $_.FullName
+              }
+              $jar.Dispose()
+          }
+      - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+        shell: pwsh
+        run: |
+          New-Item -Path appdir/jpackage-jmod -ItemType Directory
+          & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
+          Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
       - name: Codesign
         uses: skymatic/code-sign-action@v2
         with:
@@ -154,12 +177,22 @@ jobs:
           certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
           description: Cryptomator
           timestampUrl: 'http://timestamp.digicert.com'
-          folder: appdir/Cryptomator
+          folder: appdir
           recursive: true
-      - name: Repack signed DLL into jar
+      - name: Replace DLLs inside jars with signed ones
         shell: pwsh
         run: |
-          gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --update integrations.dll; Remove-Item integrations.dll}
+          $jarExtractDir = Resolve-Path ".\appdir\jar-extract"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          Get-ChildItem -Path $jarExtractDir | ForEach-Object {
+              $jarName = $_.Name
+              $jarFile = "${jarFolder}\${jarName}.jar"
+              Set-Location $_
+              Get-ChildItem -Path $_ -Recurse -File "*.dll" | ForEach-Object {
+                  # update jar with signed dll
+                  jar --file="$jarFile" --update $(Resolve-Path -Relative -Path $_)
+              }
+          }
       - name: Generate license for MSI
         run: >
           mvn -B license:add-third-party
@@ -181,7 +214,7 @@ jobs:
           --dest installer
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2024 Skymatic GmbH"
           --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
           --win-menu
           --win-dir-chooser
@@ -193,6 +226,7 @@ jobs:
           --file-associations dist/win/resources/FAvaultFile.properties
         env:
           JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
+          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
       - name: Codesign MSI
         uses: skymatic/code-sign-action@v2
         with:
@@ -212,7 +246,7 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: msi
           path: |
@@ -234,15 +268,15 @@ jobs:
     runs-on: windows-latest
     needs: [get-version, build-msi]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download .msi
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: msi
           path: dist/win/bundle/resources
       - name: Strip version info from msi file name
         run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
@@ -261,8 +295,11 @@ jobs:
         shell: pwsh
       - name: Download WinFsp
         run: |
-          $winfspUrl = (Select-String -Path ".\dist\win\bundle\resources\winFspMetaData.wxi" -Pattern '<\?define BundledWinFspDownloadLink="(.+)".*?>').Matches.Groups[1].Value
-          curl --output dist/win/bundle/resources/winfsp.msi -L $winfspUrl
+          curl --output dist/win/bundle/resources/winfsp.msi -L ${{ env.WINFSP_MSI }}
+        shell: pwsh
+      - name: Download Legacy-WinFsp uninstaller
+        run: |
+          curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
         shell: pwsh
       - name: Compile to wixObj file
         run: >
@@ -272,7 +309,7 @@ jobs:
           -out dist/win/bundle/
           -dBundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
           -dBundleVendor="Skymatic GmbH"
-          -dBundleCopyright="(C) 2016 - 2023 Skymatic GmbH"
+          -dBundleCopyright="(C) 2016 - 2024 Skymatic GmbH"
           -dAboutUrl="https://cryptomator.org"
           -dHelpUrl="https://cryptomator.org/contact"
           -dUpdateUrl="https://cryptomator.org/downloads/"
@@ -320,7 +357,7 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: exe
           path: |
@@ -344,12 +381,12 @@ jobs:
     needs: [build-msi, build-exe]
     steps:
       - name: Download .msi
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: msi
           path: msi
       - name: Download .exe
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: exe
           path: exe
@@ -376,3 +413,21 @@ jobs:
           username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
           password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
           local-dir: files/
+  notify-winget:
+    name: Notify for winget-release
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build-msi]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "MSI of ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
+          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml| release to winget>."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/winget.yml

@@ -0,0 +1,27 @@
+name: Publish  MSI to winget-pkgs
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+
+jobs:
+  winget:
+    name: Publish winget package
+    runs-on: windows-latest
+    steps:
+      - name: Sync winget-pkgs fork
+        run: |
+          gh repo sync cryptomator/winget-pkgs -b master --force
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}
+      - name: Submit package
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: Cryptomator.Cryptomator
+          version: ${{ inputs.tag }}
+          release-tag: ${{ inputs.tag }}
+          installers-regex: '\.msi$'
+          token: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}

.idea/compiler.xml

@@ -14,10 +14,10 @@
         <option name="dagger.fastInit" value="enabled" />
         <option name="dagger.formatGeneratedSource" value="enabled" />
         <processorPath useClasspath="false">
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.45/dagger-compiler-2.45.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.45/dagger-2.45.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.48.1/dagger-compiler-2.48.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.48.1/dagger-2.48.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.45/dagger-producers-2.45.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-producers/2.48.1/dagger-producers-2.48.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/31.0.1-jre/guava-31.0.1-jre.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
@@ -26,20 +26,19 @@
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.7.1/error_prone_annotations-2.7.1.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.5/checker-compat-qual-2.5.5.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.45/dagger-spi-2.45.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/1.7.0-1.0.6/symbol-processing-api-1.7.0-1.0.6.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/1.7.0/kotlin-stdlib-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-common/1.7.0/kotlin-stdlib-common-1.7.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.48.1/dagger-spi-2.48.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/1.9.0-1.0.12/symbol-processing-api-1.9.0-1.0.12.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/1.9.0/kotlin-stdlib-1.9.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-common/1.9.0/kotlin-stdlib-common-1.9.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/squareup/javapoet/1.13.0/javapoet-1.13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.7.0/kotlin-stdlib-jdk8-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.7.0/kotlin-stdlib-jdk7-1.7.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.5/google-java-format-1.5.jar" />
           <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/javac-shaded/9-dev-r4023-3/javac-shaded-9-dev-r4023-3.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.6.10/kotlin-stdlib-jdk8-1.6.10.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.6.10/kotlin-stdlib-jdk7-1.6.10.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
           <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlinx/kotlinx-metadata-jvm/0.5.0/kotlinx-metadata-jvm-0.5.0.jar" />
         </processorPath>
         <module name="cryptomator" />
       </profile>

.idea/misc.xml

@@ -8,7 +8,7 @@
       </list>
     </option>
   </component>
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_20_PREVIEW" project-jdk-name="20" project-jdk-type="JavaSDK">
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_21_PREVIEW" project-jdk-name="21" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
   </component>
 </project>

README.md

@@ -30,9 +30,10 @@ Cryptomator is provided free of charge as an open-source project despite the hig
 <table>
   <tbody>
     <tr>
-      <td><a href="https://mowcapital.com/"><img src="https://cryptomator.org/img/sponsors/mowcapital.svg" alt="Mow Capital" height="40"></a></td>
+      <td><a href="https://mowcapital.com/"><img src="https://cryptomator.org/img/sponsors/mowcapital.svg" alt="Mow Capital" height="28"></a></td>
       <td><a href="https://www.easeus.com/"><img src="https://cryptomator.org/img/sponsors/easeus.png" alt="EaseUS" height="40"></a></td>
       <td><a href="https://www.hassmann-it-forensik.de/"><img src="https://cryptomator.org/img/sponsors/hassmannitforensik.png" alt="Hassmann IT-Forensik" height="40"></a></td>
+      <td><a href="https://ente.io/"><img src="https://cryptomator.org/img/sponsors/ente.svg" alt="Ente" height="58"></a></td>
     </tr>
   </tbody>
 </table>
@@ -85,7 +86,7 @@ For more information on the security details visit [cryptomator.org](https://doc
 
 ### Dependencies
 
-* JDK 19 (e.g. temurin)
+* JDK 21 (e.g. temurin, zulu)
 * Maven 3
 
 ### Run Maven

dist/linux/appimage/build.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 cd $(dirname $0)
 REVISION_NO=`git rev-list --count HEAD`
@@ -7,9 +8,13 @@ REVISION_NO=`git rev-list --count HEAD`
 if [ -z "${JAVA_HOME}" ]; then echo "JAVA_HOME not set. Run using JAVA_HOME=/path/to/jdk ./build.sh"; exit 1; fi
 command -v mvn >/dev/null 2>&1 || { echo >&2 "mvn not found."; exit 1; }
 command -v curl >/dev/null 2>&1 || { echo >&2 "curl not found."; exit 1; }
+command -v unzip >/dev/null 2>&1 || { echo >&2 "unzip not found."; exit 1; }
 
 VERSION=$(mvn -f ../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout)
 SEMVER_STR=${VERSION}
+MACHINE_TYPE=$(uname -m)
+
+if [[ ! "${MACHINE_TYPE}" =~ x86_64|aarch64 ]]; then echo "Platform ${MACHINE_TYPE} not supported"; exit 1; fi
 
 mvn -f ../../../pom.xml versions:set -DnewVersion=${SEMVER_STR}
 
@@ -18,17 +23,45 @@ mvn -B -f ../../../pom.xml clean package -Plinux -DskipTests
 cp ../../../LICENSE.txt ../../../target
 cp ../../../target/cryptomator-*.jar ../../../target/mods
 
+
+# download javaFX jmods
+OPENJFX_URL='https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-x64_bin-jmods.zip'
+OPENJFX_SHA='7baed11ca56d5fee85995fa6612d4299f1e8b7337287228f7f12fd50407c56f8'
+OPENJFX_URL_aarch64='https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_linux-aarch64_bin-jmods.zip'
+OPENJFX_SHA_aarch64='871e7b9d7af16aef2e55c1b7830d0e0b2503b13dd8641374ba7e55ecb81d2ef9'
+
+if [[ "${MACHINE_TYPE}" = "aarch64" ]]; then
+	OPENJFX_URL="${OPENJFX_URL_aarch64}";
+	OPENJFX_SHA="${OPENJFX_SHA_aarch64}";
+fi
+
+curl -L ${OPENJFX_URL} -o openjfx-jmods.zip
+echo "${OPENJFX_SHA}  openjfx-jmods.zip" | shasum -a256 --check
+mkdir -p openjfx-jmods
+unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
+JMOD_VERSION=${JMOD_VERSION#*@}
+JMOD_VERSION=${JMOD_VERSION%%.*}
+POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+POM_JFX_VERSION=${POM_JFX_VERSION#*@}
+POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
+if [ $POM_JFX_VERSION -ne $JMOD_VERSION_AMD64 ]; then
+	>&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != amd64 jmod version (${JMOD_VERSION})"
+	exit 1
+fi
+
+
 # add runtime
 ${JAVA_HOME}/bin/jlink \
     --verbose \
     --output runtime \
-    --module-path "${JAVA_HOME}/jmods" \
+    --module-path "${JAVA_HOME}/jmods:openjfx-jmods" \
     --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net \
     --strip-native-commands \
     --no-header-files \
     --no-man-pages \
     --strip-debug \
-    --compress=1
+    --compress zip-0
 
 # create app dir
 envsubst '${SEMVER_STR} ${REVISION_NUM}' < ../launcher-gtk2.properties > launcher-gtk2.properties
@@ -44,7 +77,7 @@ ${JAVA_HOME}/bin/jpackage \
     --vendor "Skymatic GmbH" \
     --java-options "--enable-preview" \
     --java-options "--enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-    --copyright "(C) 2016 - 2023 Skymatic GmbH" \
+    --copyright "(C) 2016 - 2024 Skymatic GmbH" \
     --java-options "-Xss5m" \
     --java-options "-Xmx256m" \
     --app-version "${VERSION}.${REVISION_NO}" \
@@ -83,17 +116,17 @@ ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.App
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
 
 # load AppImageTool
-curl -L https://github.com/AppImage/AppImageKit/releases/download/13/appimagetool-x86_64.AppImage -o /tmp/appimagetool.AppImage
+curl -L https://github.com/AppImage/AppImageKit/releases/download/13/appimagetool-${MACHINE_TYPE}.AppImage -o /tmp/appimagetool.AppImage
 chmod +x /tmp/appimagetool.AppImage
 
 # create AppImage
 /tmp/appimagetool.AppImage \
     Cryptomator.AppDir \
-    cryptomator-${SEMVER_STR}-x86_64.AppImage  \
-    -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-x86_64.AppImage.zsync'
+    cryptomator-${SEMVER_STR}-${MACHINE_TYPE}.AppImage  \
+    -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${MACHINE_TYPE}.AppImage.zsync'
 
 echo ""
-echo "Done. AppImage successfully created: cryptomator-${SEMVER_STR}-x86_64.AppImage"
+echo "Done. AppImage successfully created: cryptomator-${SEMVER_STR}-${MACHINE_TYPE}.AppImage"
+echo ""
+echo >&2 "To clean up, run: rm -rf Cryptomator.AppDir appdir runtime squashfs-root openjfx-jmods; rm launcher-gtk2.properties /tmp/appimagetool.AppImage openjfx-jmods.zip"
 echo ""
-echo >&2 "To clean up, run: rm -rf Cryptomator.AppDir appdir jni runtime squashfs-root; rm launcher-gtk2.properties /tmp/appimagetool.AppImage"
-echo ""

dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml

@@ -66,6 +66,11 @@
 	</content_rating>
 
 	<releases>
+		<release date="2024-02-09" version="1.12.2"/>
+		<release date="2024-02-07" version="1.12.1"/>
+		<release date="2024-02-06" version="1.12.0"/>
+		<release date="2023-12-05" version="1.11.1"/>
+		<release date="2023-11-08" version="1.11.0"/>
 		<release date="2023-09-20" version="1.10.1"/>
 		<release date="2023-09-11" version="1.10.0"/>
 		<release date="2023-08-11" version="1.9.4"/>

dist/linux/debian/control

@@ -2,7 +2,7 @@ Source: cryptomator
 Maintainer: Cryptobot <releases@cryptomator.org>
 Section: utils
 Priority: optional
-Build-Depends: debhelper (>=10), coffeelibs-jdk-20, libgtk2.0-0, libgtk-3-0,  libxxf86vm1, libgl1
+Build-Depends: debhelper (>=10), coffeelibs-jdk-21 (>= 21.0.2+12-0ppa1), libgtk2.0-0, libgtk-3-0,  libxxf86vm1, libgl1
 Standards-Version: 4.5.0
 Homepage: https://cryptomator.org
 Vcs-Git: https://github.com/cryptomator/cryptomator.git

dist/linux/debian/copyright

@@ -4,11 +4,11 @@ Upstream-Contact: Cryptomator <info@cryptomator.org>
 Source: https://cryptomator.org
 
 Files: *
-Copyright: 2016-2023 Skymatic GmbH
+Copyright: 2016-2024 Skymatic GmbH
 License: GPL-3+
 
 Files: debian/org.cryptomator.Cryptomator.appdata.xml
-Copyright: 2016-2023 Skymatic GmbH
+Copyright: 2016-2024 Skymatic GmbH
 License: FSFAP
 
 License: GPL-3+

dist/linux/debian/rules

@@ -4,7 +4,7 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
-JAVA_HOME = /usr/lib/jvm/java-20-coffeelibs
+JAVA_HOME = /usr/lib/jvm/java-21-coffeelibs
 DEB_BUILD_ARCH ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
 ifeq ($(DEB_BUILD_ARCH),amd64)
 JMODS_PATH = jmods/amd64:${JAVA_HOME}/jmods
@@ -24,6 +24,7 @@ override_dh_auto_clean:
 override_dh_auto_build:
 	mkdir resources
 	ln -s ../common/org.cryptomator.Cryptomator512.png resources/cryptomator.png
+# Remark: no compression is applied for improved build compression later (here deb)
 	$(JAVA_HOME)/bin/jlink \
 		--output runtime \
 		--module-path "${JMODS_PATH}" \
@@ -32,7 +33,7 @@ override_dh_auto_build:
 		--no-header-files \
 		--no-man-pages \
 		--strip-debug \
-		--compress=2
+		--compress zip-0
 	$(JAVA_HOME)/bin/jpackage \
 		--type app-image \
 		--runtime-image runtime \
@@ -44,7 +45,7 @@ override_dh_auto_build:
 		--vendor "Skymatic GmbH" \
 		--java-options "--enable-preview" \
 		--java-options "--enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-		--copyright "(C) 2016 - 2023 Skymatic GmbH" \
+		--copyright "(C) 2016 - 2024 Skymatic GmbH" \
 		--java-options "-Xss5m" \
 		--java-options "-Xmx256m" \
 		--java-options "-Dfile.encoding=\"utf-8\"" \

dist/mac/dmg/build.sh

@@ -21,7 +21,7 @@ rm -rf runtime dmg *.app *.dmg
 # set variables
 APP_NAME="Cryptomator"
 VENDOR="Skymatic GmbH"
-COPYRIGHT_YEARS="2016 - 2023"
+COPYRIGHT_YEARS="2016 - 2024"
 PACKAGE_IDENTIFIER="org.cryptomator"
 MAIN_JAR_GLOB="cryptomator-*.jar"
 MODULE_AND_MAIN_CLASS="org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator"
@@ -35,7 +35,7 @@ if [ "$(machine)" = "arm64e" ]; then
 else
     ARCH="x64"
 fi
-OPENJFX_JMODS="https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_osx-${ARCH}_bin-jmods.zip"
+OPENJFX_JMODS="https://download2.gluonhq.com/openjfx/21.0.1/openjfx-21.0.1_osx-${ARCH}_bin-jmods.zip"
 
 # check preconditions
 if [ -z "${JAVA_HOME}" ]; then echo "JAVA_HOME not set. Run using JAVA_HOME=/path/to/jdk ./build.sh"; exit 1; fi
@@ -49,21 +49,22 @@ fi
 # download and check jmods
 curl -L ${OPENJFX_JMODS} -o openjfx-jmods.zip
 mkdir -p openjfx-jmods/
-unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods/
+unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
 JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
 JMOD_VERSION=${JMOD_VERSION#*@}
 JMOD_VERSION=${JMOD_VERSION%%.*}
-POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+POM_JFX_VERSION=$(mvn -f../../../pom.xml help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
 POM_JFX_VERSION=${POM_JFX_VERSION#*@}
 POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
 
-if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then
->&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
-exit 1
+if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
+    >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
+    exit 1
 fi
 
 # compile
 mvn -B -f../../../pom.xml clean package -DskipTests -Pmac
+cp ../../../LICENSE.txt ../../../target
 cp ../../../target/${MAIN_JAR_GLOB} ../../../target/mods
 
 # add runtime
@@ -75,7 +76,7 @@ ${JAVA_HOME}/bin/jlink \
     --no-header-files \
     --no-man-pages \
     --strip-debug \
-    --compress=1
+    --compress zip-0
 
 # create app dir
 ${JAVA_HOME}/bin/jpackage \
@@ -168,6 +169,5 @@ create-dmg \
     --app-drop-link 512 245 \
     --eula "resources/license.rtf" \
     --icon ".background" 128 758 \
-    --icon ".fseventsd" 320 758 \
     --icon ".VolumeIcon.icns" 512 758 \
     ${APP_NAME}-${VERSION_NO}.dmg dmg

dist/mac/dmg/resources/licenseTemplate.ftl

@@ -17,7 +17,7 @@
 \f1\b0 \
 \
 
-\f0\b \'a9 2016 \'96 2023 Skymatic GmbH
+\f0\b \'a9 2016 \'96 2024 Skymatic GmbH
 \f1\b0 \
 \
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.\

dist/win/.gitignore

@@ -4,4 +4,6 @@ installer
 *.wixobj
 *.pdb
 *.msi
+*.exe
+*.jmod
 license.rtf

dist/win/build.ps1

@@ -51,9 +51,9 @@ if ($clean -and (Test-Path -Path $runtimeImagePath)) {
 }
 
 ## download jfx jmods
-$jmodsVersion='20.0.2'
+$jmodsVersion='21.0.1'
 $jmodsUrl = "https://download2.gluonhq.com/openjfx/${jmodsVersion}/openjfx-${jmodsVersion}_windows-x64_bin-jmods.zip"
-$jfxJmodsChecksum = '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'
+$jfxJmodsChecksum = 'daf8acae631c016c24cfe23f88469400274d3441dd890615a42dfb501f3eb94a'
 $jfxJmodsZip = '.\resources\jfxJmods.zip'
 if( !(Test-Path -Path $jfxJmodsZip) ) {
 	Write-Output "Downloading ${jmodsUrl}..."
@@ -63,12 +63,13 @@ if( !(Test-Path -Path $jfxJmodsZip) ) {
 $jmodsChecksumActual = $(Get-FileHash -Path $jfxJmodsZip -Algorithm SHA256).Hash
 if( $jmodsChecksumActual -ne $jfxJmodsChecksum ) {
 	Write-Error "Checksum mismatch for jfxJmods.zip. Expected: $jfxJmodsChecksum, actual: $jmodsChecksumActual"
-	exit 1;	
+	exit 1;
 }
-Expand-Archive -Path $jfxJmodsZip -DestinationPath ".\resources\"
+Expand-Archive -Path $jfxJmodsZip -Force -DestinationPath ".\resources\"
+Remove-Item -Recurse -Force -Path ".\resources\javafx-jmods"
 Move-Item -Force -Path ".\resources\javafx-jmods-*" -Destination ".\resources\javafx-jmods" -ErrorAction Stop
 
-
+## create custom runtime
 & "$Env:JAVA_HOME\bin\jlink" `
 	--verbose `
 	--output runtime `
@@ -78,7 +79,7 @@ Move-Item -Force -Path ".\resources\javafx-jmods-*" -Destination ".\resources\ja
 	--no-header-files `
 	--no-man-pages `
 	--strip-debug `
-	--compress=1
+	--compress "zip-0" #do not compress to have improved msi compression
 
 $appPath = ".\$AppName"
 if ($clean -and (Test-Path -Path $appPath)) {
@@ -143,6 +144,7 @@ try {
 
 # create .msi
 $Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources"
+$Env:JP_WIXHELPER_DIR = "."
 & "$Env:JAVA_HOME\bin\jpackage" `
 	--verbose `
 	--type msi `
@@ -174,10 +176,15 @@ $Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources"
  "-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges"
 
 # download Winfsp
-$winfspMsiUrl= (Select-String -Path ".\bundle\resources\winFspMetaData.wxi" -Pattern '<\?define BundledWinFspDownloadLink="(.+)".*?>').Matches.Groups[1].Value
+$winfspMsiUrl= 'https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-2.0.23075.msi'
 Write-Output "Downloading ${winfspMsiUrl}..."
 Invoke-WebRequest $winfspMsiUrl -OutFile ".\bundle\resources\winfsp.msi" # redirects are followed by default
 
+# download legacy-winfsp uninstaller
+$winfspUninstaller= 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
+Write-Output "Downloading ${winfspUninstaller}..."
+Invoke-WebRequest $winfspUninstaller -OutFile ".\bundle\resources\winfsp-uninstaller.exe" # redirects are followed by default
+
 # copy MSI to bundle resources
 Copy-Item ".\installer\$AppName-*.msi" -Destination ".\bundle\resources\$AppName.msi"
 

dist/win/bundle/bundleWithWinfsp.wxs

@@ -1,5 +1,6 @@
 <?xml version="1.0"?>
 
+<!-- For Built in variables, see https://wixtoolset.org/docs/tools/burn/builtin-variables/-->
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:bal="http://schemas.microsoft.com/wix/BalExtension" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
     <!-- see https://wixtoolset.org/documentation/manual/v3/xsd/wix/bundle.html-->
     <!-- Attributes explicitly not used:
@@ -10,21 +11,10 @@
      AboutUrl="$(var.AboutUrl)" HelpUrl="$(var.HelpUrl)" UpdateUrl="$(var.UpdateUrl)" Copyright="$(var.BundleCopyright)" IconSourceFile="bundle\resources\Cryptomator.ico">
 
         <!-- detect outdated WinFsp installations -->
-        <?include "resources\winFspMetaData.wxi" ?>
         <util:ProductSearch
-            Variable="InstalledWinFspVersion"
+            Variable="InstalledLegacyWinFspVersion"
             Result="version"
-            UpgradeCode="82F812D9-4083-4EF1-8BC8-0F1EDA05B46B"
-        />
-        <!-- Note: The bundle engine takes the Message format literaly -->
-        <bal:Condition Message=
-"The WinFsp driver used by Cryptomator is outdated and must be removed before the installation.
-
-1. Open the view of installed apps
-2. Search for &quot;WinFsp&quot;
-3. Uninstall the listed application
-4. Reboot your device
-5. Restart this installer">(InstalledWinFspVersion = v0.0.0.0) OR ($(var.BundledWinFspVersion) &lt;= InstalledWinFspVersion)</bal:Condition>
+            UpgradeCode="82F812D9-4083-4EF1-8BC8-0F1EDA05B46B"/>
 
         <!-- for definition of the standard themes, see https://github.com/wixtoolset/wix3/blob/master/src/ext/BalExtension/wixstdba/Resources/-->
         <BootstrapperApplicationRef Id="WixStandardBootstrapperApplication.RtfLargeLicense">
@@ -36,26 +26,41 @@
                 SuppressOptionsUI="yes"
                 ThemeFile="bundle\customBootstrapperTheme.xml"
                 LocalizationFile="bundle\customBootstrapperTheme.wxl"
-                LogoFile="bundle\resources\logo.png"
-            />
+                LogoFile="bundle\resources\logo.png"/>
             <Payload SourceFile="bundle\resources\logoSide.png" />
         </BootstrapperApplicationRef>
+
         <Chain>
+            <ExePackage Cache="yes" PerMachine="yes" Permanent="no"
+              SourceFile="resources\winfsp-uninstaller.exe"
+              DisplayName="Removing outdated WinFsp Driver"
+              Description="Executable to remove old winfsp"
+              DetectCondition="false"
+              InstallCondition="(InstalledLegacyWinFspVersion &lt;&gt; v0.0.0.0) AND ((WixBundleAction = 7) OR (WixBundleAction = 5))">
+                <CommandLine Condition="WixBundleUILevel &lt;= 3" InstallArgument="-q -l &quot;[WixBundleLog].winfsp-uninstaller.log&quot;" RepairArgument="-q" UninstallArgument="-s" />
+                <!-- XML allows line breaks in attributes, hence keep the line breaks here -->
+                <CommandLine Condition="WixBundleUILevel &gt; 3" InstallArgument="-l &quot;[WixBundleLog].winfsp-uninstaller.log&quot; -t &quot;Cryptomator Installer&quot; -m &quot;Cryptomator requires a newer version of the WinFsp driver. The installer will now uninstall WinFsp, possibly reboot, and afterwards proceed with the installation.
+
+Do you want to continue?&quot;" RepairArgument="-q" UninstallArgument="-s" />
+                <ExitCode Behavior="success" Value="0"/>
+                <ExitCode Behavior="success" Value="1"/>
+                <ExitCode Behavior="error" Value="2"/>
+                <ExitCode Behavior="error" Value="3"/>
+                <ExitCode Behavior="forceReboot" Value="4"/>
+                <ExitCode Behavior="success" Value="5"/>
+            </ExePackage>
             <!-- see https://wixtoolset.org/documentation/manual/v3/xsd/wix/msipackage.html-->
             <MsiPackage
                 SourceFile="resources\Cryptomator.msi"
                 CacheId="cryptomator-bundle-cryptomator"
                 DisplayInternalUI="no"
-                Visible="no"
-            />
+                Visible="no"/>
             <MsiPackage
                 SourceFile="resources\winfsp.msi"
                 CacheId="cryptomator-bundle-winfsp"
                 Visible="yes"
                 DisplayInternalUI="no"
-                Vital="no"
-                Permanent="yes"
-            />
+                Permanent="yes"/>
         </Chain>
     </Bundle>
 </Wix>

dist/win/bundle/resources/licenseTemplate.ftl

@@ -10,7 +10,7 @@
 \vieww12000\viewh15840\viewkind0
 \pard\tx283\tx567\tx850\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\b\fs16\lang7 Cryptomator is distributed under the GPLv3 License, found below. Please see the bottom of this document for any other license applicable to code used within Cryptomator.\b0\par
 \par
-\b\'a9 2016 \'96 2023 Skymatic GmbH \b0\par
+\b\'a9 2016 \'96 2024 Skymatic GmbH \b0\par
 \par
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.\par
 \par

dist/win/bundle/resources/winFspMetaData.wxi

@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-
-<Include xmlns="http://schemas.microsoft.com/wix/2006/wi">
-  <!-- A version number MUST be prefixed with letter "v", otherwise it is considered a normal string -->
-  <?define BundledWinFspVersion="v1.12.22339" ?>
-  <?define BundledWinFspDownloadLink="https://github.com/winfsp/winfsp/releases/download/v1.12.22339/winfsp-1.12.22339.msi" ?> <!-- Only used by external build scripts -->
-</Include>

dist/win/resources/licenseTemplate.ftl

@@ -10,7 +10,7 @@
 \vieww12000\viewh15840\viewkind0
 \pard\tx283\tx567\tx850\tx2267\tx2834\tx3401\tx3968\tx4535\tx5102\tx5669\tx6236\tx6803\b\fs16\lang7 Cryptomator is distributed under the GPLv3 License, found below. Please see the bottom of this document for any other license applicable to code used within Cryptomator.\b0\par
 \par
-\b\'a9 2016 \'96 2023 Skymatic GmbH \b0\par
+\b\'a9 2016 \'96 2024 Skymatic GmbH \b0\par
 \par
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.\par
 \par

dist/win/resources/main.wxs

@@ -70,7 +70,7 @@
     <CustomAction Id="JpDisallowDowngrade" Error="!(loc.DowngradeErrorMessage)" />
     <?endif?>
 
-    <Binary Id="JpCaDll" SourceFile="wixhelper.dll"/>
+    <Binary Id="JpCaDll" SourceFile="$(env.JP_WIXHELPER_DIR)\wixhelper.dll"/>
     <CustomAction Id="JpFindRelatedProducts" BinaryKey="JpCaDll" DllEntry="FindRelatedProductsEx" />
 
     <?ifndef SkipCryptomatorLegacyCheck ?>

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.10.1</version>
+	<version>1.12.2</version>
 	<name>Cryptomator Desktop App</name>
 
 	<organization>
@@ -26,51 +26,51 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<project.jdk.version>20</project.jdk.version>
+		<project.jdk.version>21</project.jdk.version>
 
 		<!-- Group IDs of jars that need to stay on the class path for now -->
 		<!-- remove them, as soon they got modularized or support is dropped (i.e., WebDAV) -->
 		<nonModularGroupIds>org.ow2.asm,org.apache.jackrabbit,org.apache.httpcomponents</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.6.7</cryptomator.cryptofs.version>
+		<cryptomator.cryptofs.version>2.6.8</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.3.0</cryptomator.integrations.version>
-		<cryptomator.integrations.win.version>1.2.3</cryptomator.integrations.win.version>
-		<cryptomator.integrations.mac.version>1.2.2</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.3.0</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>3.0.0</cryptomator.fuse.version>
+		<cryptomator.integrations.win.version>1.2.5</cryptomator.integrations.win.version>
+		<cryptomator.integrations.mac.version>1.2.3</cryptomator.integrations.mac.version>
+		<cryptomator.integrations.linux.version>1.4.4</cryptomator.integrations.linux.version>
+		<cryptomator.fuse.version>4.0.0</cryptomator.fuse.version>
 		<cryptomator.dokany.version>2.0.0</cryptomator.dokany.version>
-		<cryptomator.webdav.version>2.0.4</cryptomator.webdav.version>
+		<cryptomator.webdav.version>2.0.6</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
-		<commons-lang3.version>3.13.0</commons-lang3.version>
-		<dagger.version>2.48</dagger.version>
+		<commons-lang3.version>3.14.0</commons-lang3.version>
+		<dagger.version>2.50</dagger.version>
 		<easybind.version>2.2</easybind.version>
-		<guava.version>32.1.2-jre</guava.version>
-		<jackson.version>2.15.2</jackson.version>
-		<javafx.version>20.0.2</javafx.version>
+		<guava.version>33.0.0-jre</guava.version>
+		<jackson.version>2.16.1</jackson.version>
+		<javafx.version>21.0.1</javafx.version>
 		<jwt.version>4.4.0</jwt.version>
-		<nimbus-jose.version>9.31</nimbus-jose.version>
-		<logback.version>1.4.11</logback.version>
-		<slf4j.version>2.0.9</slf4j.version>
-		<tinyoauth2.version>0.6.0</tinyoauth2.version>
+		<nimbus-jose.version>9.37.3</nimbus-jose.version>
+		<logback.version>1.4.14</logback.version>
+		<slf4j.version>2.0.11</slf4j.version>
+		<tinyoauth2.version>0.8.0</tinyoauth2.version>
 		<zxcvbn.version>1.8.2</zxcvbn.version>
 
 		<!-- test dependencies -->
-		<junit.jupiter.version>5.10.0</junit.jupiter.version>
-		<mockito.version>5.5.0</mockito.version>
+		<junit.jupiter.version>5.10.2</junit.jupiter.version>
+		<mockito.version>5.10.0</mockito.version>
 		<hamcrest.version>2.2</hamcrest.version>
 
 		<!-- build-time dependencies -->
-		<jetbrains.annotations.version>24.0.1</jetbrains.annotations.version>
-		<dependency-check.version>8.4.0</dependency-check.version>
-		<jacoco.version>0.8.10</jacoco.version>
-		<license-generator.version>2.2.0</license-generator.version>
+		<jetbrains.annotations.version>24.1.0</jetbrains.annotations.version>
+		<dependency-check.version>9.0.9</dependency-check.version>
+		<jacoco.version>0.8.11</jacoco.version>
+		<license-generator.version>2.4.0</license-generator.version>
 		<junit-tree-reporter.version>1.2.1</junit-tree-reporter.version>
-		<mvn-compiler.version>3.11.0</mvn-compiler.version>
+		<mvn-compiler.version>3.12.1</mvn-compiler.version>
 		<mvn-resources.version>3.3.1</mvn-resources.version>
-		<mvn-dependency.version>3.6.0</mvn-dependency.version>
-		<mvn-surefire.version>3.1.2</mvn-surefire.version>
+		<mvn-dependency.version>3.6.1</mvn-dependency.version>
+		<mvn-surefire.version>3.2.5</mvn-surefire.version>
 		<mvn-jar.version>3.3.0</mvn-jar.version>
 	</properties>
 
@@ -460,17 +460,19 @@
 						<groupId>org.owasp</groupId>
 						<artifactId>dependency-check-maven</artifactId>
 						<configuration>
-							<cveValidForHours>24</cveValidForHours>
+							<nvdValidForHours>24</nvdValidForHours>
 							<failBuildOnCVSS>0</failBuildOnCVSS>
 							<skipTestScope>true</skipTestScope>
 							<detail>true</detail>
 							<suppressionFile>suppression.xml</suppressionFile>
+							<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
 						</configuration>
 						<executions>
 							<execution>
 								<goals>
 									<goal>check</goal>
 								</goals>
+								<phase>validate</phase>
 							</execution>
 						</executions>
 					</plugin>

src/main/java/org/cryptomator/common/CommonsModule.java

@@ -5,10 +5,8 @@
  *******************************************************************************/
 package org.cryptomator.common;
 
-import com.tobiasdiez.easybind.EasyBind;
 import dagger.Module;
 import dagger.Provides;
-import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.keychain.KeychainModule;
 import org.cryptomator.common.mount.MountModule;
 import org.cryptomator.common.settings.Settings;
@@ -22,8 +20,6 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Named;
 import javax.inject.Singleton;
-import javafx.beans.value.ObservableValue;
-import java.net.InetSocketAddress;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Comparator;
@@ -136,13 +132,4 @@ public abstract class CommonsModule {
 		LOG.error("Uncaught exception in " + thread.getName(), throwable);
 	}
 
-	@Provides
-	@Singleton
-	static ObservableValue<InetSocketAddress> provideServerSocketAddressBinding(Settings settings) {
-		return settings.port.map(port -> {
-			String host = SystemUtils.IS_OS_WINDOWS ? "127.0.0.1" : "localhost";
-			return InetSocketAddress.createUnresolved(host, settings.port.intValue());
-		});
-	}
-
 }

src/main/java/org/cryptomator/common/locationpresets/OneDriveWindowsLocationPresetsProvider.java

@@ -62,7 +62,7 @@ public final class OneDriveWindowsLocationPresetsProvider implements LocationPre
 		ProcessBuilder command = new ProcessBuilder(args);
 		Process p = command.start();
 		waitForSuccess(p, 3, "`reg query`");
-		return p.inputReader(StandardCharsets.UTF_8).lines().filter(outputFilter);
+		return p.inputReader(StandardCharsets.ISO_8859_1).lines().filter(outputFilter);
 	}
 
 

src/main/java/org/cryptomator/common/mount/ActualMountService.java

@@ -1,6 +0,0 @@
-package org.cryptomator.common.mount;
-
-import org.cryptomator.integrations.mount.MountService;
-
-public record ActualMountService(MountService service, boolean isDesired) {
-}

src/main/java/org/cryptomator/common/mount/ConflictingMountServiceException.java

@@ -0,0 +1,14 @@
+package org.cryptomator.common.mount;
+
+import org.cryptomator.integrations.mount.MountFailedException;
+
+/**
+ * Thrown by {@link Mounter} to indicate that the selected mount service can not be used
+ * due to incompatibilities with a different mount service that is already in use.
+ */
+public class ConflictingMountServiceException extends MountFailedException {
+
+	public ConflictingMountServiceException(String msg) {
+		super(msg);
+	}
+}

src/main/java/org/cryptomator/common/mount/MountModule.java

@@ -4,21 +4,18 @@ import dagger.Module;
 import dagger.Provides;
 import org.cryptomator.common.ObservableUtil;
 import org.cryptomator.common.settings.Settings;
-import org.cryptomator.integrations.mount.Mount;
 import org.cryptomator.integrations.mount.MountService;
 
 import javax.inject.Named;
 import javax.inject.Singleton;
 import javafx.beans.value.ObservableValue;
 import java.util.List;
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
 
 @Module
 public class MountModule {
 
-	private static final AtomicReference<MountService> formerSelectedMountService = new AtomicReference<>(null);
-	private static final List<String> problematicFuseMountServices = List.of("org.cryptomator.frontend.fuse.mount.MacFuseMountProvider", "org.cryptomator.frontend.fuse.mount.FuseTMountProvider");
-
 	@Provides
 	@Singleton
 	static List<MountService> provideSupportedMountServices() {
@@ -27,46 +24,18 @@ public class MountModule {
 
 	@Provides
 	@Singleton
-	@Named("FUPFMS")
-	static AtomicReference<MountService> provideFirstUsedProblematicFuseMountService() {
-		return new AtomicReference<>(null);
+	static ObservableValue<MountService> provideDefaultMountService(List<MountService> mountProviders, Settings settings) {
+		var fallbackProvider = mountProviders.stream().findFirst().get(); //there should always be a mount provider, at least webDAV
+		return ObservableUtil.mapWithDefault(settings.mountService, //
+				serviceName -> mountProviders.stream().filter(s -> s.getClass().getName().equals(serviceName)).findFirst().orElse(fallbackProvider), //
+				fallbackProvider);
 	}
 
 	@Provides
 	@Singleton
-	static ObservableValue<ActualMountService> provideMountService(Settings settings, List<MountService> serviceImpls, @Named("FUPFMS") AtomicReference<MountService> fupfms) {
-		var fallbackProvider = serviceImpls.stream().findFirst().orElse(null);
-
-		var observableMountService = ObservableUtil.mapWithDefault(settings.mountService, //
-				desiredServiceImpl -> { //
-					var serviceFromSettings = serviceImpls.stream().filter(serviceImpl -> serviceImpl.getClass().getName().equals(desiredServiceImpl)).findAny(); //
-					var targetedService = serviceFromSettings.orElse(fallbackProvider);
-					return applyWorkaroundForProblematicFuse(targetedService, serviceFromSettings.isPresent(), fupfms);
-				}, //
-				() -> { //
-					return applyWorkaroundForProblematicFuse(fallbackProvider, true, fupfms);
-				});
-		return observableMountService;
+	@Named("usedMountServices")
+	static Set<MountService> provideSetOfUsedMountServices() {
+		return ConcurrentHashMap.newKeySet();
 	}
 
-	//see https://github.com/cryptomator/cryptomator/issues/2786
-	private synchronized static ActualMountService applyWorkaroundForProblematicFuse(MountService targetedService, boolean isDesired, AtomicReference<MountService> firstUsedProblematicFuseMountService) {
-		//set the first used problematic fuse service if applicable
-		var targetIsProblematicFuse = isProblematicFuseService(targetedService);
-		if (targetIsProblematicFuse && firstUsedProblematicFuseMountService.get() == null) {
-			firstUsedProblematicFuseMountService.set(targetedService);
-		}
-
-		//do not use the targeted mount service and fallback to former one, if the service is problematic _and_ not the first problematic one used.
-		if (targetIsProblematicFuse && !firstUsedProblematicFuseMountService.get().equals(targetedService)) {
-			return new ActualMountService(formerSelectedMountService.get(), false);
-		} else {
-			formerSelectedMountService.set(targetedService);
-			return new ActualMountService(targetedService, isDesired);
-		}
-	}
-
-	public static boolean isProblematicFuseService(MountService service) {
-		return problematicFuseMountServices.contains(service.getClass().getName());
-	}
-}
+}

src/main/java/org/cryptomator/common/mount/Mounter.java

@@ -9,11 +9,15 @@ import org.cryptomator.integrations.mount.MountFailedException;
 import org.cryptomator.integrations.mount.MountService;
 
 import javax.inject.Inject;
+import javax.inject.Named;
 import javax.inject.Singleton;
 import javafx.beans.value.ObservableValue;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 import static org.cryptomator.integrations.mount.MountCapability.MOUNT_AS_DRIVE_LETTER;
 import static org.cryptomator.integrations.mount.MountCapability.MOUNT_TO_EXISTING_DIR;
@@ -24,24 +28,39 @@ import static org.cryptomator.integrations.mount.MountCapability.UNMOUNT_FORCED;
 @Singleton
 public class Mounter {
 
-	private final Settings settings;
+	// mount providers (key) can not be used if any of the conflicting mount providers (values) are already in use
+	private static final Map<String, Set<String>> CONFLICTING_MOUNT_SERVICES = Map.of(
+			"org.cryptomator.frontend.fuse.mount.MacFuseMountProvider", Set.of("org.cryptomator.frontend.fuse.mount.FuseTMountProvider"),
+			"org.cryptomator.frontend.fuse.mount.FuseTMountProvider", Set.of("org.cryptomator.frontend.fuse.mount.MacFuseMountProvider")
+	);
+
 	private final Environment env;
+	private final Settings settings;
 	private final WindowsDriveLetters driveLetters;
-	private final ObservableValue<ActualMountService> mountServiceObservable;
+	private final List<MountService> mountProviders;
+	private final Set<MountService> usedMountServices;
+	private final ObservableValue<MountService> defaultMountService;
 
 	@Inject
-	public Mounter(Settings settings, Environment env, WindowsDriveLetters driveLetters, ObservableValue<ActualMountService> mountServiceObservable) {
-		this.settings = settings;
+	public Mounter(Environment env, //
+				   Settings settings, //
+				   WindowsDriveLetters driveLetters, //
+				   List<MountService> mountProviders, //
+				   @Named("usedMountServices") Set<MountService> usedMountServices, //
+				   ObservableValue<MountService> defaultMountService) {
 		this.env = env;
+		this.settings = settings;
 		this.driveLetters = driveLetters;
-		this.mountServiceObservable = mountServiceObservable;
+		this.mountProviders = mountProviders;
+		this.usedMountServices = usedMountServices;
+		this.defaultMountService = defaultMountService;
 	}
 
 	private class SettledMounter {
 
-		private MountService service;
-		private MountBuilder builder;
-		private VaultSettings vaultSettings;
+		private final MountService service;
+		private final MountBuilder builder;
+		private final VaultSettings vaultSettings;
 
 		public SettledMounter(MountService service, MountBuilder builder, VaultSettings vaultSettings) {
 			this.service = service;
@@ -53,8 +72,13 @@ public class Mounter {
 			for (var capability : service.capabilities()) {
 				switch (capability) {
 					case FILE_SYSTEM_NAME -> builder.setFileSystemName("cryptoFs");
-					case LOOPBACK_PORT ->
-							builder.setLoopbackPort(settings.port.get()); //TODO: move port from settings to vaultsettings (see https://github.com/cryptomator/cryptomator/tree/feature/mount-setting-per-vault)
+					case LOOPBACK_PORT -> {
+						if (vaultSettings.mountService.getValue() == null) {
+							builder.setLoopbackPort(settings.port.get());
+						} else {
+							builder.setLoopbackPort(vaultSettings.port.get());
+						}
+					}
 					case LOOPBACK_HOST_NAME -> env.getLoopbackAlias().ifPresent(builder::setLoopbackHostName);
 					case READ_ONLY -> builder.setReadOnly(vaultSettings.usesReadOnlyMode.get());
 					case MOUNT_FLAGS -> {
@@ -131,13 +155,26 @@ public class Mounter {
 	}
 
 	public MountHandle mount(VaultSettings vaultSettings, Path cryptoFsRoot) throws IOException, MountFailedException {
-		var mountService = this.mountServiceObservable.getValue().service();
+		var mountService = mountProviders.stream().filter(s -> s.getClass().getName().equals(vaultSettings.mountService.getValue())).findFirst().orElse(defaultMountService.getValue());
+
+		if (isConflictingMountService(mountService)) {
+			var msg = STR."\{mountService.getClass()} unavailable due to conflict with either of \{CONFLICTING_MOUNT_SERVICES.get(mountService.getClass().getName())}";
+			throw new ConflictingMountServiceException(msg);
+		}
+
+		usedMountServices.add(mountService);
+
 		var builder = mountService.forFileSystem(cryptoFsRoot);
-		var internal = new SettledMounter(mountService, builder, vaultSettings);
+		var internal = new SettledMounter(mountService, builder, vaultSettings); // FIXME: no need for an inner class
 		var cleanup = internal.prepare();
 		return new MountHandle(builder.mount(), mountService.hasCapability(UNMOUNT_FORCED), cleanup);
 	}
 
+	public boolean isConflictingMountService(MountService service) {
+		var conflictingServices = CONFLICTING_MOUNT_SERVICES.getOrDefault(service.getClass().getName(), Set.of());
+		return usedMountServices.stream().map(MountService::getClass).map(Class::getName).anyMatch(conflictingServices::contains);
+	}
+
 	public record MountHandle(Mount mountObj, boolean supportsUnmountForced, Runnable specialCleanup) {
 
 	}

src/main/java/org/cryptomator/common/settings/VaultSettings.java

@@ -8,7 +8,6 @@ package org.cryptomator.common.settings;
 import com.google.common.base.CharMatcher;
 import com.google.common.base.Strings;
 import com.google.common.io.BaseEncoding;
-import org.apache.commons.lang3.SystemUtils;
 import org.jetbrains.annotations.VisibleForTesting;
 
 import javafx.beans.Observable;
@@ -40,6 +39,7 @@ public class VaultSettings {
 	static final WhenUnlocked DEFAULT_ACTION_AFTER_UNLOCK = WhenUnlocked.ASK;
 	static final boolean DEFAULT_AUTOLOCK_WHEN_IDLE = false;
 	static final int DEFAULT_AUTOLOCK_IDLE_SECONDS = 30 * 60;
+	static final int DEFAULT_PORT = 42427;
 
 	private static final Random RNG = new Random();
 
@@ -56,6 +56,8 @@ public class VaultSettings {
 	public final IntegerProperty autoLockIdleSeconds;
 	public final ObjectProperty<Path> mountPoint;
 	public final StringExpression mountName;
+	public final StringProperty mountService;
+	public final IntegerProperty port;
 
 	VaultSettings(VaultSettingsJson json) {
 		this.id = json.id;
@@ -70,6 +72,8 @@ public class VaultSettings {
 		this.autoLockWhenIdle = new SimpleBooleanProperty(this, "autoLockWhenIdle", json.autoLockWhenIdle);
 		this.autoLockIdleSeconds = new SimpleIntegerProperty(this, "autoLockIdleSeconds", json.autoLockIdleSeconds);
 		this.mountPoint = new SimpleObjectProperty<>(this, "mountPoint", json.mountPoint == null ? null : Path.of(json.mountPoint));
+		this.mountService = new SimpleStringProperty(this, "mountService", json.mountService);
+		this.port = new SimpleIntegerProperty(this, "port", json.port);
 		// mount name is no longer an explicit setting, see https://github.com/cryptomator/cryptomator/pull/1318
 		this.mountName = StringExpression.stringExpression(Bindings.createStringBinding(() -> {
 			final String name;
@@ -95,7 +99,7 @@ public class VaultSettings {
 	}
 
 	Observable[] observables() {
-		return new Observable[]{actionAfterUnlock, autoLockIdleSeconds, autoLockWhenIdle, displayName, maxCleartextFilenameLength, mountFlags, mountPoint, path, revealAfterMount, unlockAfterStartup, usesReadOnlyMode};
+		return new Observable[]{actionAfterUnlock, autoLockIdleSeconds, autoLockWhenIdle, displayName, maxCleartextFilenameLength, mountFlags, mountPoint, path, revealAfterMount, unlockAfterStartup, usesReadOnlyMode, port, mountService};
 	}
 
 	public static VaultSettings withRandomId() {
@@ -124,6 +128,8 @@ public class VaultSettings {
 		json.autoLockWhenIdle = autoLockWhenIdle.get();
 		json.autoLockIdleSeconds = autoLockIdleSeconds.get();
 		json.mountPoint = mountPoint.map(Path::toString).getValue();
+		json.mountService = mountService.get();
+		json.port = port.get();
 		return json;
 	}
 

src/main/java/org/cryptomator/common/settings/VaultSettingsJson.java

@@ -45,6 +45,12 @@ class VaultSettingsJson {
 	@JsonProperty("autoLockIdleSeconds")
 	int autoLockIdleSeconds = VaultSettings.DEFAULT_AUTOLOCK_IDLE_SECONDS;
 
+	@JsonProperty("mountService")
+	String mountService;
+
+	@JsonProperty("port")
+	int port = VaultSettings.DEFAULT_PORT;
+
 	@Deprecated(since = "1.7.0")
 	@JsonProperty(value = "winDriveLetter", access = JsonProperty.Access.WRITE_ONLY) // WRITE_ONLY means value is "written" into the java object during deserialization. Upvote this: https://github.com/FasterXML/jackson-annotations/issues/233
 	String winDriveLetter;

src/main/java/org/cryptomator/common/vaults/Vault.java

@@ -11,7 +11,6 @@ package org.cryptomator.common.vaults;
 import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Constants;
 import org.cryptomator.common.mount.Mounter;
-import org.cryptomator.common.mount.WindowsDriveLetters;
 import org.cryptomator.common.settings.VaultSettings;
 import org.cryptomator.cryptofs.CryptoFileSystem;
 import org.cryptomator.cryptofs.CryptoFileSystemProperties;
@@ -73,7 +72,13 @@ public class Vault {
 	private final AtomicReference<Mounter.MountHandle> mountHandle = new AtomicReference<>(null);
 
 	@Inject
-	Vault(VaultSettings vaultSettings, VaultConfigCache configCache, AtomicReference<CryptoFileSystem> cryptoFileSystem, VaultState state, @Named("lastKnownException") ObjectProperty<Exception> lastKnownException, VaultStats stats, WindowsDriveLetters windowsDriveLetters, Mounter mounter) {
+	Vault(VaultSettings vaultSettings, //
+		  VaultConfigCache configCache, //
+		  AtomicReference<CryptoFileSystem> cryptoFileSystem, //
+		  VaultState state, //
+		  @Named("lastKnownException") ObjectProperty<Exception> lastKnownException, //
+		  VaultStats stats, //
+		  Mounter mounter) {
 		this.vaultSettings = vaultSettings;
 		this.configCache = configCache;
 		this.cryptoFileSystem = cryptoFileSystem;

src/main/java/org/cryptomator/logging/LogbackConfigurator.java

@@ -5,6 +5,7 @@ import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
 import ch.qos.logback.classic.spi.Configurator;
+import ch.qos.logback.classic.spi.ConfiguratorRank;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.core.Appender;
 import ch.qos.logback.core.ConsoleAppender;
@@ -19,6 +20,7 @@ import org.cryptomator.common.Environment;
 import java.nio.file.Path;
 import java.util.Map;
 
+@ConfiguratorRank(ConfiguratorRank.CUSTOM_NORMAL_PRIORITY)
 public class LogbackConfigurator extends ContextAwareBase implements Configurator {
 
 	private static final String LOG_PATTERN = "%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n";

src/main/java/org/cryptomator/ui/common/FxmlFile.java

@@ -20,10 +20,14 @@ public enum FxmlFile {
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_INVALID_LICENSE("/fxml/hub_invalid_license.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
-	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
+	HUB_LEGACY_REGISTER_DEVICE("/fxml/hub_legacy_register_device.fxml"), //
+	HUB_LEGACY_REGISTER_SUCCESS("/fxml/hub_legacy_register_success.fxml"), //
 	HUB_REGISTER_SUCCESS("/fxml/hub_register_success.fxml"), //
-	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"),
+	HUB_REGISTER_DEVICE_ALREADY_EXISTS("/fxml/hub_register_device_already_exists.fxml"), //
+	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
+	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
+	HUB_REQUIRE_ACCOUNT_INIT("/fxml/hub_require_account_init.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
@@ -41,8 +45,10 @@ public enum FxmlFile {
 	RECOVERYKEY_RESET_PASSWORD_SUCCESS("/fxml/recoverykey_reset_password_success.fxml"), //
 	RECOVERYKEY_SUCCESS("/fxml/recoverykey_success.fxml"), //
 	REMOVE_VAULT("/fxml/remove_vault.fxml"), //
+	SHARE_VAULT("/fxml/share_vault.fxml"), //
 	UPDATE_REMINDER("/fxml/update_reminder.fxml"), //
 	UNLOCK_ENTER_PASSWORD("/fxml/unlock_enter_password.fxml"),
+	UNLOCK_REQUIRES_RESTART("/fxml/unlock_requires_restart.fxml"), //
 	UNLOCK_INVALID_MOUNT_POINT("/fxml/unlock_invalid_mount_point.fxml"), //
 	UNLOCK_SELECT_MASTERKEYFILE("/fxml/unlock_select_masterkeyfile.fxml"), //
 	UNLOCK_SUCCESS("/fxml/unlock_success.fxml"), //

src/main/java/org/cryptomator/ui/controls/FontAwesome5Icon.java

@@ -47,12 +47,14 @@ public enum FontAwesome5Icon {
 	QUESTION_CIRCLE("\uf059"), //
 	REDO("\uF01E"), //
 	SEARCH("\uF002"), //
+	SHARE("\uF064"), //
 	SPINNER("\uF110"), //
 	STETHOSCOPE("\uF0f1"), //
 	SYNC("\uF021"), //
 	TIMES("\uF00D"), //
 	TRASH("\uF1F8"), //
 	UNLINK("\uf127"), //
+	USER_COG("\uf4fe"), //
 	WRENCH("\uF0AD"), //
 	WINDOW_MINIMIZE("\uF2D1"), //
 	;

src/main/java/org/cryptomator/ui/error/ErrorController.java

@@ -31,6 +31,7 @@ import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.time.Duration;
 import java.util.Comparator;
 import java.util.Map;
 import java.util.Optional;
@@ -154,6 +155,7 @@ public class ErrorController implements FxController {
 		HttpClient httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
 		HttpRequest httpRequest = HttpRequest.newBuilder()//
 				.header("User-Agent", userAgent)
+				.timeout(Duration.ofSeconds(10))
 				.uri(URI.create(ERROR_CODES_URL_FORMAT.formatted(URLEncoder.encode(errorCode.toString(),StandardCharsets.UTF_8))))//
 				.build();
 		httpClient.sendAsync(httpRequest, HttpResponse.BodyHandlers.ofInputStream())//

src/main/java/org/cryptomator/ui/fxapp/FxApplicationModule.java

@@ -13,6 +13,7 @@ import org.cryptomator.ui.lock.LockComponent;
 import org.cryptomator.ui.mainwindow.MainWindowComponent;
 import org.cryptomator.ui.preferences.PreferencesComponent;
 import org.cryptomator.ui.quit.QuitComponent;
+import org.cryptomator.ui.sharevault.ShareVaultComponent;
 import org.cryptomator.ui.traymenu.TrayMenuComponent;
 import org.cryptomator.ui.unlock.UnlockComponent;
 import org.cryptomator.ui.updatereminder.UpdateReminderComponent;
@@ -22,7 +23,17 @@ import javafx.scene.image.Image;
 import java.io.IOException;
 import java.io.InputStream;
 
-@Module(includes = {UpdateCheckerModule.class}, subcomponents = {TrayMenuComponent.class, MainWindowComponent.class, PreferencesComponent.class, VaultOptionsComponent.class, UnlockComponent.class, LockComponent.class, QuitComponent.class, ErrorComponent.class, HealthCheckComponent.class, UpdateReminderComponent.class})
+@Module(includes = {UpdateCheckerModule.class}, subcomponents = {TrayMenuComponent.class, //
+		MainWindowComponent.class, //
+		PreferencesComponent.class, //
+		VaultOptionsComponent.class, //
+		UnlockComponent.class, //
+		LockComponent.class, //
+		QuitComponent.class, //
+		ErrorComponent.class, //
+		HealthCheckComponent.class, //
+		UpdateReminderComponent.class, //
+		ShareVaultComponent.class})
 abstract class FxApplicationModule {
 
 	private static Image createImageFromResource(String resourceName) throws IOException {

src/main/java/org/cryptomator/ui/fxapp/FxApplicationWindows.java

@@ -11,6 +11,7 @@ import org.cryptomator.ui.mainwindow.MainWindowComponent;
 import org.cryptomator.ui.preferences.PreferencesComponent;
 import org.cryptomator.ui.preferences.SelectedPreferencesTab;
 import org.cryptomator.ui.quit.QuitComponent;
+import org.cryptomator.ui.sharevault.ShareVaultComponent;
 import org.cryptomator.ui.unlock.UnlockComponent;
 import org.cryptomator.ui.unlock.UnlockWorkflow;
 import org.cryptomator.ui.updatereminder.UpdateReminderComponent;
@@ -51,6 +52,7 @@ public class FxApplicationWindows {
 	private final ErrorComponent.Factory errorWindowFactory;
 	private final ExecutorService executor;
 	private final VaultOptionsComponent.Factory vaultOptionsWindow;
+	private final ShareVaultComponent.Factory shareVaultWindow;
 	private final FilteredList<Window> visibleWindows;
 
 	@Inject
@@ -64,6 +66,7 @@ public class FxApplicationWindows {
 								LockComponent.Factory lockWorkflowFactory, //
 								ErrorComponent.Factory errorWindowFactory, //
 								VaultOptionsComponent.Factory vaultOptionsWindow, //
+								ShareVaultComponent.Factory shareVaultWindow, //
 								ExecutorService executor) {
 		this.primaryStage = primaryStage;
 		this.trayIntegration = trayIntegration;
@@ -76,6 +79,7 @@ public class FxApplicationWindows {
 		this.errorWindowFactory = errorWindowFactory;
 		this.executor = executor;
 		this.vaultOptionsWindow = vaultOptionsWindow;
+		this.shareVaultWindow = shareVaultWindow;
 		this.visibleWindows = Window.getWindows().filtered(Window::isShowing);
 	}
 
@@ -122,6 +126,10 @@ public class FxApplicationWindows {
 		return CompletableFuture.supplyAsync(() -> preferencesWindow.get().showPreferencesWindow(selectedTab), Platform::runLater).whenComplete(this::reportErrors);
 	}
 
+	public void showShareVaultWindow(Vault vault) {
+		CompletableFuture.runAsync(() -> shareVaultWindow.create(vault).showShareVaultWindow(), Platform::runLater);
+	}
+
 	public CompletionStage<Stage> showVaultOptionsWindow(Vault vault, SelectedVaultOptionsTab tab) {
 		return showMainWindow().thenApplyAsync((window) -> vaultOptionsWindow.create(vault).showVaultOptionsWindow(tab), Platform::runLater).whenComplete(this::reportErrors);
 	}

src/main/java/org/cryptomator/ui/fxapp/UpdateCheckerModule.java

@@ -63,6 +63,7 @@ public abstract class UpdateCheckerModule {
 		return HttpRequest.newBuilder() //
 				.uri(LATEST_VERSION_URI) //
 				.header("User-Agent", userAgent) //
+				.timeout(java.time.Duration.ofSeconds(10))
 				.build();
 	}
 

src/main/java/org/cryptomator/ui/health/StartController.java

@@ -101,16 +101,16 @@ public class StartController implements FxController {
 		}
 	}
 
-	private void loadingKeyFailed(Throwable e) {
-		switch (e) {
-			case UnlockCancelledException uce -> {} //ok
-			case VaultKeyInvalidException vkie -> {
-				LOG.error("Invalid key"); //TODO: specific error screen
+	private void loadingKeyFailed(Throwable t) {
+		switch (t) {
+			case UnlockCancelledException e -> {} // ok // TODO: rename to _ with JEP 443
+			case VaultKeyInvalidException e -> { // TODO: rename to _ with JEP 443
+				LOG.error("Invalid key"); // TODO: specific error screen
 				appWindows.showErrorWindow(e, window, null);
 			}
 			default -> {
-				LOG.error("Failed to load key.", e);
-				appWindows.showErrorWindow(e, window, null);
+				LOG.error("Failed to load key.", t);
+				appWindows.showErrorWindow(t, window, null);
 			}
 		}
 	}

src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java

@@ -35,13 +35,13 @@ public class AuthFlowController implements FxController {
 	private final String deviceId;
 	private final HubConfig hubConfig;
 	private final AtomicReference<String> tokenRef;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final Lazy<Scene> receiveKeyScene;
 	private final ObjectProperty<URI> authUri;
 	private AuthFlowTask task;
 
 	@Inject
-	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
 		this.application = application;
 		this.window = window;
 		this.executor = executor;

src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java

@@ -1,13 +1,14 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.github.coffeelibs.tinyoauth2client.AuthFlow;
 import io.github.coffeelibs.tinyoauth2client.TinyOAuth2;
 import io.github.coffeelibs.tinyoauth2client.http.response.Response;
 
 import javafx.concurrent.Task;
 import java.io.IOException;
 import java.net.URI;
+import java.net.http.HttpClient;
+import java.time.Duration;
 import java.util.function.Consumer;
 
 class AuthFlowTask extends Task<String> {
@@ -21,7 +22,7 @@ class AuthFlowTask extends Task<String> {
 	/**
 	 * Spawns a server and waits for the redirectUri to be called.
 	 *
-	 * @param hubConfig Configuration object holding parameters required by {@link AuthFlow}
+	 * @param hubConfig Configuration object holding parameters required by {@link io.github.coffeelibs.tinyoauth2client.AuthorizationCodeGrant}
 	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
 	 */
 	public AuthFlowTask(HubConfig hubConfig, AuthFlowContext authFlowContext, Consumer<URI> redirectUriConsumer) {
@@ -34,10 +35,11 @@ class AuthFlowTask extends Task<String> {
 	protected String call() throws IOException, InterruptedException {
 		var response = TinyOAuth2.client(hubConfig.clientId) //
 				.withTokenEndpoint(URI.create(hubConfig.tokenEndpoint)) //
-				.authFlow(URI.create(hubConfig.authEndpoint)) //
+				.withRequestTimeout(Duration.ofSeconds(10)) //
+				.authorizationCodeGrant(URI.create(hubConfig.authEndpoint)) //
 				.setSuccessResponse(Response.redirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId()))) //
 				.setErrorResponse(Response.redirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId()))) //
-				.authorize(redirectUriConsumer);
+				.authorize(HttpClient.newHttpClient(), redirectUriConsumer);
 		if (response.statusCode() != 200) {
 			throw new NotOkResponseException("Authorization returned status code " + response.statusCode());
 		}

src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java

@@ -1,5 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-record CreateDeviceDto(String id, String name, String publicKey) {
-
-}

src/main/java/org/cryptomator/ui/keyloading/hub/DeviceAlreadyExistsException.java

@@ -0,0 +1,12 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+
+/**
+ * Thrown, when Hub registerDevice-Request returns with 409
+ */
+class DeviceAlreadyExistsException extends MasterkeyLoadingFailedException {
+	public DeviceAlreadyExistsException() {
+		super("Device already registered on this Hub instance");
+	}
+}

src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java

@@ -1,19 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.io.CharStreams;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.net.http.HttpResponse;
-import java.nio.charset.StandardCharsets;
-
-class HttpHelper {
-
-	public static String readBody(HttpResponse<InputStream> response) throws IOException {
-		try (var in = response.body(); var reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
-			return CharStreams.toString(reader);
-		}
-	}
-
-}

src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java

@@ -1,6 +1,10 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.jetbrains.annotations.Nullable;
+
+import java.net.URI;
 
 // needs to be accessible by JSON decoder
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -9,8 +13,50 @@ public class HubConfig {
 	public String clientId;
 	public String authEndpoint;
 	public String tokenEndpoint;
-	public String devicesResourceUrl;
 	public String authSuccessUrl;
 	public String authErrorUrl;
+	public @Nullable String apiBaseUrl;
+	@Deprecated // use apiBaseUrl + "/devices/"
+	public String devicesResourceUrl;
 
+	/**
+	 * A collection of String template processors to construct URIs related to this Hub instance.
+	 */
+	@JsonIgnore
+	public final URIProcessors URIs = new URIProcessors();
+
+	/**
+	 * Get the URI pointing to the <code>/api/</code> base resource.
+	 *
+	 * @return <code>/api/</code> URI
+	 * @apiNote URI is guaranteed to end on <code>/</code>
+	 * @see #URIs
+	 */
+	public URI getApiBaseUrl() {
+		if (apiBaseUrl != null) {
+			// make sure to end on "/":
+			return URI.create(apiBaseUrl + "/").normalize();
+		} else { // legacy approach
+			assert devicesResourceUrl != null;
+			// make sure to end on "/":
+			return URI.create(devicesResourceUrl + "/..").normalize();
+		}
+	}
+
+	public URI getWebappBaseUrl() {
+		return getApiBaseUrl().resolve("../app/");
+	}
+
+	public class URIProcessors {
+
+		/**
+		 * Resolves paths relative to the <code>/api/</code> endpoint of this Hub instance.
+		 */
+		public final StringTemplate.Processor<URI, RuntimeException> API = template -> {
+			var path = template.interpolate();
+			var relPath = path.startsWith("/") ? path.substring(1) : path;
+			return getApiBaseUrl().resolve(relPath);
+		};
+
+	}
 }

src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java

@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.io.BaseEncoding;
-import com.nimbusds.jose.JWEObject;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
@@ -69,7 +68,7 @@ public abstract class HubKeyLoadingModule {
 
 	@Provides
 	@KeyLoadingScoped
-	static CompletableFuture<JWEObject> provideResult() {
+	static CompletableFuture<ReceivedKey> provideResult() {
 		return new CompletableFuture<>();
 	}
 
@@ -114,10 +113,17 @@ public abstract class HubKeyLoadingModule {
 	}
 
 	@Provides
-	@FxmlScene(FxmlFile.HUB_REGISTER_DEVICE)
+	@FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE)
 	@KeyLoadingScoped
-	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
-		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
+	static Scene provideHubLegacyRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE);
+	}
+
+	@Provides
+	@FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_SUCCESS)
+	@KeyLoadingScoped
+	static Scene provideHubLegacyRegisterSuccessScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_LEGACY_REGISTER_SUCCESS);
 	}
 
 	@Provides
@@ -134,6 +140,20 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_FAILED);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REGISTER_DEVICE)
+	@KeyLoadingScoped
+	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
+	}
+
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REGISTER_DEVICE_ALREADY_EXISTS)
+	@KeyLoadingScoped
+	static Scene provideHubRegisterDeviceAlreadyExistsScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE_ALREADY_EXISTS);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE)
 	@KeyLoadingScoped
@@ -141,6 +161,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REQUIRE_ACCOUNT_INIT)
+	@KeyLoadingScoped
+	static Scene provideRequireAccountInitScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REQUIRE_ACCOUNT_INIT);
+	}
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(NoKeychainController.class)
@@ -166,6 +193,16 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(RegisterDeviceController.class)
 	abstract FxController bindRegisterDeviceController(RegisterDeviceController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(LegacyRegisterDeviceController.class)
+	abstract FxController bindLegacyRegisterDeviceController(LegacyRegisterDeviceController controller);
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(LegacyRegisterSuccessController.class)
+	abstract FxController bindLegacyRegisterSuccessController(LegacyRegisterSuccessController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(RegisterSuccessController.class)
@@ -180,4 +217,9 @@ public abstract class HubKeyLoadingModule {
 	@IntoMap
 	@FxControllerKey(UnauthorizedDeviceController.class)
 	abstract FxController bindUnauthorizedDeviceController(UnauthorizedDeviceController controller);
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(RequireAccountInitController.class)
+	abstract FxController bindRequireAccountInitController(RequireAccountInitController controller);
 }

src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java

@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
-import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.keychain.KeychainManager;
 import org.cryptomator.common.keychain.NoKeychainAccessProviderException;
@@ -36,14 +35,15 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final KeychainManager keychainManager;
 	private final Lazy<Scene> authFlowScene;
 	private final Lazy<Scene> noKeychainScene;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final DeviceKey deviceKey;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<JWEObject> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<ReceivedKey> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle) {
 		this.window = window;
 		this.keychainManager = keychainManager;
 		window.setTitle(windowTitle);
+		window.setOnCloseRequest(_ -> result.cancel(true));
 		this.authFlowScene = authFlowScene;
 		this.noKeychainScene = noKeychainScene;
 		this.result = result;
@@ -60,7 +60,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 			var keypair = deviceKey.get();
 			showWindow(authFlowScene);
 			var jwe = result.get();
-			return JWEHelper.decrypt(jwe, keypair.getPrivate());
+			return jwe.decryptMasterkey(keypair.getPrivate());
 		} catch (NoKeychainAccessProviderException e) {
 			showWindow(noKeychainScene);
 			throw new UnlockCancelledException("Unlock canceled due to missing prerequisites", e);

src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java

@@ -1,36 +1,141 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
-import com.google.common.io.BaseEncoding;
+import com.nimbusds.jose.EncryptionMethod;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWEHeader;
 import com.nimbusds.jose.JWEObject;
+import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.crypto.ECDHDecrypter;
+import com.nimbusds.jose.crypto.ECDHEncrypter;
+import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
+import org.cryptomator.cryptolib.api.CryptoException;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
 import java.util.Arrays;
+import java.util.Base64;
+import java.util.Map;
+import java.util.function.Function;
 
 class JWEHelper {
 
 	private static final Logger LOG = LoggerFactory.getLogger(JWEHelper.class);
-	private static final String JWE_PAYLOAD_MASTERKEY_FIELD = "key";
+	private static final String JWE_PAYLOAD_KEY_FIELD = "key";
+	private static final String EC_ALG = "EC";
 
-	private JWEHelper(){}
+	private JWEHelper() {}
 
-	public static Masterkey decrypt(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
+	public static JWEObject encryptUserKey(ECPrivateKey userKey, ECPublicKey deviceKey) {
+		return encryptKey(userKey, deviceKey);
+	}
+
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, String setupCode) throws InvalidJweKeyException {
 		try {
-			jwe.decrypt(new ECDHDecrypter(privateKey));
-			return readKey(jwe);
+			jwe.decrypt(new PasswordBasedDecrypter(setupCode));
+			return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, JWEHelper::decodeECPrivateKey);
 		} catch (JOSEException e) {
-			LOG.warn("Failed to decrypt JWE: {}", jwe);
-			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+			throw new InvalidJweKeyException(e);
 		}
 	}
 
-	private static Masterkey readKey(JWEObject jwe) throws MasterkeyLoadingFailedException {
+	public static ECPrivateKey decryptUserKey(JWEObject jwe, ECPrivateKey deviceKey) throws InvalidJweKeyException {
+		try {
+			jwe.decrypt(new ECDHDecrypter(deviceKey));
+			return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, JWEHelper::decodeECPrivateKey);
+		} catch (JOSEException e) {
+			throw new InvalidJweKeyException(e);
+		}
+	}
+
+	/**
+	 * Attempts to decode a DER-encoded EC private key.
+	 *
+	 * @param encoded DER-encoded EC private key
+	 * @return the decoded key
+	 * @throws KeyDecodeFailedException On malformed input
+	 */
+	public static ECPrivateKey decodeECPrivateKey(byte[] encoded) throws KeyDecodeFailedException {
+		try {
+			KeyFactory factory = KeyFactory.getInstance(EC_ALG);
+			var privateKey = factory.generatePrivate(new PKCS8EncodedKeySpec(encoded));
+			if (privateKey instanceof ECPrivateKey ecPrivateKey) {
+				return ecPrivateKey;
+			} else {
+				throw new IllegalStateException(EC_ALG + " key factory not generating ECPrivateKeys");
+			}
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(EC_ALG + " not supported");
+		} catch (InvalidKeySpecException e) {
+			throw new KeyDecodeFailedException(e);
+		}
+	}
+
+	/**
+	 * Attempts to decode a DER-encoded EC public key.
+	 *
+	 * @param encoded DER-encoded EC public key
+	 * @return the decoded key
+	 * @throws KeyDecodeFailedException On malformed input
+	 */
+	public static ECPublicKey decodeECPublicKey(byte[] encoded) throws KeyDecodeFailedException {
+		try {
+			KeyFactory factory = KeyFactory.getInstance(EC_ALG);
+			var publicKey = factory.generatePublic(new X509EncodedKeySpec(encoded));
+			if (publicKey instanceof ECPublicKey ecPublicKey) {
+				return ecPublicKey;
+			} else {
+				throw new IllegalStateException(EC_ALG + " key factory not generating ECPublicKeys");
+			}
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(EC_ALG + " not supported");
+		} catch (InvalidKeySpecException e) {
+			throw new KeyDecodeFailedException(e);
+		}
+	}
+
+	public static JWEObject encryptVaultKey(Masterkey vaultKey, ECPublicKey userKey) {
+		return encryptKey(vaultKey, userKey);
+	}
+
+	private static JWEObject encryptKey(Key key, ECPublicKey userKey) {
+		try {
+			var encodedVaultKey = Base64.getEncoder().encodeToString(key.getEncoded());
+			var keyGen = new ECKeyGenerator(Curve.P_384);
+			var ephemeralKeyPair = keyGen.generate();
+			var header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A256GCM).ephemeralPublicKey(ephemeralKeyPair.toPublicJWK()).build();
+			var payload = new Payload(Map.of(JWE_PAYLOAD_KEY_FIELD, encodedVaultKey));
+			var jwe = new JWEObject(header, payload);
+			jwe.encrypt(new ECDHEncrypter(userKey));
+			return jwe;
+		} catch (JOSEException e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	public static Masterkey decryptVaultKey(JWEObject jwe, ECPrivateKey privateKey) throws InvalidJweKeyException {
+		try {
+			jwe.decrypt(new ECDHDecrypter(privateKey));
+			return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, Masterkey::new);
+		} catch (JOSEException e) {
+			throw new InvalidJweKeyException(e);
+		}
+	}
+
+	private static <T> T readKey(JWEObject jwe, String keyField, Function<byte[], T> rawKeyFactory) throws MasterkeyLoadingFailedException {
 		Preconditions.checkArgument(jwe.getState() == JWEObject.State.DECRYPTED);
 		var fields = jwe.getPayload().toJSONObject();
 		if (fields == null) {
@@ -39,17 +144,31 @@ class JWEHelper {
 		}
 		var keyBytes = new byte[0];
 		try {
-			if (fields.get(JWE_PAYLOAD_MASTERKEY_FIELD) instanceof String key) {
-				keyBytes = BaseEncoding.base64().decode(key);
-				return new Masterkey(keyBytes);
+			if (fields.get(keyField) instanceof String key) {
+				keyBytes = Base64.getDecoder().decode(key);
+				return rawKeyFactory.apply(keyBytes);
 			} else {
-				throw new IllegalArgumentException("JWE payload doesn't contain field " + JWE_PAYLOAD_MASTERKEY_FIELD);
+				throw new IllegalArgumentException("JWE payload doesn't contain field " + keyField);
 			}
-		} catch (IllegalArgumentException e) {
+		} catch (IllegalArgumentException | KeyDecodeFailedException e) {
 			LOG.error("Unexpected JWE payload: {}", jwe.getPayload());
 			throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
 		} finally {
 			Arrays.fill(keyBytes, (byte) 0x00);
 		}
 	}
+
+	public static class InvalidJweKeyException extends MasterkeyLoadingFailedException {
+
+		public InvalidJweKeyException(Throwable cause) {
+			super("Invalid key", cause);
+		}
+	}
+
+	public static class KeyDecodeFailedException extends CryptoException {
+
+		public KeyDecodeFailedException(Throwable cause) {
+			super("Malformed key", cause);
+		}
+	}
 }

src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterDeviceController.java

@@ -0,0 +1,191 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import dagger.Lazy;
+import org.cryptomator.common.settings.DeviceKey;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javafx.application.Platform;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.Scene;
+import javafx.scene.control.Button;
+import javafx.scene.control.ContentDisplay;
+import javafx.scene.control.TextField;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class LegacyRegisterDeviceController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(LegacyRegisterDeviceController.class);
+	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
+	private static final List<Integer> EXPECTED_RESPONSE_CODES = List.of(201, 409);
+
+	private final Stage window;
+	private final HubConfig hubConfig;
+	private final String bearerToken;
+	private final Lazy<Scene> registerSuccessScene;
+	private final Lazy<Scene> registerFailedScene;
+	private final String deviceId;
+	private final P384KeyPair keyPair;
+	private final CompletableFuture<ReceivedKey> result;
+	private final DecodedJWT jwt;
+	private final HttpClient httpClient;
+	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
+
+	public TextField deviceNameField;
+	public Button registerBtn;
+
+	@Inject
+	public LegacyRegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+		this.window = window;
+		this.hubConfig = hubConfig;
+		this.deviceId = deviceId;
+		this.keyPair = Objects.requireNonNull(deviceKey.get());
+		this.result = result;
+		this.bearerToken = Objects.requireNonNull(bearerToken.get());
+		this.registerSuccessScene = registerSuccessScene;
+		this.registerFailedScene = registerFailedScene;
+		this.jwt = JWT.decode(this.bearerToken);
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
+	}
+
+	public void initialize() {
+		deviceNameField.setText(determineHostname());
+		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+	}
+
+	private String determineHostname() {
+		try {
+			var hostName = InetAddress.getLocalHost().getHostName();
+			return Objects.requireNonNullElse(hostName, "");
+		} catch (IOException e) {
+			return "";
+		}
+	}
+
+	@FXML
+	public void register() {
+		deviceNameAlreadyExists.set(false);
+		registerBtn.setContentDisplay(ContentDisplay.LEFT);
+		registerBtn.setDisable(true);
+
+		var deviceUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
+		var deviceKey = keyPair.getPublic().getEncoded();
+		var dto = new CreateDeviceDto();
+		dto.id = deviceId;
+		dto.name = deviceNameField.getText();
+		dto.publicKey = Base64.getUrlEncoder().withoutPadding().encodeToString(deviceKey);
+		var json = toJson(dto);
+		var request = HttpRequest.newBuilder(deviceUri) //
+				.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.header("Content-Type", "application/json") //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
+				.thenApply(response -> {
+					if (EXPECTED_RESPONSE_CODES.contains(response.statusCode())) {
+						return response;
+					} else {
+						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
+					}
+				}).handleAsync((response, throwable) -> {
+					if (response != null) {
+						this.handleResponse(response);
+					} else {
+						this.registrationFailed(throwable);
+					}
+					return null;
+				}, Platform::runLater);
+	}
+
+	private String toJson(CreateDeviceDto dto) {
+		try {
+			return JSON.writer().writeValueAsString(dto);
+		} catch (JacksonException e) {
+			throw new IllegalStateException("Failed to serialize DTO", e);
+		}
+	}
+
+	private void handleResponse(HttpResponse<Void> voidHttpResponse) {
+		assert EXPECTED_RESPONSE_CODES.contains(voidHttpResponse.statusCode());
+
+		if (voidHttpResponse.statusCode() == 409) {
+			deviceNameAlreadyExists.set(true);
+			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
+			registerBtn.setDisable(false);
+		} else {
+			LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
+			window.setScene(registerSuccessScene.get());
+		}
+	}
+
+	private void registrationFailed(Throwable cause) {
+		LOG.warn("Device registration failed.", cause);
+		window.setScene(registerFailedScene.get());
+		result.completeExceptionally(cause);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+
+	/* Getter */
+
+	public String getUserName() {
+		return jwt.getClaim("email").asString();
+	}
+
+
+	//--- Getters & Setters
+
+	public BooleanProperty deviceNameAlreadyExistsProperty() {
+		return deviceNameAlreadyExists;
+	}
+
+	public boolean getDeviceNameAlreadyExists() {
+		return deviceNameAlreadyExists.get();
+	}
+
+	private static class CreateDeviceDto {
+		public String id;
+		public String name;
+		public final String type = "DESKTOP";
+		public String publicKey;
+
+	}
+
+}

src/main/java/org/cryptomator/ui/keyloading/hub/LegacyRegisterSuccessController.java

@@ -0,0 +1,24 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+
+@KeyLoadingScoped
+public class LegacyRegisterSuccessController implements FxController {
+	private final Stage window;
+
+	@Inject
+	public LegacyRegisterSuccessController(@KeyLoading Stage window) {
+		this.window = window;
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+}

src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java

@@ -1,5 +1,9 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.base.Preconditions;
 import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
@@ -8,6 +12,8 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -17,14 +23,15 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
+import java.time.Duration;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
@@ -33,27 +40,36 @@ import java.util.concurrent.atomic.AtomicReference;
 @KeyLoadingScoped
 public class ReceiveKeyController implements FxController {
 
+	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 	private static final String SCHEME_PREFIX = "hub+";
+	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
+	private static final Duration REQ_TIMEOUT = Duration.ofSeconds(10);
 
 	private final Stage window;
+	private final HubConfig hubConfig;
+	private final String vaultId;
 	private final String deviceId;
 	private final String bearerToken;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 	private final Lazy<Scene> registerDeviceScene;
+	private final Lazy<Scene> legacyRegisterDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
-	private final URI vaultBaseUri;
+	private final Lazy<Scene> accountInitializationScene;
 	private final Lazy<Scene> invalidLicenseScene;
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, HubConfig hubConfig, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_LEGACY_REGISTER_DEVICE) Lazy<Scene> legacyRegisterDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, @FxmlScene(FxmlFile.HUB_REQUIRE_ACCOUNT_INIT) Lazy<Scene> accountInitializationScene, @FxmlScene(FxmlFile.HUB_INVALID_LICENSE) Lazy<Scene> invalidLicenseScene) {
 		this.window = window;
+		this.hubConfig = hubConfig;
+		this.vaultId = extractVaultId(vault.getVaultConfigCache().getUnchecked().getKeyId()); // TODO: access vault config's JTI directly (requires changes in cryptofs)
 		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.result = result;
 		this.registerDeviceScene = registerDeviceScene;
+		this.legacyRegisterDeviceScene = legacyRegisterDeviceScene;
 		this.unauthorizedScene = unauthorizedScene;
-		this.vaultBaseUri = getVaultBaseUri(vault);
+		this.accountInitializationScene = accountInitializationScene;
 		this.invalidLicenseScene = invalidLicenseScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
@@ -61,23 +77,158 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void initialize() {
-		var keyUri = appendPath(vaultBaseUri, "/keys/" + deviceId);
-		var request = HttpRequest.newBuilder(keyUri) //
-				.header("Authorization", "Bearer " + bearerToken) //
+		receiveKey();
+	}
+
+	public void receiveKey() {
+		requestApiConfig();
+	}
+
+	/**
+	 * STEP 0 (Request): GET /api/config
+	 */
+	private void requestApiConfig() {
+		var configUri = hubConfig.URIs.API."config";
+		var request = HttpRequest.newBuilder(configUri) //
 				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.build();
-		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
-				.thenAcceptAsync(this::loadedExistingKey, Platform::runLater) //
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(this::receivedApiConfig, Platform::runLater) //
 				.exceptionally(this::retrievalFailed);
 	}
 
-	private void loadedExistingKey(HttpResponse<InputStream> response) {
+	/**
+	 * STEP 0 (Response): GET /api/config
+	 *
+	 * @param response Response
+	 */
+	private void receivedApiConfig(HttpResponse<String> response) {
+		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
+		Preconditions.checkState(response.statusCode() == 200, "Unexpected response " + response.statusCode());
+		try {
+			var config = JSON.reader().readValue(response.body(), ConfigDto.class);
+			if (config.apiLevel >= 1) {
+				requestDeviceData();
+			} else {
+				requestLegacyAccessToken();
+			}
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		}
+	}
+
+	/**
+	 * STEP 1 (Request): GET user key for this device
+	 */
+	private void requestDeviceData() {
+		var deviceUri = hubConfig.URIs.API."devices/\{deviceId}";
+		var request = HttpRequest.newBuilder(deviceUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.timeout(REQ_TIMEOUT) //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
+				.thenAcceptAsync(this::receivedDeviceData) //
+				.exceptionally(this::retrievalFailed);
+	}
+
+	/**
+	 * STEP 1 (Response): GET user key for this device
+	 *
+	 * @param response Response
+	 */
+	private void receivedDeviceData(HttpResponse<String> response) {
+		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
 		try {
 			switch (response.statusCode()) {
-				case 200 -> retrievalSucceeded(response);
+				case 200 -> {
+					var device = JSON.reader().readValue(response.body(), DeviceDto.class);
+					requestVaultMasterkey(device.userPrivateKey);
+				}
+				case 404 -> Platform.runLater(this::needsDeviceRegistration);
+				default -> throw new IllegalStateException("Unexpected response " + response.statusCode());
+			}
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		}
+	}
+
+	private void needsDeviceRegistration() {
+		window.setScene(registerDeviceScene.get());
+	}
+
+	/**
+	 * STEP 2 (Request): GET vault key for this user
+	 */
+	private void requestVaultMasterkey(String encryptedUserKey) {
+		var vaultKeyUri = hubConfig.URIs.API."vaults/\{vaultId}/access-token";
+		var request = HttpRequest.newBuilder(vaultKeyUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.timeout(REQ_TIMEOUT) //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(response -> receivedVaultMasterkey(encryptedUserKey, response), Platform::runLater) //
+				.exceptionally(this::retrievalFailed);
+	}
+
+	/**
+	 * STEP 2 (Response): GET vault key for this user
+	 *
+	 * @param response Response
+	 */
+	private void receivedVaultMasterkey(String encryptedUserKey, HttpResponse<String> response) {
+		LOG.debug("GET {} -> Status Code {}", response.request().uri(), response.statusCode());
+		switch (response.statusCode()) {
+			case 200 -> receivedBothEncryptedKeys(response.body(), encryptedUserKey);
+			case 402 -> licenseExceeded();
+			case 403, 410 -> accessNotGranted(); // or vault has been archived, effectively disallowing access - TODO: add specific dialog?
+			case 449 -> accountInitializationRequired();
+			default -> throw new IllegalStateException("Unexpected response " + response.statusCode());
+		}
+	}
+
+	private void receivedBothEncryptedKeys(String encryptedVaultKey, String encryptedUserKey) {
+		try {
+			var vaultKeyJwe = JWEObject.parse(encryptedVaultKey);
+			var userKeyJwe = JWEObject.parse(encryptedUserKey);
+			result.complete(ReceivedKey.vaultKeyAndUserKey(vaultKeyJwe, userKeyJwe));
+			window.close();
+		} catch (ParseException e) {
+			retrievalFailed(e);
+		}
+	}
+
+	/**
+	 * LEGACY FALLBACK (Request): GET the legacy access token from Hub 1.x
+	 */
+	@Deprecated
+	private void requestLegacyAccessToken() {
+		var legacyAccessTokenUri = hubConfig.URIs.API."vaults/\{vaultId}/keys/\{deviceId}";
+		var request = HttpRequest.newBuilder(legacyAccessTokenUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.timeout(REQ_TIMEOUT) //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.US_ASCII)) //
+				.thenAcceptAsync(this::receivedLegacyAccessTokenResponse, Platform::runLater) //
+				.exceptionally(this::retrievalFailed);
+	}
+
+	/**
+	 * LEGACY FALLBACK (Response)
+	 *
+	 * @param response Response
+	 */
+	@Deprecated
+	private void receivedLegacyAccessTokenResponse(HttpResponse<String> response) {
+		try {
+			switch (response.statusCode()) {
+				case 200 -> receivedLegacyAccessTokenSuccess(response.body());
 				case 402 -> licenseExceeded();
 				case 403, 410 -> accessNotGranted(); // or vault has been archived, effectively disallowing access
-				case 404 -> needsDeviceRegistration();
+				case 404 -> needsLegacyDeviceRegistration();
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
@@ -85,10 +236,11 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
-	private void retrievalSucceeded(HttpResponse<InputStream> response) throws IOException {
+	@Deprecated
+	private void receivedLegacyAccessTokenSuccess(String rawToken) throws IOException {
 		try {
-			var string = HttpHelper.readBody(response);
-			result.complete(JWEObject.parse(string));
+			var token = JWEObject.parse(rawToken);
+			result.complete(ReceivedKey.legacyDeviceKey(token));
 			window.close();
 		} catch (ParseException e) {
 			throw new IOException("Failed to parse JWE", e);
@@ -99,14 +251,19 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(invalidLicenseScene.get());
 	}
 
-	private void needsDeviceRegistration() {
-		window.setScene(registerDeviceScene.get());
+	@Deprecated
+	private void needsLegacyDeviceRegistration() {
+		window.setScene(legacyRegisterDeviceScene.get());
 	}
 
 	private void accessNotGranted() {
 		window.setScene(unauthorizedScene.get());
 	}
 
+	private void accountInitializationRequired() {
+		window.setScene(accountInitializationScene.get());
+	}
+
 	private Void retrievalFailed(Throwable cause) {
 		result.completeExceptionally(cause);
 		return null;
@@ -130,16 +287,15 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
-	private static URI getVaultBaseUri(Vault vault) {
-		try {
-			var kid = vault.getVaultConfigCache().get().getKeyId();
-			assert kid.getScheme().startsWith(SCHEME_PREFIX);
-			var hubUriScheme = kid.getScheme().substring(SCHEME_PREFIX.length());
-			return new URI(hubUriScheme, kid.getSchemeSpecificPart(), kid.getFragment());
-		} catch (IOException e) {
-			throw new UncheckedIOException(e);
-		} catch (URISyntaxException e) {
-			throw new IllegalStateException("URI constructed from params known to be valid", e);
-		}
+	private static String extractVaultId(URI vaultKeyUri) {
+		assert vaultKeyUri.getScheme().startsWith(SCHEME_PREFIX);
+		var path = vaultKeyUri.getPath();
+		return path.substring(path.lastIndexOf('/') + 1);
 	}
+
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record DeviceDto(@JsonProperty(value = "userPrivateKey", required = true) String userPrivateKey) {}
+
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record ConfigDto(@JsonProperty(value = "apiLevel") int apiLevel) {}
 }

src/main/java/org/cryptomator/ui/keyloading/hub/ReceivedKey.java

@@ -0,0 +1,45 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.nimbusds.jose.JWEObject;
+import org.cryptomator.cryptolib.api.Masterkey;
+
+import java.security.interfaces.ECPrivateKey;
+
+@FunctionalInterface
+interface ReceivedKey {
+
+	/**
+	 * Decrypts the vault key.
+	 *
+	 * @param deviceKey This device's private key.
+	 * @return The decrypted vault key
+	 */
+	Masterkey decryptMasterkey(ECPrivateKey deviceKey);
+
+	/**
+	 * Creates an unlock response object from the user key + vault key.
+	 *
+	 * @param vaultKeyJwe a JWE containing the symmetric vault key, encrypted for this device's user.
+	 * @param userKeyJwe a JWE containing the user's private key, encrypted for this device.
+	 * @return Ciphertext received by Hub, which can be decrypted using this device's private key.
+	 */
+	static ReceivedKey vaultKeyAndUserKey(JWEObject vaultKeyJwe, JWEObject userKeyJwe) {
+		return deviceKey -> {
+			var userKey = JWEHelper.decryptUserKey(userKeyJwe, deviceKey);
+			return JWEHelper.decryptVaultKey(vaultKeyJwe, userKey);
+		};
+	}
+
+	/**
+	 * Creates an unlock response object from the received legacy "access token" JWE.
+	 *
+	 * @param vaultKeyJwe a JWE containing the symmetric vault key, encrypted for this device.
+	 * @return Ciphertext received by Hub, which can be decrypted using this device's private key.
+	 * @deprecated Only for compatibility with Hub 1.0 - 1.2
+	 */
+	@Deprecated
+	static ReceivedKey legacyDeviceKey(JWEObject vaultKeyJwe) {
+		return deviceKey -> JWEHelper.decryptVaultKey(vaultKeyJwe, deviceKey);
+	}
+
+}

src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java

@@ -1,7 +1,7 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JacksonException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.io.BaseEncoding;
@@ -20,6 +20,7 @@ import org.slf4j.LoggerFactory;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Platform;
+import javafx.beans.binding.Bindings;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
@@ -30,58 +31,74 @@ import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.io.IOException;
+import java.io.InterruptedIOException;
+import java.io.UncheckedIOException;
 import java.net.InetAddress;
-import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
-import java.util.List;
+import java.security.interfaces.ECPublicKey;
+import java.text.ParseException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.stream.Collectors;
 
 @KeyLoadingScoped
 public class RegisterDeviceController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(RegisterDeviceController.class);
 	private static final ObjectMapper JSON = new ObjectMapper().setDefaultLeniency(true);
-	private static final List<Integer> EXPECTED_RESPONSE_CODES = List.of(201, 409);
+	private static final Duration REQ_TIMEOUT = Duration.ofSeconds(10);
 
 	private final Stage window;
 	private final HubConfig hubConfig;
 	private final String bearerToken;
 	private final Lazy<Scene> registerSuccessScene;
 	private final Lazy<Scene> registerFailedScene;
+	private final Lazy<Scene> deviceAlreadyExistsScene;
 	private final String deviceId;
-	private final P384KeyPair keyPair;
-	private final CompletableFuture<JWEObject> result;
-	private final DecodedJWT jwt;
+	private final P384KeyPair deviceKeyPair;
+	private final CompletableFuture<ReceivedKey> result;
 	private final HttpClient httpClient;
-	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
 
+	private final BooleanProperty invalidSetupCode = new SimpleBooleanProperty(false);
+	private final BooleanProperty workInProgress = new SimpleBooleanProperty(false);
+	public TextField setupCodeField;
 	public TextField deviceNameField;
 	public Button registerBtn;
 
 	@Inject
-	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<ReceivedKey> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE_ALREADY_EXISTS) Lazy<Scene> deviceAlreadyExistsScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
-		this.keyPair = Objects.requireNonNull(deviceKey.get());
+		this.deviceKeyPair = Objects.requireNonNull(deviceKey.get());
 		this.result = result;
 		this.bearerToken = Objects.requireNonNull(bearerToken.get());
 		this.registerSuccessScene = registerSuccessScene;
 		this.registerFailedScene = registerFailedScene;
-		this.jwt = JWT.decode(this.bearerToken);
+		this.deviceAlreadyExistsScene = deviceAlreadyExistsScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).executor(executor).build();
 	}
 
 	public void initialize() {
 		deviceNameField.setText(determineHostname());
-		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
+		deviceNameField.disableProperty().bind(workInProgress);
+		setupCodeField.textProperty().addListener(observable -> invalidSetupCode.set(false));
+		setupCodeField.disableProperty().bind(workInProgress);
+		var missingSetupCode = setupCodeField.textProperty().isEmpty();
+		var missingDeviceName = deviceNameField.textProperty().isEmpty();
+		registerBtn.disableProperty().bind(workInProgress.or(missingSetupCode).or(missingDeviceName));
+		registerBtn.contentDisplayProperty().bind(Bindings.when(workInProgress).then(ContentDisplay.LEFT).otherwise(ContentDisplay.TEXT_ONLY));
 	}
 
 	private String determineHostname() {
@@ -95,35 +112,103 @@ public class RegisterDeviceController implements FxController {
 
 	@FXML
 	public void register() {
-		deviceNameAlreadyExists.set(false);
-		registerBtn.setContentDisplay(ContentDisplay.LEFT);
-		registerBtn.setDisable(true);
+		workInProgress.set(true);
 
-		var keyUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
-		var deviceKey = keyPair.getPublic().getEncoded();
-		var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64Url().omitPadding().encode(deviceKey));
-		var json = toJson(dto);
-		var request = HttpRequest.newBuilder(keyUri) //
+
+		var userReq = HttpRequest.newBuilder(hubConfig.URIs.API."users/me") //
+				.GET() //
+				.timeout(REQ_TIMEOUT) //
 				.header("Authorization", "Bearer " + bearerToken) //
-				.header("Content-Type", "application/json").PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+				.header("Content-Type", "application/json") //
 				.build();
-		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
+		httpClient.sendAsync(userReq, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)) //
 				.thenApply(response -> {
-					if (EXPECTED_RESPONSE_CODES.contains(response.statusCode())) {
-						return response;
+					if (response.statusCode() == 200) {
+						var dto = fromJson(response.body());
+						return Objects.requireNonNull(dto, "null or empty response body");
 					} else {
 						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
 					}
-				}).handleAsync((response, throwable) -> {
-					if (response != null) {
-						this.handleResponse(response);
-					} else {
-						this.registrationFailed(throwable);
+				}).thenApply(user -> {
+					try {
+						assert user.privateKey != null && user.publicKey != null; // api/vaults/{v}/user-tokens/me would have returned 403, if user wasn't fully set up yet
+						var userPublicKey = JWEHelper.decodeECPublicKey(Base64.getDecoder().decode(user.publicKey));
+						migrateLegacyDevices(userPublicKey); // TODO: remove eventually, when most users have migrated to Hub 1.3.x or newer
+						var userKey = JWEHelper.decryptUserKey(JWEObject.parse(user.privateKey), setupCodeField.getText());
+						return JWEHelper.encryptUserKey(userKey, deviceKeyPair.getPublic());
+					} catch (ParseException | JWEHelper.KeyDecodeFailedException e) {
+						throw new RuntimeException("Server answered with unparsable user key", e);
 					}
-					return null;
+				}).thenCompose(jwe -> {
+					var now = Instant.now().toString();
+					var dto = new CreateDeviceDto(deviceId, deviceNameField.getText(), BaseEncoding.base64().encode(deviceKeyPair.getPublic().getEncoded()), "DESKTOP", jwe.serialize(), now);
+					var json = toJson(dto);
+					var deviceUri = hubConfig.URIs.API."devices/\{deviceId}";
+					var putDeviceReq = HttpRequest.newBuilder(deviceUri) //
+							.PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+							.timeout(REQ_TIMEOUT) //
+							.header("Authorization", "Bearer " + bearerToken) //
+							.header("Content-Type", "application/json") //
+							.build();
+					return httpClient.sendAsync(putDeviceReq, HttpResponse.BodyHandlers.discarding());
+				}).whenCompleteAsync((response, throwable) -> {
+					if (response != null) {
+						this.handleRegisterDeviceResponse(response);
+					} else {
+						this.setupFailed(throwable);
+					}
+					workInProgress.set(false);
 				}, Platform::runLater);
 	}
 
+	private void migrateLegacyDevices(ECPublicKey userPublicKey) {
+		try {
+			// GET legacy access tokens
+			var getUri = hubConfig.URIs.API."devices/\{deviceId}/legacy-access-tokens";
+			var getReq = HttpRequest.newBuilder(getUri).GET().timeout(REQ_TIMEOUT).header("Authorization", "Bearer " + bearerToken).build();
+			var getRes = httpClient.send(getReq, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
+			if (getRes.statusCode() != 200) {
+				LOG.debug("GET {} resulted in status code {}. Skipping migration.", getUri, getRes.statusCode());
+				return;
+			}
+			Map<String, String> legacyAccessTokens = JSON.readerForMapOf(String.class).readValue(getRes.body());
+			if (legacyAccessTokens.isEmpty()) {
+				return; // no migration required
+			}
+
+			// POST new access tokens
+			Map<String, String> newAccessTokens = legacyAccessTokens.entrySet().stream().<Map.Entry<String, String>>mapMulti((entry, consumer) -> {
+				try (var vaultKey = JWEHelper.decryptVaultKey(JWEObject.parse(entry.getValue()), deviceKeyPair.getPrivate())) {
+					var newAccessToken = JWEHelper.encryptVaultKey(vaultKey, userPublicKey).serialize();
+					consumer.accept(Map.entry(entry.getKey(), newAccessToken));
+				} catch (ParseException | JWEHelper.InvalidJweKeyException e) {
+					LOG.warn("Failed to decrypt legacy access token for vault {}. Skipping migration.", entry.getKey());
+				}
+			}).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+			var postUri = hubConfig.URIs.API."users/me/access-tokens";
+			var postBody = JSON.writer().writeValueAsString(newAccessTokens);
+			var postReq = HttpRequest.newBuilder(postUri).POST(HttpRequest.BodyPublishers.ofString(postBody)).timeout(REQ_TIMEOUT).header("Authorization", "Bearer " + bearerToken).build();
+			var postRes = httpClient.send(postReq, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
+			if (postRes.statusCode() != 200) {
+				throw new IOException(STR."Unexpected response from POST \{postUri}: \{postRes.statusCode()}");
+			}
+		} catch (IOException e) {
+			// log and ignore: this is merely a best-effort attempt of migrating legacy devices. Failure is uncritical as this is merely a convenience feature.
+			LOG.error("Legacy Device Migration failed.", e);
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			throw new UncheckedIOException(new InterruptedIOException("Legacy Device Migration interrupted"));
+		}
+	}
+
+	private UserDto fromJson(String json) {
+		try {
+			return JSON.reader().readValue(json, UserDto.class);
+		} catch (IOException e) {
+			throw new IllegalStateException("Failed to deserialize DTO", e);
+		}
+	}
+
 	private String toJson(CreateDeviceDto dto) {
 		try {
 			return JSON.writer().writeValueAsString(dto);
@@ -132,23 +217,29 @@ public class RegisterDeviceController implements FxController {
 		}
 	}
 
-	private void handleResponse(HttpResponse<Void> voidHttpResponse) {
-		assert EXPECTED_RESPONSE_CODES.contains(voidHttpResponse.statusCode());
-
-		if (voidHttpResponse.statusCode() == 409) {
-			deviceNameAlreadyExists.set(true);
-			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
-			registerBtn.setDisable(false);
-		} else {
+	private void handleRegisterDeviceResponse(HttpResponse<Void> response) {
+		if (response.statusCode() == 201) {
 			LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
 			window.setScene(registerSuccessScene.get());
+		} else if (response.statusCode() == 409) {
+			setupFailed(new DeviceAlreadyExistsException());
+		} else {
+			setupFailed(new IllegalStateException("Unexpected http status code " + response.statusCode()));
 		}
 	}
 
-	private void registrationFailed(Throwable cause) {
-		LOG.warn("Device registration failed.", cause);
-		window.setScene(registerFailedScene.get());
-		result.completeExceptionally(cause);
+	private void setupFailed(Throwable cause) {
+		switch (cause) {
+			case CompletionException e when e.getCause() instanceof JWEHelper.InvalidJweKeyException -> invalidSetupCode.set(true);
+			case DeviceAlreadyExistsException e -> {
+				LOG.debug("Device already registered in hub instance {} for different user", hubConfig.authSuccessUrl);
+				window.setScene(deviceAlreadyExistsScene.get());
+			}
+			default -> {
+				LOG.warn("Device setup failed.", cause);
+				window.setScene(registerFailedScene.get());
+			}
+		}
 	}
 
 	@FXML
@@ -160,22 +251,22 @@ public class RegisterDeviceController implements FxController {
 		result.cancel(true);
 	}
 
-	/* Getter */
-
-	public String getUserName() {
-		return jwt.getClaim("email").asString();
-	}
-
-
 	//--- Getters & Setters
-
-	public BooleanProperty deviceNameAlreadyExistsProperty() {
-		return deviceNameAlreadyExists;
+	public BooleanProperty invalidSetupCodeProperty() {
+		return invalidSetupCode;
 	}
 
-	public boolean getDeviceNameAlreadyExists() {
-		return deviceNameAlreadyExists.get();
+	public boolean isInvalidSetupCode() {
+		return invalidSetupCode.get();
 	}
 
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	private record UserDto(String id, String name, String publicKey, String privateKey, String setupCode) {}
 
+	private record CreateDeviceDto(@JsonProperty(required = true) String id, //
+								   @JsonProperty(required = true) String name, //
+								   @JsonProperty(required = true) String publicKey, //
+								   @JsonProperty(required = true, defaultValue = "DESKTOP") String type, //
+								   @JsonProperty(required = true) String userPrivateKey, //
+								   @JsonProperty(required = true) String creationTime) {}
 }

src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java

@@ -1,6 +1,5 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.nimbusds.jose.JWEObject;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.keyloading.KeyLoading;
 
@@ -12,18 +11,18 @@ import java.util.concurrent.CompletableFuture;
 public class RegisterFailedController implements FxController {
 
 	private final Stage window;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 
 	@Inject
-	public RegisterFailedController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
+	public RegisterFailedController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
 		this.window = window;
 		this.result = result;
 	}
 
 	@FXML
 	public void close() {
+		result.cancel(true);
 		window.close();
 	}
 
-
 }

src/main/java/org/cryptomator/ui/keyloading/hub/RegisterSuccessController.java

@@ -1,24 +1,43 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import dagger.Lazy;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 
 import javax.inject.Inject;
 import javafx.fxml.FXML;
+import javafx.scene.Scene;
 import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.util.concurrent.CompletableFuture;
 
 public class RegisterSuccessController implements FxController {
 
 	private final Stage window;
+	private final CompletableFuture<ReceivedKey> result;
+	private final Lazy<Scene> receiveKeyScene;
+	private final ReceiveKeyController receiveKeyController;
 
 	@Inject
-	public RegisterSuccessController(@KeyLoading Stage window) {
+	public RegisterSuccessController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ReceiveKeyController receiveKeyController) {
 		this.window = window;
+		this.result = result;
+		this.receiveKeyScene = receiveKeyScene;
+		this.receiveKeyController = receiveKeyController;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
 	@FXML
-	public void close() {
-		window.close();
+	public void complete() {
+		window.setScene(receiveKeyScene.get());
+		receiveKeyController.receiveKey();
 	}
 
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+
+
 }

src/main/java/org/cryptomator/ui/keyloading/hub/RequireAccountInitController.java

@@ -0,0 +1,46 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+
+import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.event.ActionEvent;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.util.concurrent.CompletableFuture;
+
+@KeyLoadingScoped
+public class RequireAccountInitController implements FxController {
+
+	private final Application application;
+	private final HubConfig hubConfig;
+	private final Stage window;
+	private final CompletableFuture<ReceivedKey> result;
+
+	@Inject
+	public RequireAccountInitController(Application application, HubConfig hubConfig, @KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
+		this.application = application;
+		this.hubConfig = hubConfig;
+		this.window = window;
+		this.result = result;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void completeSetup() {
+		application.getHostServices().showDocument(hubConfig.getWebappBaseUrl().resolve("profile").toString());
+		close();
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+}

src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java

@@ -15,10 +15,10 @@ import java.util.concurrent.CompletableFuture;
 public class UnauthorizedDeviceController implements FxController {
 
 	private final Stage window;
-	private final CompletableFuture<JWEObject> result;
+	private final CompletableFuture<ReceivedKey> result;
 
 	@Inject
-	public UnauthorizedDeviceController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
+	public UnauthorizedDeviceController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
 		this.window = window;
 		this.result = result;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);

src/main/java/org/cryptomator/ui/mainwindow/ResizeController.java

@@ -7,7 +7,6 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javafx.beans.binding.BooleanBinding;
-import javafx.collections.ObservableList;
 import javafx.fxml.FXML;
 import javafx.geometry.Rectangle2D;
 import javafx.scene.input.MouseEvent;
@@ -67,37 +66,7 @@ public class ResizeController implements FxController {
 		return (settings.windowHeight.get() == 0) && (settings.windowWidth.get() == 0) && (settings.windowXPosition.get() == 0) && (settings.windowYPosition.get() == 0);
 	}
 
-	private boolean isWithinDisplayBounds() {
-		// (x1, y1) is the top left corner of the window, (x2, y2) is the bottom right corner
-		final double slack = 10;
-		final double width = window.getWidth() - 2 * slack;
-		final double height = window.getHeight() - 2 * slack;
-		final double x1 = window.getX() + slack;
-		final double y1 = window.getY() + slack;
-		final double x2 = x1 + width;
-		final double y2 = y1 + height;
-
-		final ObservableList<Screen> screens = Screen.getScreensForRectangle(x1, y1, width, height);
-
-		// Find the total visible area of the window
-		double visibleArea = 0;
-		for (Screen screen : screens) {
-			Rectangle2D bounds = screen.getVisualBounds();
-
-			double xOverlap = Math.min(x2, bounds.getMaxX()) - Math.max(x1, bounds.getMinX());
-			double yOverlap = Math.min(y2, bounds.getMaxY()) - Math.max(y1, bounds.getMinY());
-
-			visibleArea += xOverlap * yOverlap;
-		}
-
-		final double windowArea = width * height;
-
-		// Within bounds if the visible area matches the window area
-		return visibleArea == windowArea;
-	}
-
 	private void checkDisplayBounds(WindowEvent evt) {
-
 		// Minimizing a window in Windows and closing it could result in an out of bounds position at (x, y) = (-32000, -32000)
 		// See https://devblogs.microsoft.com/oldnewthing/20041028-00/?p=37453
 		// If the position is (-32000, -32000), restore to the last saved position
@@ -108,8 +77,9 @@ public class ResizeController implements FxController {
 			window.setHeight(settings.windowHeight.get());
 		}
 
-		if (!isWithinDisplayBounds()) {
+		if (isOutOfDisplayBounds()) {
 			// If the position is illegal, then the window appears on the main screen in the middle of the window.
+			LOG.debug("Resetting window position due to insufficient screen overlap");
 			Rectangle2D primaryScreenBounds = Screen.getPrimary().getBounds();
 			window.setX((primaryScreenBounds.getWidth() - window.getMinWidth()) / 2);
 			window.setY((primaryScreenBounds.getHeight() - window.getMinHeight()) / 2);
@@ -119,6 +89,22 @@ public class ResizeController implements FxController {
 		}
 	}
 
+	private boolean isOutOfDisplayBounds() {
+		// define a rect which is inset on all sides from the window's rect:
+		final double x = window.getX() + 20; // 20px left
+		final double y = window.getY() + 5; // 5px top
+		final double w = window.getWidth() - 40; // 20px left + 20px right
+		final double h = window.getHeight() - 25; // 5px top + 20px bottom
+		return isRectangleOutOfScreen(x, y, 0, h) // Left pixel column
+				|| isRectangleOutOfScreen(x + w, y, 0, h) // Right pixel column
+				|| isRectangleOutOfScreen(x, y, w, 0) // Top pixel row
+				|| isRectangleOutOfScreen(x, y + h, w, 0); // Bottom pixel row
+	}
+
+	private boolean isRectangleOutOfScreen(double x, double y, double width, double height) {
+		return Screen.getScreensForRectangle(x, y, width, height).isEmpty();
+	}
+
 	private void startResize(MouseEvent evt) {
 		origX = window.getX();
 		origY = window.getY();

src/main/java/org/cryptomator/ui/mainwindow/VaultDetailLockedController.java

@@ -44,6 +44,11 @@ public class VaultDetailLockedController implements FxController {
 		appWindows.startUnlockWorkflow(vault.get(), mainWindow);
 	}
 
+	@FXML
+	public void share() {
+		appWindows.showShareVaultWindow(vault.get());
+	}
+
 	@FXML
 	public void showVaultOptions() {
 		vaultOptionsWindow.create(vault.get()).showVaultOptionsWindow(SelectedVaultOptionsTab.ANY);

src/main/java/org/cryptomator/ui/mainwindow/VaultListController.java

@@ -7,6 +7,7 @@ import org.cryptomator.cryptofs.CryptoFileSystemProvider;
 import org.cryptomator.cryptofs.DirStructure;
 import org.cryptomator.ui.addvaultwizard.AddVaultWizardComponent;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.fxapp.FxApplicationWindows;
 import org.cryptomator.ui.removevault.RemoveVaultComponent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -37,6 +38,7 @@ import java.io.File;
 import java.io.IOException;
 import java.nio.file.Path;
 import java.util.EnumSet;
+import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -64,6 +66,7 @@ public class VaultListController implements FxController {
 	private final VaultListManager vaultListManager;
 	private final BooleanProperty draggingVaultOver = new SimpleBooleanProperty();
 	private final ResourceBundle resourceBundle;
+	private final FxApplicationWindows appWindows;
 
 	public ListView<Vault> vaultList;
 	public StackPane root;
@@ -79,7 +82,8 @@ public class VaultListController implements FxController {
 						AddVaultWizardComponent.Builder addVaultWizard, //
 						RemoveVaultComponent.Builder removeVaultDialogue, //
 						VaultListManager vaultListManager, //
-						ResourceBundle resourceBundle) {
+						ResourceBundle resourceBundle, //
+						FxApplicationWindows appWindows) {
 		this.mainWindow = mainWindow;
 		this.vaults = vaults;
 		this.selectedVault = selectedVault;
@@ -88,6 +92,7 @@ public class VaultListController implements FxController {
 		this.removeVaultDialogue = removeVaultDialogue;
 		this.vaultListManager = vaultListManager;
 		this.resourceBundle = resourceBundle;
+		this.appWindows = appWindows;
 
 		this.emptyVaultList = Bindings.isEmpty(vaults);
 
@@ -108,6 +113,15 @@ public class VaultListController implements FxController {
 		});
 		vaultList.addEventFilter(MouseEvent.MOUSE_RELEASED, this::deselect);
 
+		//unlock vault on double click
+		vaultList.addEventFilter(MouseEvent.MOUSE_CLICKED, click -> {
+			if (click.getClickCount() >= 2) {
+				Optional.ofNullable(selectedVault.get())
+						.filter(Vault::isLocked)
+						.ifPresent(vault -> appWindows.startUnlockWorkflow(vault, mainWindow));
+			}
+		});
+
 		//don't show context menu when no vault selected
 		vaultList.addEventFilter(ContextMenuEvent.CONTEXT_MENU_REQUESTED, request -> {
 			if (selectedVault.get() == null) {

src/main/java/org/cryptomator/ui/preferences/VolumePreferencesController.java

@@ -2,17 +2,14 @@ package org.cryptomator.ui.preferences;
 
 import dagger.Lazy;
 import org.cryptomator.common.ObservableUtil;
-import org.cryptomator.common.mount.MountModule;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.integrations.mount.MountCapability;
 import org.cryptomator.integrations.mount.MountService;
 import org.cryptomator.ui.common.FxController;
 
 import javax.inject.Inject;
-import javax.inject.Named;
 import javafx.application.Application;
 import javafx.beans.binding.Bindings;
-import javafx.beans.binding.BooleanExpression;
 import javafx.beans.value.ObservableValue;
 import javafx.scene.control.Button;
 import javafx.scene.control.ChoiceBox;
@@ -21,24 +18,22 @@ import javafx.util.StringConverter;
 import java.util.List;
 import java.util.Optional;
 import java.util.ResourceBundle;
-import java.util.concurrent.atomic.AtomicReference;
 
 @PreferencesScoped
 public class VolumePreferencesController implements FxController {
 
-	private static final String DOCS_MOUNTING_URL = "https://docs.cryptomator.org/en/1.7/desktop/volume-type/";
-	private static final int MIN_PORT = 1024;
-	private static final int MAX_PORT = 65535;
+	public static final String DOCS_MOUNTING_URL = "https://docs.cryptomator.org/en/1.7/desktop/volume-type/";
+	public static final int MIN_PORT = 1024;
+	public static final int MAX_PORT = 65535;
 
 	private final Settings settings;
 	private final ObservableValue<MountService> selectedMountService;
 	private final ResourceBundle resourceBundle;
-	private final BooleanExpression loopbackPortSupported;
+	private final ObservableValue<Boolean> loopbackPortSupported;
 	private final ObservableValue<Boolean> mountToDirSupported;
 	private final ObservableValue<Boolean> mountToDriveLetterSupported;
 	private final ObservableValue<Boolean> mountFlagsSupported;
 	private final ObservableValue<Boolean> readonlySupported;
-	private final ObservableValue<Boolean> fuseRestartRequired;
 	private final Lazy<Application> application;
 	private final List<MountService> mountProviders;
 	public ChoiceBox<MountService> volumeTypeChoiceBox;
@@ -46,7 +41,10 @@ public class VolumePreferencesController implements FxController {
 	public Button loopbackPortApplyButton;
 
 	@Inject
-	VolumePreferencesController(Settings settings, Lazy<Application> application, List<MountService> mountProviders, @Named("FUPFMS") AtomicReference<MountService> firstUsedProblematicFuseMountService, ResourceBundle resourceBundle) {
+	VolumePreferencesController(Settings settings, //
+								Lazy<Application> application, //
+								List<MountService> mountProviders, //
+								ResourceBundle resourceBundle) {
 		this.settings = settings;
 		this.application = application;
 		this.mountProviders = mountProviders;
@@ -54,17 +52,11 @@ public class VolumePreferencesController implements FxController {
 
 		var fallbackProvider = mountProviders.stream().findFirst().orElse(null);
 		this.selectedMountService = ObservableUtil.mapWithDefault(settings.mountService, serviceName -> mountProviders.stream().filter(s -> s.getClass().getName().equals(serviceName)).findFirst().orElse(fallbackProvider), fallbackProvider);
-		this.loopbackPortSupported = BooleanExpression.booleanExpression(selectedMountService.map(s -> s.hasCapability(MountCapability.LOOPBACK_PORT)));
+		this.loopbackPortSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.LOOPBACK_PORT));
 		this.mountToDirSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_WITHIN_EXISTING_PARENT) || s.hasCapability(MountCapability.MOUNT_TO_EXISTING_DIR));
 		this.mountToDriveLetterSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_AS_DRIVE_LETTER));
 		this.mountFlagsSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_FLAGS));
 		this.readonlySupported = selectedMountService.map(s -> s.hasCapability(MountCapability.READ_ONLY));
-		this.fuseRestartRequired = selectedMountService.map(s -> {//
-			return firstUsedProblematicFuseMountService.get() != null //
-					&& MountModule.isProblematicFuseService(s) //
-					&& !firstUsedProblematicFuseMountService.get().equals(s);
-		});
-
 	}
 
 	public void initialize() {
@@ -101,12 +93,12 @@ public class VolumePreferencesController implements FxController {
 
 	/* Property Getters */
 
-	public BooleanExpression loopbackPortSupportedProperty() {
+	public ObservableValue<Boolean> loopbackPortSupportedProperty() {
 		return loopbackPortSupported;
 	}
 
 	public boolean isLoopbackPortSupported() {
-		return loopbackPortSupported.get();
+		return loopbackPortSupported.getValue();
 	}
 
 	public ObservableValue<Boolean> readonlySupportedProperty() {
@@ -141,14 +133,6 @@ public class VolumePreferencesController implements FxController {
 		return mountFlagsSupported.getValue();
 	}
 
-	public ObservableValue<Boolean> fuseRestartRequiredProperty() {
-		return fuseRestartRequired;
-	}
-
-	public boolean getFuseRestartRequired() {
-		return fuseRestartRequired.getValue();
-	}
-
 	/* Helpers */
 
 	private class MountServiceConverter extends StringConverter<MountService> {

src/main/java/org/cryptomator/ui/sharevault/ShareVaultComponent.java

@@ -0,0 +1,34 @@
+package org.cryptomator.ui.sharevault;
+
+import dagger.BindsInstance;
+import dagger.Lazy;
+import dagger.Subcomponent;
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+
+import javafx.scene.Scene;
+import javafx.stage.Stage;
+
+@ShareVaultScoped
+@Subcomponent(modules = {ShareVaultModule.class})
+public interface ShareVaultComponent {
+
+	@ShareVaultWindow
+	Stage window();
+
+	@FxmlScene(FxmlFile.SHARE_VAULT)
+	Lazy<Scene> scene();
+
+	default void showShareVaultWindow(){
+		Stage stage = window();
+		stage.setScene(scene().get());
+		stage.show();
+	}
+
+	@Subcomponent.Factory
+	interface Factory {
+		ShareVaultComponent create(@BindsInstance @ShareVaultWindow Vault vault);
+	}
+
+}

src/main/java/org/cryptomator/ui/sharevault/ShareVaultController.java

@@ -0,0 +1,76 @@
+package org.cryptomator.ui.sharevault;
+
+import dagger.Lazy;
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.hub.HubKeyLoadingStrategy;
+
+import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+@ShareVaultScoped
+public class ShareVaultController implements FxController {
+
+	private static final String SCHEME_PREFIX = "hub+";
+	private static final String VISIT_HUB_URL = "https://cryptomator.org/hub/";
+	private static final String BEST_PRACTICES_URL = "https://docs.cryptomator.org/en/latest/security/best-practices/#sharing-of-vaults";
+
+	private final Stage window;
+	private final Lazy<Application> application;
+	private final Vault vault;
+	private final Boolean hubVault;
+
+	@Inject
+	ShareVaultController(@ShareVaultWindow Stage window, //
+						 Lazy<Application> application, //
+						 @ShareVaultWindow Vault vault) {
+		this.window = window;
+		this.application = application;
+		this.vault = vault;
+		var vaultScheme = vault.getVaultConfigCache().getUnchecked().getKeyId().getScheme();
+		this.hubVault = (vaultScheme.equals(HubKeyLoadingStrategy.SCHEME_HUB_HTTP) || vaultScheme.equals(HubKeyLoadingStrategy.SCHEME_HUB_HTTPS));
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	@FXML
+	public void visitHub() {
+		application.get().getHostServices().showDocument(VISIT_HUB_URL);
+	}
+
+	@FXML
+	public void openHub() {
+		application.get().getHostServices().showDocument(getHubUri(vault).toString());
+	}
+
+	@FXML
+	public void visitBestPractices() {
+		application.get().getHostServices().showDocument(BEST_PRACTICES_URL);
+	}
+
+	private static URI getHubUri(Vault vault) {
+		try {
+			var keyID = new URI(vault.getVaultConfigCache().get().getKeyId().toString());
+			assert keyID.getScheme().startsWith(SCHEME_PREFIX);
+			return new URI(keyID.getScheme().substring(SCHEME_PREFIX.length()) + "://" + keyID.getHost() + "/app/vaults");
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI constructed from params known to be valid", e);
+		}
+	}
+
+	public boolean isHubVault() {
+		return hubVault;
+	}
+
+}

src/main/java/org/cryptomator/ui/sharevault/ShareVaultModule.java

@@ -0,0 +1,54 @@
+package org.cryptomator.ui.sharevault;
+
+import dagger.Binds;
+import dagger.Module;
+import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import org.cryptomator.ui.common.DefaultSceneFactory;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxControllerKey;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlLoaderFactory;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.common.StageFactory;
+
+import javax.inject.Provider;
+import javafx.scene.Scene;
+import javafx.stage.Modality;
+import javafx.stage.Stage;
+import java.util.Map;
+import java.util.ResourceBundle;
+
+@Module
+abstract class ShareVaultModule {
+
+	@Provides
+	@ShareVaultWindow
+	@ShareVaultScoped
+	static FxmlLoaderFactory provideFxmlLoaderFactory(Map<Class<? extends FxController>, Provider<FxController>> factories, DefaultSceneFactory sceneFactory, ResourceBundle resourceBundle) {
+		return new FxmlLoaderFactory(factories, sceneFactory, resourceBundle);
+	}
+
+	@Provides
+	@ShareVaultWindow
+	@ShareVaultScoped
+	static Stage provideStage(StageFactory factory, ResourceBundle resourceBundle) {
+		Stage stage = factory.create();
+		stage.setResizable(false);
+		stage.initModality(Modality.APPLICATION_MODAL);
+		stage.setTitle(resourceBundle.getString("shareVault.title"));
+		return stage;
+	}
+
+	@Provides
+	@FxmlScene(FxmlFile.SHARE_VAULT)
+	@ShareVaultScoped
+	static Scene provideShareVaultScene(@ShareVaultWindow FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.SHARE_VAULT);
+	}
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(ShareVaultController.class)
+	abstract FxController bindShareVaultController(ShareVaultController controller);
+}

src/main/java/org/cryptomator/ui/sharevault/ShareVaultScoped.java

@@ -0,0 +1,13 @@
+package org.cryptomator.ui.sharevault;
+
+import javax.inject.Scope;
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+@Scope
+@Documented
+@Retention(RetentionPolicy.RUNTIME)
+@interface ShareVaultScoped {
+
+}

src/main/java/org/cryptomator/ui/sharevault/ShareVaultWindow.java

@@ -0,0 +1,14 @@
+package org.cryptomator.ui.sharevault;
+
+import javax.inject.Qualifier;
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Qualifier
+@Documented
+@Retention(RUNTIME)
+@interface  ShareVaultWindow {
+
+}

src/main/java/org/cryptomator/ui/unlock/UnlockComponent.java

@@ -19,16 +19,8 @@ import java.util.concurrent.Future;
 @Subcomponent(modules = {UnlockModule.class})
 public interface UnlockComponent {
 
-	ExecutorService defaultExecutorService();
-
 	UnlockWorkflow unlockWorkflow();
 
-	default Future<Boolean> startUnlockWorkflow() {
-		UnlockWorkflow workflow = unlockWorkflow();
-		defaultExecutorService().submit(workflow);
-		return workflow;
-	}
-
 	@Subcomponent.Factory
 	interface Factory {
 		UnlockComponent create(@BindsInstance @UnlockWindow Vault vault, @BindsInstance @Named("unlockWindowOwner") @Nullable Stage owner);

src/main/java/org/cryptomator/ui/unlock/UnlockModule.java

@@ -81,6 +81,13 @@ abstract class UnlockModule {
 		return fxmlLoaders.createScene(FxmlFile.UNLOCK_INVALID_MOUNT_POINT);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.UNLOCK_REQUIRES_RESTART)
+	@UnlockScoped
+	static Scene provideRestartRequiredScene(@UnlockWindow FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.UNLOCK_REQUIRES_RESTART);
+	}
+
 	// ------------------
 
 	@Binds
@@ -93,4 +100,9 @@ abstract class UnlockModule {
 	@FxControllerKey(UnlockInvalidMountPointController.class)
 	abstract FxController bindUnlockInvalidMountPointController(UnlockInvalidMountPointController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(UnlockRequiresRestartController.class)
+	abstract FxController bindUnlockRequiresRestartController(UnlockRequiresRestartController controller);
+
 }

src/main/java/org/cryptomator/ui/unlock/UnlockRequiresRestartController.java

@@ -0,0 +1,47 @@
+package org.cryptomator.ui.unlock;
+
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.fxapp.FxApplicationWindows;
+import org.cryptomator.ui.vaultoptions.SelectedVaultOptionsTab;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import java.util.ResourceBundle;
+
+@UnlockScoped
+public class UnlockRequiresRestartController implements FxController {
+
+	private final Stage window;
+	private final ResourceBundle resourceBundle;
+	private final FxApplicationWindows appWindows;
+	private final Vault vault;
+
+	@Inject
+	UnlockRequiresRestartController(@UnlockWindow Stage window, //
+									ResourceBundle resourceBundle, //
+									FxApplicationWindows appWindows, //
+									@UnlockWindow Vault vault) {
+		this.window = window;
+		this.resourceBundle = resourceBundle;
+		this.appWindows = appWindows;
+		this.vault = vault;
+	}
+
+	public void initialize() {
+		window.setTitle(String.format(resourceBundle.getString("unlock.error.title"), vault.getDisplayName()));
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	@FXML
+	public void closeAndOpenVaultOptions() {
+		appWindows.showVaultOptionsWindow(vault, SelectedVaultOptionsTab.MOUNT);
+		window.close();
+	}
+
+}

src/main/java/org/cryptomator/ui/unlock/UnlockWorkflow.java

@@ -1,7 +1,7 @@
 package org.cryptomator.ui.unlock;
 
-import com.google.common.base.Throwables;
 import dagger.Lazy;
+import org.cryptomator.common.mount.ConflictingMountServiceException;
 import org.cryptomator.common.mount.IllegalMountPointException;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.common.vaults.VaultState;
@@ -29,7 +29,7 @@ import java.io.IOException;
  * This class runs the unlock process and controls when to display which UI.
  */
 @UnlockScoped
-public class UnlockWorkflow extends Task<Boolean> {
+public class UnlockWorkflow extends Task<Void> {
 
 	private static final Logger LOG = LoggerFactory.getLogger(UnlockWorkflow.class);
 
@@ -38,42 +38,44 @@ public class UnlockWorkflow extends Task<Boolean> {
 	private final VaultService vaultService;
 	private final Lazy<Scene> successScene;
 	private final Lazy<Scene> invalidMountPointScene;
+	private final Lazy<Scene> restartRequiredScene;
 	private final FxApplicationWindows appWindows;
 	private final KeyLoadingStrategy keyLoadingStrategy;
 	private final ObjectProperty<IllegalMountPointException> illegalMountPointException;
 
 	@Inject
-	UnlockWorkflow(@UnlockWindow Stage window, @UnlockWindow Vault vault, VaultService vaultService, @FxmlScene(FxmlFile.UNLOCK_SUCCESS) Lazy<Scene> successScene, @FxmlScene(FxmlFile.UNLOCK_INVALID_MOUNT_POINT) Lazy<Scene> invalidMountPointScene, FxApplicationWindows appWindows, @UnlockWindow KeyLoadingStrategy keyLoadingStrategy, @UnlockWindow ObjectProperty<IllegalMountPointException> illegalMountPointException) {
+	UnlockWorkflow(@UnlockWindow Stage window, //
+				   @UnlockWindow Vault vault, //
+				   VaultService vaultService, //
+				   @FxmlScene(FxmlFile.UNLOCK_SUCCESS) Lazy<Scene> successScene, //
+				   @FxmlScene(FxmlFile.UNLOCK_INVALID_MOUNT_POINT) Lazy<Scene> invalidMountPointScene, //
+				   @FxmlScene(FxmlFile.UNLOCK_REQUIRES_RESTART) Lazy<Scene> restartRequiredScene, //
+				   FxApplicationWindows appWindows, //
+				   @UnlockWindow KeyLoadingStrategy keyLoadingStrategy, //
+				   @UnlockWindow ObjectProperty<IllegalMountPointException> illegalMountPointException) {
 		this.window = window;
 		this.vault = vault;
 		this.vaultService = vaultService;
 		this.successScene = successScene;
 		this.invalidMountPointScene = invalidMountPointScene;
+		this.restartRequiredScene = restartRequiredScene;
 		this.appWindows = appWindows;
 		this.keyLoadingStrategy = keyLoadingStrategy;
 		this.illegalMountPointException = illegalMountPointException;
 	}
 
 	@Override
-	protected Boolean call() throws InterruptedException, IOException, CryptoException, MountFailedException {
-		try {
-			attemptUnlock();
-			return true;
-		} catch (UnlockCancelledException e) {
-			cancel(false); // set Tasks state to cancelled
-			return false;
-		}
-	}
-
-	private void attemptUnlock() throws IOException, CryptoException, MountFailedException {
+	protected Void call() throws InterruptedException, IOException, CryptoException, MountFailedException {
 		try {
 			keyLoadingStrategy.use(vault::unlock);
+			return null;
+		} catch (UnlockCancelledException e) {
+			cancel(false); // set Tasks state to cancelled
+			return null;
+		} catch (IOException | RuntimeException | MountFailedException e) {
+			throw e;
 		} catch (Exception e) {
-			Throwables.propagateIfPossible(e, IOException.class);
-			Throwables.propagateIfPossible(e, CryptoException.class);
-			Throwables.propagateIfPossible(e, IllegalMountPointException.class);
-			Throwables.propagateIfPossible(e, MountFailedException.class);
-			throw new IllegalStateException("unexpected exception type", e);
+			throw new IllegalStateException("Unexpected exception type", e);
 		}
 	}
 
@@ -85,6 +87,13 @@ public class UnlockWorkflow extends Task<Boolean> {
 		});
 	}
 
+	private void handleConflictingMountServiceException() {
+		Platform.runLater(() -> {
+			window.setScene(restartRequiredScene.get());
+			window.show();
+		});
+	}
+
 	private void handleGenericError(Throwable e) {
 		LOG.error("Unlock failed for technical reasons.", e);
 		appWindows.showErrorWindow(e, window, null);
@@ -113,10 +122,10 @@ public class UnlockWorkflow extends Task<Boolean> {
 	protected void failed() {
 		LOG.info("Unlock of '{}' failed.", vault.getDisplayName());
 		Throwable throwable = super.getException();
-		if(throwable instanceof IllegalMountPointException impe) {
-			handleIllegalMountPointError(impe);
-		} else {
-			handleGenericError(throwable);
+		switch (throwable) {
+			case IllegalMountPointException e -> handleIllegalMountPointError(e);
+			case ConflictingMountServiceException _ -> handleConflictingMountServiceException();
+			default -> handleGenericError(throwable);
 		}
 		vault.stateProperty().transition(VaultState.Value.PROCESSING, VaultState.Value.LOCKED);
 	}

src/main/java/org/cryptomator/ui/vaultoptions/MountOptionsController.java

@@ -1,18 +1,25 @@
 package org.cryptomator.ui.vaultoptions;
 
 import com.google.common.base.Strings;
-import org.cryptomator.common.mount.ActualMountService;
+import dagger.Lazy;
+import org.cryptomator.common.ObservableUtil;
+import org.cryptomator.common.mount.Mounter;
 import org.cryptomator.common.mount.WindowsDriveLetters;
 import org.cryptomator.common.settings.VaultSettings;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.integrations.mount.MountCapability;
+import org.cryptomator.integrations.mount.MountService;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.fxapp.FxApplicationWindows;
 import org.cryptomator.ui.preferences.SelectedPreferencesTab;
+import org.cryptomator.ui.preferences.VolumePreferencesController;
 
 import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.beans.binding.Bindings;
 import javafx.beans.value.ObservableValue;
 import javafx.fxml.FXML;
+import javafx.scene.control.Button;
 import javafx.scene.control.CheckBox;
 import javafx.scene.control.ChoiceBox;
 import javafx.scene.control.RadioButton;
@@ -26,6 +33,8 @@ import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
 import java.nio.file.Path;
+import java.util.List;
+import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.Set;
 
@@ -36,14 +45,21 @@ public class MountOptionsController implements FxController {
 	private final VaultSettings vaultSettings;
 	private final WindowsDriveLetters windowsDriveLetters;
 	private final ResourceBundle resourceBundle;
+	private final Lazy<Application> application;
 
 	private final ObservableValue<String> defaultMountFlags;
 	private final ObservableValue<Boolean> mountpointDirSupported;
 	private final ObservableValue<Boolean> mountpointDriveLetterSupported;
 	private final ObservableValue<Boolean> readOnlySupported;
 	private final ObservableValue<Boolean> mountFlagsSupported;
+	private final ObservableValue<Boolean> defaultMountServiceSelected;
 	private final ObservableValue<String> directoryPath;
 	private final FxApplicationWindows applicationWindows;
+	private final List<MountService> mountProviders;
+	private final ObservableValue<MountService> defaultMountService;
+	private final ObservableValue<MountService> selectedMountService;
+	private final ObservableValue<Boolean> selectedMountServiceRequiresRestart;
+	private final ObservableValue<Boolean> loopbackPortChangeable;
 
 
 	//-- FXML objects --
@@ -56,30 +72,58 @@ public class MountOptionsController implements FxController {
 	public RadioButton mountPointDirBtn;
 	public TextField directoryPathField;
 	public ChoiceBox<Path> driveLetterSelection;
+	public ChoiceBox<MountService> vaultVolumeTypeChoiceBox;
+	public TextField vaultLoopbackPortField;
+	public Button vaultLoopbackPortApplyButton;
+
 
 	@Inject
-	MountOptionsController(@VaultOptionsWindow Stage window, @VaultOptionsWindow Vault vault, ObservableValue<ActualMountService> mountService, WindowsDriveLetters windowsDriveLetters, ResourceBundle resourceBundle, FxApplicationWindows applicationWindows) {
+	MountOptionsController(@VaultOptionsWindow Stage window, //
+						   @VaultOptionsWindow Vault vault, //
+						   WindowsDriveLetters windowsDriveLetters, //
+						   ResourceBundle resourceBundle, //
+						   FxApplicationWindows applicationWindows, //
+						   Lazy<Application> application, //
+						   List<MountService> mountProviders, //
+						   Mounter mounter, //
+						   ObservableValue<MountService> defaultMountService) {
 		this.window = window;
 		this.vaultSettings = vault.getVaultSettings();
 		this.windowsDriveLetters = windowsDriveLetters;
 		this.resourceBundle = resourceBundle;
-		this.defaultMountFlags = mountService.map(as -> {
-			if (as.service().hasCapability(MountCapability.MOUNT_FLAGS)) {
-				return as.service().getDefaultMountFlags();
+		this.applicationWindows = applicationWindows;
+		this.directoryPath = vault.getVaultSettings().mountPoint.map(p -> isDriveLetter(p) ? null : p.toString());
+		this.application = application;
+		this.mountProviders = mountProviders;
+		this.defaultMountService = defaultMountService;
+		this.selectedMountService = Bindings.createObjectBinding(this::reselectMountService, defaultMountService, vaultSettings.mountService);
+		this.selectedMountServiceRequiresRestart = selectedMountService.map(mounter::isConflictingMountService);
+
+		this.defaultMountFlags = selectedMountService.map(s -> {
+			if (s.hasCapability(MountCapability.MOUNT_FLAGS)) {
+				return s.getDefaultMountFlags();
 			} else {
 				return "";
 			}
 		});
-		this.mountpointDirSupported = mountService.map(as -> as.service().hasCapability(MountCapability.MOUNT_TO_EXISTING_DIR) || as.service().hasCapability(MountCapability.MOUNT_WITHIN_EXISTING_PARENT));
-		this.mountpointDriveLetterSupported = mountService.map(as -> as.service().hasCapability(MountCapability.MOUNT_AS_DRIVE_LETTER));
-		this.mountFlagsSupported = mountService.map(as -> as.service().hasCapability(MountCapability.MOUNT_FLAGS));
-		this.readOnlySupported = mountService.map(as -> as.service().hasCapability(MountCapability.READ_ONLY));
-		this.directoryPath = vault.getVaultSettings().mountPoint.map(p -> isDriveLetter(p) ? null : p.toString());
-		this.applicationWindows = applicationWindows;
+		this.mountFlagsSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_FLAGS));
+		this.defaultMountServiceSelected = ObservableUtil.mapWithDefault(vaultSettings.mountService, _ -> false, true);
+		this.readOnlySupported = selectedMountService.map(s -> s.hasCapability(MountCapability.READ_ONLY));
+		this.mountpointDirSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_TO_EXISTING_DIR) || s.hasCapability(MountCapability.MOUNT_WITHIN_EXISTING_PARENT));
+		this.mountpointDriveLetterSupported = selectedMountService.map(s -> s.hasCapability(MountCapability.MOUNT_AS_DRIVE_LETTER));
+		this.loopbackPortChangeable = selectedMountService.map(s -> s.hasCapability(MountCapability.LOOPBACK_PORT) && vaultSettings.mountService.getValue() != null);
+	}
+
+	private MountService reselectMountService() {
+		var desired = vaultSettings.mountService.getValue();
+		var defaultMS = defaultMountService.getValue();
+		return mountProviders.stream().filter(s -> s.getClass().getName().equals(desired)).findFirst().orElse(defaultMS);
 	}
 
 	@FXML
 	public void initialize() {
+		defaultMountService.addListener((_, _, _) -> vaultVolumeTypeChoiceBox.setConverter(new MountServiceConverter()));
+
 		// readonly:
 		readOnlyCheckbox.selectedProperty().bindBidirectional(vaultSettings.usesReadOnlyMode);
 
@@ -106,6 +150,20 @@ public class MountOptionsController implements FxController {
 			mountPointToggleGroup.selectToggle(mountPointDirBtn);
 		}
 		mountPointToggleGroup.selectedToggleProperty().addListener(this::selectedToggleChanged);
+
+		vaultVolumeTypeChoiceBox.getItems().add(null);
+		vaultVolumeTypeChoiceBox.getItems().addAll(mountProviders);
+		vaultVolumeTypeChoiceBox.setConverter(new MountServiceConverter());
+		vaultVolumeTypeChoiceBox.getSelectionModel().select(isDefaultMountServiceSelected() ? null : selectedMountService.getValue());
+		vaultVolumeTypeChoiceBox.valueProperty().addListener((_, _, newProvider) -> {
+			var toSet = Optional.ofNullable(newProvider).map(nP -> nP.getClass().getName()).orElse(null);
+			vaultSettings.mountService.set(toSet);
+		});
+
+		vaultLoopbackPortField.setText(String.valueOf(vaultSettings.port.get()));
+		vaultLoopbackPortApplyButton.visibleProperty().bind(vaultSettings.port.asString().isNotEqualTo(vaultLoopbackPortField.textProperty()));
+		vaultLoopbackPortApplyButton.disableProperty().bind(Bindings.createBooleanBinding(this::validateLoopbackPort, vaultLoopbackPortField.textProperty()).not());
+
 	}
 
 	@FXML
@@ -229,6 +287,26 @@ public class MountOptionsController implements FxController {
 
 	}
 
+	public void openDocs() {
+		application.get().getHostServices().showDocument(VolumePreferencesController.DOCS_MOUNTING_URL);
+	}
+
+	private boolean validateLoopbackPort() {
+		try {
+			int port = Integer.parseInt(vaultLoopbackPortField.getText());
+			return port == 0 // choose port automatically
+					|| port >= VolumePreferencesController.MIN_PORT && port <= VolumePreferencesController.MAX_PORT; // port within range
+		} catch (NumberFormatException e) {
+			return false;
+		}
+	}
+
+	public void doChangeLoopbackPort() {
+		if (validateLoopbackPort()) {
+			vaultSettings.port.set(Integer.parseInt(vaultLoopbackPortField.getText()));
+		}
+	}
+
 	//@formatter:off
 	private static class NoDirSelectedException extends Exception {}
 	//@formatter:on
@@ -243,6 +321,14 @@ public class MountOptionsController implements FxController {
 		return mountFlagsSupported.getValue();
 	}
 
+	public ObservableValue<Boolean> defaultMountServiceSelectedProperty() {
+		return defaultMountServiceSelected;
+	}
+
+	public boolean isDefaultMountServiceSelected() {
+		return defaultMountServiceSelected.getValue();
+	}
+
 	public ObservableValue<Boolean> mountpointDirSupportedProperty() {
 		return mountpointDirSupported;
 	}
@@ -274,4 +360,37 @@ public class MountOptionsController implements FxController {
 	public String getDirectoryPath() {
 		return directoryPath.getValue();
 	}
+
+	public ObservableValue<Boolean> selectedMountServiceRequiresRestartProperty() {
+		return selectedMountServiceRequiresRestart;
+	}
+
+	public boolean getSelectedMountServiceRequiresRestart() {
+		return selectedMountServiceRequiresRestart.getValue();
+	}
+
+	public ObservableValue<Boolean> loopbackPortChangeableProperty() {
+		return loopbackPortChangeable;
+	}
+
+	public boolean isLoopbackPortChangeable() {
+		return loopbackPortChangeable.getValue();
+	}
+
+	private class MountServiceConverter extends StringConverter<MountService> {
+
+		@Override
+		public String toString(MountService provider) {
+			if (provider == null) {
+				return String.format(resourceBundle.getString("vaultOptions.mount.volumeType.default"), defaultMountService.getValue().displayName());
+			} else {
+				return provider.displayName();
+			}
+		}
+
+		@Override
+		public MountService fromString(String string) {
+			throw new UnsupportedOperationException();
+		}
+	}
 }

src/main/java/org/cryptomator/ui/vaultoptions/VaultOptionsController.java

@@ -1,6 +1,7 @@
 package org.cryptomator.ui.vaultoptions;
 
 import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.common.vaults.VaultState;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.keyloading.hub.HubKeyLoadingStrategy;
 import org.cryptomator.ui.keyloading.masterkeyfile.MasterkeyFileLoadingStrategy;
@@ -48,6 +49,10 @@ public class VaultOptionsController implements FxController {
 		if(!(vaultScheme.equals(HubKeyLoadingStrategy.SCHEME_HUB_HTTP) || vaultScheme.equals(HubKeyLoadingStrategy.SCHEME_HUB_HTTPS))){
 			tabPane.getTabs().remove(hubTab);
 		}
+
+		vault.stateProperty().addListener(observable -> {
+			tabPane.setDisable(vault.getState().equals(VaultState.Value.UNLOCKED));
+		});
 	}
 
 	private void selectChosenTab() {

src/main/resources/css/dark_theme.css

@@ -936,3 +936,16 @@
 	-fx-padding: 0.5px;
 	-fx-background-color: CONTROL_BORDER_NORMAL;
 }
+
+/*******************************************************************************
+ *                                                                             *
+ * Ad box                                                                   *
+ *                                                                             *
+ ******************************************************************************/
+
+.ad-box {
+	-fx-padding: 12px;
+	-fx-background-color: CONTROL_BORDER_NORMAL, CONTROL_BG_NORMAL;
+	-fx-background-insets: 0, 1px;
+	-fx-background-radius: 4px;
+}

src/main/resources/css/light_theme.css

@@ -935,3 +935,16 @@
 	-fx-padding: 0.5px;
 	-fx-background-color: CONTROL_BORDER_NORMAL;
 }
+
+/*******************************************************************************
+ *                                                                             *
+ * Ad box                                                                   *
+ *                                                                             *
+ ******************************************************************************/
+
+.ad-box {
+	-fx-padding: 12px;
+	-fx-background-color: CONTROL_BORDER_NORMAL, CONTROL_BG_NORMAL;
+	-fx-background-insets: 0, 1px;
+	-fx-background-radius: 4px;
+}

src/main/resources/fxml/hub_legacy_register_device.fxml

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextField?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.LegacyRegisterDeviceController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="INFO" glyphSize="24"/>
+			</StackPane>
+		</Group>
+
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.register.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.register.legacy.description" wrapText="true"/>
+			<HBox spacing="6" alignment="CENTER_LEFT">
+				<padding>
+					<Insets top="12"/>
+				</padding>
+				<Label text="%hub.register.nameLabel" labelFor="$deviceNameField"/>
+				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
+			</HBox>
+			<HBox alignment="TOP_RIGHT">
+				<Label text="%hub.register.legacy.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+					<padding>
+						<Insets top="6"/>
+					</padding>
+					<graphic>
+						<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
+					</graphic>
+				</Label>
+			</HBox>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
+					<Button fx:id="registerBtn" text="%hub.register.registerBtn" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register" contentDisplay="TEXT_ONLY" >
+						<graphic>
+							<FontAwesome5Spinner glyphSize="12" />
+						</graphic>
+					</Button>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>

src/main/resources/fxml/hub_legacy_register_success.fxml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.LegacyRegisterSuccessController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="CHECK" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.registerSuccess.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.registerSuccess.legacy.description" wrapText="true"/>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>

src/main/resources/fxml/hub_register_device.fxml

@@ -42,6 +42,13 @@
 				</padding>
 			</Label>
 			<Label text="%hub.register.description" wrapText="true"/>
+			<HBox spacing="6" alignment="CENTER_LEFT">
+				<padding>
+					<Insets top="12"/>
+				</padding>
+				<Label text="Account Key" labelFor="$setupCodeField"/>
+				<TextField fx:id="setupCodeField" HBox.hgrow="ALWAYS"/>
+			</HBox>
 			<HBox spacing="6" alignment="CENTER_LEFT">
 				<padding>
 					<Insets top="12"/>
@@ -50,7 +57,7 @@
 				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
 			</HBox>
 			<HBox alignment="TOP_RIGHT">
-				<Label text="%hub.register.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+				<Label text="%hub.register.invalidAccountKeyLabel" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.invalidSetupCode}" managed="${controller.invalidSetupCode}" graphicTextGap="6">
 					<padding>
 						<Insets top="6"/>
 					</padding>

src/main/resources/fxml/hub_register_device_already_exists.fxml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterFailedController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="EXCLAMATION" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.registerFailed.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.registerFailed.description.deviceAlreadyExists" wrapText="true"/>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>

src/main/resources/fxml/hub_register_failed.fxml

@@ -38,7 +38,7 @@
 					<Insets bottom="6" top="6"/>
 				</padding>
 			</Label>
-			<Label text="%hub.registerFailed.description" wrapText="true"/>
+			<Label text="%hub.registerFailed.description.generic" wrapText="true"/>
 
 			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+C">

src/main/resources/fxml/hub_register_success.fxml

@@ -41,9 +41,9 @@
 			<Label text="%hub.registerSuccess.description" wrapText="true"/>
 
 			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
-			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+X">
 				<buttons>
-					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+					<Button text="%hub.registerSuccess.unlockBtn" ButtonBar.buttonData="NEXT_FORWARD" defaultButton="true" onAction="#complete"/>
 					<!-- TODO: add request access button -->
 				</buttons>
 			</ButtonBar>

src/main/resources/fxml/hub_require_account_init.fxml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<?import javafx.scene.text.TextFlow?>
+<?import javafx.scene.text.Text?>
+<?import javafx.scene.control.Hyperlink?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RequireAccountInitController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="USER_COG" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.requireAccountInit.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+
+			<TextFlow styleClass="text-flow">
+				<Text text="%hub.requireAccountInit.description.0"/>
+				<Text text=" "/>
+				<Hyperlink styleClass="hyperlink-underline" text="%hub.requireAccountInit.description.1" onAction="#completeSetup"/>
+				<Text text="%hub.requireAccountInit.description.2"/>
+			</TextFlow>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>

src/main/resources/fxml/preferences_about.fxml

@@ -22,7 +22,7 @@
 			</ImageView>
 			<VBox spacing="3" HBox.hgrow="ALWAYS" alignment="CENTER_LEFT">
 				<FormattedLabel styleClass="label-extra-large" format="Cryptomator %s" arg1="${controller.fullApplicationVersion}"/>
-				<Label text="© 2016 – 2023 Skymatic GmbH"/>
+				<Label text="© 2016 – 2024 Skymatic GmbH"/>
 			</VBox>
 		</HBox>
 

src/main/resources/fxml/preferences_volume.fxml

@@ -32,8 +32,6 @@
 			</Hyperlink>
 		</HBox>
 
-		<Label styleClass="label-red" text="%preferences.volume.fuseRestartRequired" visible="${controller.fuseRestartRequired}" managed="${controller.fuseRestartRequired}"/>
-
 		<HBox spacing="12" alignment="CENTER_LEFT" visible="${controller.loopbackPortSupported}" managed="${controller.loopbackPortSupported}">
 			<Label text="%preferences.volume.tcp.port"/>
 			<NumericTextField fx:id="loopbackPortField"/>

src/main/resources/fxml/share_vault.fxml

@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.shape.Circle?>
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.control.Tooltip?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.text.Text?>
+<?import javafx.scene.text.TextFlow?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.sharevault.ShareVaultController"
+	  prefWidth="540"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<Group>
+		<StackPane>
+			<padding>
+				<Insets topRightBottomLeft="6"/>
+			</padding>
+			<Circle styleClass="glyph-icon-primary" radius="24"/>
+			<FontAwesome5IconView styleClass="glyph-icon-white" glyph="INFO" glyphSize="24"/>
+		</StackPane>
+	</Group>
+	<VBox>
+		<VBox HBox.hgrow="ALWAYS" visible="${controller.hubVault}" managed="${controller.hubVault}">
+			<Label text="%shareVault.hub.message" styleClass="label-large" wrapText="true">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%shareVault.hub.description" wrapText="true"/>
+			<VBox>
+				<padding>
+					<Insets left="6"/>
+				</padding>
+				<Label text="%shareVault.hub.instruction.1" wrapText="true"/>
+				<Label text="%shareVault.hub.instruction.2" wrapText="true"/>
+			</VBox>
+		</VBox>
+		<VBox HBox.hgrow="ALWAYS" visible="${!controller.hubVault}" managed="${!controller.hubVault}">
+			<Label text="%shareVault.message" styleClass="label-large" wrapText="true">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%shareVault.description" wrapText="true"/>
+			<VBox>
+				<padding>
+					<Insets left="6"/>
+				</padding>
+				<Label text="%shareVault.instruction.1" wrapText="true"/>
+				<Label text="%shareVault.instruction.2" wrapText="true"/>
+			</VBox>
+			<Region minHeight="6"/>
+			<TextFlow styleClass="text-flow">
+				<Text text="%shareVault.remarkBestPractices"/>
+				<Text text=" "/>
+				<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#visitBestPractices">
+					<graphic>
+						<FontAwesome5IconView glyph="QUESTION_CIRCLE" styleClass="glyph-icon-muted"/>
+					</graphic>
+					<tooltip>
+						<Tooltip text="%shareVault.docsTooltip" showDelay="100ms"/>
+					</tooltip>
+				</Hyperlink>
+			</TextFlow>
+			<Region minHeight="12"/>
+			<HBox alignment="CENTER_LEFT" spacing="6" styleClass="ad-box">
+				<VBox spacing="6" alignment="CENTER_LEFT">
+					<ImageView HBox.hgrow="ALWAYS" fitWidth="180" preserveRatio="true" cache="true">
+						<Image url="@../img/hub_logo.png"/>
+					</ImageView>
+					<Label text="%shareVault.hubAd.description" style="-fx-font-weight: bold;" wrapText="true"/>
+					<VBox spacing="6" alignment="CENTER_LEFT">
+						<padding>
+							<Insets left="6"/>
+						</padding>
+						<Label text="%shareVault.hubAd.keyManagement" wrapText="true"/>
+						<Label text="%shareVault.hubAd.authentication" wrapText="true"/>
+						<Label text="%shareVault.hubAd.encryption" wrapText="true"/>
+					</VBox>
+				</VBox>
+				<Region HBox.hgrow="ALWAYS"/>
+				<ImageView HBox.hgrow="ALWAYS" fitWidth="180" preserveRatio="true" cache="true">
+					<Image url="@../img/group-magic.png"/>
+				</ImageView>
+			</HBox>
+		</VBox>
+		<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+		<ButtonBar buttonMinWidth="120" buttonOrder="+CX">
+			<buttons>
+				<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" onAction="#close"/>
+				<Button text="%shareVault.hub.openHub" ButtonBar.buttonData="NEXT_FORWARD" defaultButton="true" onAction="#openHub" visible="${controller.hubVault}" managed="${controller.hubVault}"/>
+				<Button text="%shareVault.visitHub" ButtonBar.buttonData="NEXT_FORWARD" defaultButton="true" onAction="#visitHub" visible="${!controller.hubVault}" managed="${!controller.hubVault}"/>
+			</buttons>
+		</ButtonBar>
+	</VBox>
+</HBox>

src/main/resources/fxml/unlock_requires_restart.fxml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.Tooltip?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.unlock.UnlockRequiresRestartController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-red" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="TIMES" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%unlock.error.restartRequired.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+
+			<Label text="%unlock.error.restartRequired.description" wrapText="true" textAlignment="LEFT"/>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CI">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
+					<Button text="%main.vaultlist.contextMenu.vaultoptions" ButtonBar.buttonData="FINISH" defaultButton="true" onAction="#closeAndOpenVaultOptions">
+						<tooltip>
+							<Tooltip text="%main.vaultlist.contextMenu.vaultoptions"/>
+						</tooltip>
+					</Button>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>

src/main/resources/fxml/vault_detail_locked.fxml

@@ -24,14 +24,17 @@
 				<FontAwesome5IconView glyph="KEY" glyphSize="15"/>
 			</graphic>
 		</Button>
-		<Hyperlink text="%main.vaultDetail.passwordSavedInKeychain" visible="${controller.passwordSaved}" onAction="#showKeyVaultOptions">
+		<Hyperlink text="%main.vaultDetail.passwordSavedInKeychain" visible="${controller.passwordSaved}" managed="${controller.passwordSaved}" onAction="#showKeyVaultOptions">
 			<graphic>
 				<FontAwesome5IconView glyph="LOCK"/>
 			</graphic>
 		</Hyperlink>
-
+		<Button text="%main.vaultDetail.share" minWidth="120" onAction="#share">
+			<graphic>
+				<FontAwesome5IconView glyph="SHARE" glyphSize="15"/>
+			</graphic>
+		</Button>
 		<Region VBox.vgrow="ALWAYS"/>
-
 		<HBox alignment="BOTTOM_RIGHT">
 			<Button text="%main.vaultDetail.optionsBtn" minWidth="120" onAction="#showVaultOptions">
 				<graphic>

src/main/resources/fxml/vault_options_mount.fxml

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import org.cryptomator.ui.controls.NumericTextField?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.CheckBox?>
@@ -10,9 +11,9 @@
 <?import javafx.scene.control.RadioButton?>
 <?import javafx.scene.control.TextField?>
 <?import javafx.scene.control.ToggleGroup?>
+<?import javafx.scene.control.Tooltip?>
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
-<?import javafx.scene.text.TextFlow?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.vaultoptions.MountOptionsController"
@@ -24,11 +25,35 @@
 		<Insets topRightBottomLeft="12"/>
 	</padding>
 	<children>
-		<TextFlow>
-			<Label text="%vaultOptions.mount.info"/>
-			<Label text=" "/>
-			<Hyperlink styleClass="hyperlink-underline" text="%vaultOptions.mount.linkToPreferences" onAction="#openVolumePreferences" wrapText="true"/>
-		</TextFlow>
+		<HBox spacing="12" alignment="CENTER_LEFT">
+			<Label text="%vaultOptions.mount.volume.type"/>
+			<ChoiceBox fx:id="vaultVolumeTypeChoiceBox"/>
+			<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openVolumePreferences" visible="${controller.defaultMountServiceSelected}" managed="${controller.defaultMountServiceSelected}">
+				<graphic>
+					<FontAwesome5IconView glyph="COGS" styleClass="glyph-icon-muted"/>
+				</graphic>
+				<tooltip>
+					<Tooltip text="%vaultOptions.mount.info" showDelay="100ms"/>
+				</tooltip>
+			</Hyperlink>
+			<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openDocs" visible="${!controller.defaultMountServiceSelected}" managed="${!controller.defaultMountServiceSelected}">
+				<graphic>
+					<FontAwesome5IconView glyph="QUESTION_CIRCLE" styleClass="glyph-icon-muted"/>
+				</graphic>
+				<tooltip>
+					<Tooltip text="%preferences.volume.docsTooltip" showDelay="100ms"/>
+				</tooltip>
+			</Hyperlink>
+		</HBox>
+
+		<Label styleClass="label-red" text="%vaultOptions.mount.volumeType.restartRequired" visible="${controller.selectedMountServiceRequiresRestart}" managed="${controller.selectedMountServiceRequiresRestart}"/>
+
+		<HBox spacing="12" alignment="CENTER_LEFT" visible="${controller.loopbackPortChangeable}" managed="${controller.loopbackPortChangeable}">
+			<Label text="%vaultOptions.mount.volume.tcp.port"/>
+			<NumericTextField fx:id="vaultLoopbackPortField"/>
+			<Button text="%generic.button.apply" fx:id="vaultLoopbackPortApplyButton" onAction="#doChangeLoopbackPort"/>
+		</HBox>
+
 		<CheckBox fx:id="readOnlyCheckbox" text="%vaultOptions.mount.readonly" visible="${controller.readOnlySupported}" managed="${controller.readOnlySupported}"/>
 
 		<VBox visible="${controller.mountFlagsSupported}" managed="${controller.mountFlagsSupported}">