diff --git a/app/src/main/java/me/impy/aegis/crypto/CryptParameters.java b/app/src/main/java/me/impy/aegis/crypto/CryptParameters.java
index c5971102..0faa4eb4 100644
--- a/app/src/main/java/me/impy/aegis/crypto/CryptParameters.java
+++ b/app/src/main/java/me/impy/aegis/crypto/CryptParameters.java
@@ -1,6 +1,36 @@
 package me.impy.aegis.crypto;
 
-public class CryptParameters {
+import org.json.JSONException;
+import org.json.JSONObject;
+
+import java.io.Serializable;
+
+import me.impy.aegis.encoding.Hex;
+import me.impy.aegis.encoding.HexException;
+
+public class CryptParameters implements Serializable {
     public byte[] Nonce;
     public byte[] Tag;
+
+    public JSONObject toJson() {
+        JSONObject obj = new JSONObject();
+
+        try {
+            obj.put("nonce", Hex.encode(Nonce));
+            obj.put("tag", Hex.encode(Tag));
+        } catch (JSONException e) {
+            throw new RuntimeException(e);
+        }
+
+        return obj;
+    }
+
+    public static CryptParameters parseJson(JSONObject obj) throws JSONException, HexException {
+        byte[] tag = Hex.decode(obj.getString("tag"));
+        byte[] nonce = Hex.decode(obj.getString("nonce"));
+        return new CryptParameters() {{
+            Tag = tag;
+            Nonce = nonce;
+        }};
+    }
 }
diff --git a/app/src/main/java/me/impy/aegis/crypto/CryptoUtils.java b/app/src/main/java/me/impy/aegis/crypto/CryptoUtils.java
index 37eb361e..9133b9fa 100644
--- a/app/src/main/java/me/impy/aegis/crypto/CryptoUtils.java
+++ b/app/src/main/java/me/impy/aegis/crypto/CryptoUtils.java
@@ -2,16 +2,13 @@ package me.impy.aegis.crypto;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.lang.reflect.UndeclaredThrowableException;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 
 import javax.crypto.BadPaddingException;
@@ -20,20 +17,16 @@ import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import org.spongycastle.crypto.generators.SCrypt;
 
 public class CryptoUtils {
-    public static final String CRYPTO_HASH = "SHA-256";
-
-    public static final String CRYPTO_CIPHER_RAW = "AES/ECB/NoPadding";
-    public static final byte CRYPTO_KEY_SIZE = 32;
-
-    public static final String CRYPTO_CIPHER_AEAD = "AES/GCM/NoPadding";
-    public static final byte CRYPTO_TAG_SIZE = 16;
-    public static final byte CRYPTO_NONCE_SIZE = 12;
+    public static final String CRYPTO_AEAD = "AES/GCM/NoPadding";
+    public static final byte CRYPTO_AEAD_KEY_SIZE = 32;
+    public static final byte CRYPTO_AEAD_TAG_SIZE = 16;
+    public static final byte CRYPTO_AEAD_NONCE_SIZE = 12;
 
     public static final int CRYPTO_SCRYPT_N = 1 << 15;
     public static final int CRYPTO_SCRYPT_r = 8;
@@ -41,23 +34,36 @@ public class CryptoUtils {
 
     public static SecretKey deriveKey(char[] password, byte[] salt, int n, int r, int p) {
         byte[] bytes = toBytes(password);
-        byte[] keyBytes = SCrypt.generate(bytes, salt, n, r, p, CRYPTO_KEY_SIZE);
+        byte[] keyBytes = SCrypt.generate(bytes, salt, n, r, p, CRYPTO_AEAD_KEY_SIZE);
         return new SecretKeySpec(keyBytes, 0, keyBytes.length, "AES");
     }
 
-    public static Cipher createCipher(SecretKey key, int opmode)
+    public static Cipher createEncryptCipher(SecretKey key)
             throws NoSuchPaddingException, NoSuchAlgorithmException,
             InvalidAlgorithmParameterException, InvalidKeyException {
-        byte[] nonce = generateNonce();
-        return createCipher(key, opmode, nonce);
+        return createCipher(key, Cipher.ENCRYPT_MODE, null);
     }
 
-    public static Cipher createCipher(SecretKey key, int opmode, byte[] nonce)
+    public static Cipher createDecryptCipher(SecretKey key, byte[] nonce)
+            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+            InvalidKeyException, NoSuchPaddingException {
+        return createCipher(key, Cipher.DECRYPT_MODE, nonce);
+    }
+
+    private static Cipher createCipher(SecretKey key, int opmode, byte[] nonce)
             throws NoSuchPaddingException, NoSuchAlgorithmException,
             InvalidAlgorithmParameterException, InvalidKeyException {
-        IvParameterSpec spec = new IvParameterSpec(nonce);
-        Cipher cipher = Cipher.getInstance(CRYPTO_CIPHER_AEAD);
-        cipher.init(opmode, key, spec);
+        Cipher cipher = Cipher.getInstance(CRYPTO_AEAD);
+
+        // generate the nonce if none is given
+        // we are not allowed to do this ourselves as "setRandomizedEncryptionRequired" is set to true
+        if (nonce != null) {
+            GCMParameterSpec spec = new GCMParameterSpec(CRYPTO_AEAD_TAG_SIZE * 8, nonce);
+            cipher.init(opmode, key, spec);
+        } else {
+            cipher.init(opmode, key);
+        }
+
         return cipher;
     }
 
@@ -65,8 +71,8 @@ public class CryptoUtils {
             throws BadPaddingException, IllegalBlockSizeException {
         // split off the tag to store it separately
         byte[] result = cipher.doFinal(data);
-        byte[] tag = Arrays.copyOfRange(result, result.length - CRYPTO_TAG_SIZE, result.length);
-        byte[] encrypted = Arrays.copyOfRange(result, 0, result.length - CRYPTO_TAG_SIZE);
+        byte[] tag = Arrays.copyOfRange(result, result.length - CRYPTO_AEAD_TAG_SIZE, result.length);
+        byte[] encrypted = Arrays.copyOfRange(result, 0, result.length - CRYPTO_AEAD_TAG_SIZE);
 
         return new CryptResult() {{
             Parameters = new CryptParameters() {{
@@ -93,23 +99,10 @@ public class CryptoUtils {
         }};
     }
 
-    public static byte[] hashKey(SecretKey key) {
-        MessageDigest hash;
-        try {
-            hash = MessageDigest.getInstance(CRYPTO_HASH);
-        } catch (NoSuchAlgorithmException e) {
-            throw new AssertionError(e);
-        }
-
-        byte[] bytes = key.getEncoded();
-        hash.update(bytes);
-        return hash.digest();
-    }
-
     public static SecretKey generateKey() {
         try {
             KeyGenerator generator = KeyGenerator.getInstance("AES");
-            generator.init(CRYPTO_KEY_SIZE * 8);
+            generator.init(CRYPTO_AEAD_KEY_SIZE * 8);
             return generator.generateKey();
         } catch (NoSuchAlgorithmException e) {
             throw new AssertionError(e);
@@ -117,11 +110,7 @@ public class CryptoUtils {
     }
 
     public static byte[] generateSalt() {
-        return generateRandomBytes(CRYPTO_KEY_SIZE);
-    }
-
-    public static byte[] generateNonce() {
-        return generateRandomBytes(CRYPTO_NONCE_SIZE);
+        return generateRandomBytes(CRYPTO_AEAD_KEY_SIZE);
     }
 
     public static byte[] generateRandomBytes(int length) {
diff --git a/app/src/main/java/me/impy/aegis/crypto/KeyStoreHandle.java b/app/src/main/java/me/impy/aegis/crypto/KeyStoreHandle.java
index c7f3afe5..94826d06 100644
--- a/app/src/main/java/me/impy/aegis/crypto/KeyStoreHandle.java
+++ b/app/src/main/java/me/impy/aegis/crypto/KeyStoreHandle.java
@@ -1,6 +1,5 @@
 package me.impy.aegis.crypto;
 
-import android.annotation.SuppressLint;
 import android.os.Build;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyPermanentlyInvalidatedException;
@@ -51,11 +50,11 @@ public class KeyStoreHandle {
             KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE_NAME);
             generator.init(new KeyGenParameterSpec.Builder(id,
                     KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
-                    .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
+                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                     .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                     .setUserAuthenticationRequired(true)
-                    .setRandomizedEncryptionRequired(false)
-                    .setKeySize(CryptoUtils.CRYPTO_KEY_SIZE * 8)
+                    .setRandomizedEncryptionRequired(true)
+                    .setKeySize(CryptoUtils.CRYPTO_AEAD_KEY_SIZE * 8)
                     .build());
 
             return generator.generateKey();
@@ -81,8 +80,7 @@ public class KeyStoreHandle {
         // and see if KeyPermanentlyInvalidatedException is thrown
         if (isSupported()) {
             try {
-                @SuppressLint("GetInstance")
-                Cipher cipher = Cipher.getInstance(CryptoUtils.CRYPTO_CIPHER_RAW);
+                Cipher cipher = Cipher.getInstance(CryptoUtils.CRYPTO_AEAD);
                 cipher.init(Cipher.ENCRYPT_MODE, key);
             } catch (KeyPermanentlyInvalidatedException e) {
                 return null;
diff --git a/app/src/main/java/me/impy/aegis/crypto/MasterKey.java b/app/src/main/java/me/impy/aegis/crypto/MasterKey.java
index c41d1e30..85ba2f73 100644
--- a/app/src/main/java/me/impy/aegis/crypto/MasterKey.java
+++ b/app/src/main/java/me/impy/aegis/crypto/MasterKey.java
@@ -28,7 +28,7 @@ public class MasterKey implements Serializable {
 
     public CryptResult encrypt(byte[] bytes) throws MasterKeyException {
         try {
-            Cipher cipher = CryptoUtils.createCipher(_key, Cipher.ENCRYPT_MODE);
+            Cipher cipher = CryptoUtils.createEncryptCipher(_key);
             return CryptoUtils.encrypt(bytes, cipher);
         } catch (NoSuchPaddingException
                 | NoSuchAlgorithmException
@@ -42,7 +42,7 @@ public class MasterKey implements Serializable {
 
     public CryptResult decrypt(byte[] bytes, CryptParameters params) throws MasterKeyException {
         try {
-            Cipher cipher = CryptoUtils.createCipher(_key, Cipher.DECRYPT_MODE, params.Nonce);
+            Cipher cipher = CryptoUtils.createDecryptCipher(_key, params.Nonce);
             return CryptoUtils.decrypt(bytes, cipher, params);
         } catch (NoSuchPaddingException
                 | NoSuchAlgorithmException
@@ -55,10 +55,6 @@ public class MasterKey implements Serializable {
         }
     }
 
-    public byte[] getHash() {
-        return CryptoUtils.hashKey(_key);
-    }
-
     public byte[] getBytes() {
         return _key.getEncoded();
     }
diff --git a/app/src/main/java/me/impy/aegis/db/DatabaseFile.java b/app/src/main/java/me/impy/aegis/db/DatabaseFile.java
index 6e2f0878..ee1e26bc 100644
--- a/app/src/main/java/me/impy/aegis/db/DatabaseFile.java
+++ b/app/src/main/java/me/impy/aegis/db/DatabaseFile.java
@@ -1,5 +1,6 @@
 package me.impy.aegis.db;
 
+import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -9,11 +10,10 @@ import me.impy.aegis.crypto.CryptParameters;
 import me.impy.aegis.crypto.CryptResult;
 import me.impy.aegis.crypto.MasterKey;
 import me.impy.aegis.crypto.MasterKeyException;
-import me.impy.aegis.db.slots.SlotCollection;
-import me.impy.aegis.db.slots.SlotCollectionException;
+import me.impy.aegis.db.slots.SlotList;
+import me.impy.aegis.db.slots.SlotListException;
 import me.impy.aegis.encoding.Base64;
 import me.impy.aegis.encoding.Base64Exception;
-import me.impy.aegis.encoding.Hex;
 import me.impy.aegis.encoding.HexException;
 
 public class DatabaseFile {
@@ -21,22 +21,15 @@ public class DatabaseFile {
 
     private Object _content;
     private CryptParameters _cryptParameters;
-    private SlotCollection _slots;
+    private SlotList _slots;
 
     public byte[] serialize() {
         try {
-            JSONObject cryptObj = null;
-            if (isEncrypted()) {
-                cryptObj = new JSONObject();
-                cryptObj.put("nonce", Hex.encode(_cryptParameters.Nonce));
-                cryptObj.put("tag", Hex.encode(_cryptParameters.Tag));
-            }
-
-            // don't write the crypt parameters if the content is not encrypted
-            boolean plain = _content instanceof JSONObject || _slots == null || cryptObj == null;
+            // don't write the crypt parameters and slots if the content is not encrypted
+            boolean plain = _content instanceof JSONObject || !isEncrypted();
             JSONObject headerObj = new JSONObject();
-            headerObj.put("slots", plain ? JSONObject.NULL : SlotCollection.serialize(_slots));
-            headerObj.put("params", plain ? JSONObject.NULL : cryptObj);
+            headerObj.put("slots", plain ? JSONObject.NULL : SlotList.serialize(_slots));
+            headerObj.put("params", plain ? JSONObject.NULL : _cryptParameters.toJson());
 
             JSONObject obj = new JSONObject();
             obj.put("version", VERSION);
@@ -58,17 +51,14 @@ public class DatabaseFile {
                 throw new DatabaseFileException("unsupported version");
             }
 
-            JSONObject slotObj = headerObj.optJSONObject("slots");
+            JSONArray slotObj = headerObj.optJSONArray("slots");
             if (slotObj != null) {
-                _slots = SlotCollection.deserialize(slotObj);
+                _slots = SlotList.deserialize(slotObj);
             }
 
             JSONObject cryptObj = headerObj.optJSONObject("params");
             if (cryptObj != null) {
-                _cryptParameters = new CryptParameters() {{
-                    Nonce = Hex.decode(cryptObj.getString("nonce"));
-                    Tag = Hex.decode(cryptObj.getString("tag"));
-                }};
+                _cryptParameters = CryptParameters.parseJson(cryptObj);
             }
 
             if (cryptObj == null || slotObj == null) {
@@ -76,7 +66,7 @@ public class DatabaseFile {
             } else {
                 _content = obj.getString("db");
             }
-        } catch (SlotCollectionException | UnsupportedEncodingException | JSONException | HexException e) {
+        } catch (SlotListException | UnsupportedEncodingException | JSONException | HexException e) {
             throw new DatabaseFileException(e);
         }
     }
@@ -118,11 +108,11 @@ public class DatabaseFile {
         }
     }
 
-    public SlotCollection getSlots() {
+    public SlotList getSlots() {
         return _slots;
     }
 
-    public void setSlots(SlotCollection slots) {
+    public void setSlots(SlotList slots) {
         _slots = slots;
     }
 }
diff --git a/app/src/main/java/me/impy/aegis/db/DatabaseManager.java b/app/src/main/java/me/impy/aegis/db/DatabaseManager.java
index 87f29255..9f7939c1 100644
--- a/app/src/main/java/me/impy/aegis/db/DatabaseManager.java
+++ b/app/src/main/java/me/impy/aegis/db/DatabaseManager.java
@@ -14,7 +14,7 @@ import java.util.List;
 
 import me.impy.aegis.BuildConfig;
 import me.impy.aegis.crypto.MasterKey;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 
 public class DatabaseManager {
     private static final String FILENAME = "aegis.json";
@@ -196,7 +196,7 @@ public class DatabaseManager {
         return _file;
     }
 
-    public void enableEncryption(MasterKey key, SlotCollection slots) {
+    public void enableEncryption(MasterKey key, SlotList slots) {
         assertState(false, true);
         _key = key;
         _file.setSlots(slots);
diff --git a/app/src/main/java/me/impy/aegis/db/slots/Slot.java b/app/src/main/java/me/impy/aegis/db/slots/Slot.java
index cbb0278d..8bc0c33c 100644
--- a/app/src/main/java/me/impy/aegis/db/slots/Slot.java
+++ b/app/src/main/java/me/impy/aegis/db/slots/Slot.java
@@ -1,15 +1,16 @@
 package me.impy.aegis.db.slots;
 
-import android.annotation.SuppressLint;
-
 import org.json.JSONException;
 import org.json.JSONObject;
 
+import java.io.IOException;
 import java.io.Serializable;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.UUID;
 
+import javax.crypto.AEADBadTagException;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
@@ -17,6 +18,8 @@ import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
+import me.impy.aegis.crypto.CryptParameters;
+import me.impy.aegis.crypto.CryptResult;
 import me.impy.aegis.crypto.CryptoUtils;
 import me.impy.aegis.crypto.MasterKey;
 import me.impy.aegis.encoding.Hex;
@@ -29,40 +32,55 @@ public abstract class Slot implements Serializable {
 
     protected UUID _uuid;
     protected byte[] _encryptedMasterKey;
+    protected CryptParameters _encryptedMasterKeyParams;
 
     protected Slot() {
         _uuid = UUID.randomUUID();
     }
 
-    // getKey decrypts the encrypted master key in this slot with the given key and returns it.
-    public SecretKey getKey(Cipher cipher) throws SlotException {
+    // getKey decrypts the encrypted master key in this slot using the given cipher and returns it.
+    public MasterKey getKey(Cipher cipher) throws SlotException, SlotIntegrityException {
         try {
-            byte[] decryptedKeyBytes = cipher.doFinal(_encryptedMasterKey);
-            return new SecretKeySpec(decryptedKeyBytes, CryptoUtils.CRYPTO_CIPHER_AEAD);
-        } catch (BadPaddingException | IllegalBlockSizeException e) {
+            CryptResult res = CryptoUtils.decrypt(_encryptedMasterKey, cipher, _encryptedMasterKeyParams);
+            SecretKey key = new SecretKeySpec(res.Data, CryptoUtils.CRYPTO_AEAD);
+            return new MasterKey(key);
+        } catch (AEADBadTagException e) {
+            throw new SlotIntegrityException(e);
+        } catch (IOException | BadPaddingException | IllegalBlockSizeException e) {
             throw new SlotException(e);
         }
     }
 
-    // setKey encrypts the given master key with the given key and stores the result in this slot.
+    // setKey encrypts the given master key using the given cipher and stores the result in this slot.
     public void setKey(MasterKey masterKey, Cipher cipher) throws SlotException {
         try {
             byte[] masterKeyBytes = masterKey.getBytes();
-            _encryptedMasterKey = cipher.doFinal(masterKeyBytes);
+            CryptResult res = CryptoUtils.encrypt(masterKeyBytes, cipher);
+            _encryptedMasterKey = res.Data;
+            _encryptedMasterKeyParams = res.Parameters;
         } catch (BadPaddingException | IllegalBlockSizeException e) {
             throw new SlotException(e);
         }
     }
 
-    // suppress the AES ECB warning
-    // this is perfectly safe because we discard this cipher after passing CryptoUtils.CRYPTO_KEY_SIZE bytes through it
-    @SuppressLint("getInstance")
-    public static Cipher createCipher(SecretKey key, int mode) throws SlotException {
+    public static Cipher createEncryptCipher(SecretKey key) throws SlotException {
         try {
-            Cipher cipher = Cipher.getInstance(CryptoUtils.CRYPTO_CIPHER_RAW);
-            cipher.init(mode, key);
-            return cipher;
-        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException e) {
+            return CryptoUtils.createEncryptCipher(key);
+        } catch (InvalidAlgorithmParameterException
+                | NoSuchPaddingException
+                | NoSuchAlgorithmException
+                | InvalidKeyException e) {
+            throw new SlotException(e);
+        }
+    }
+
+    public Cipher createDecryptCipher(SecretKey key) throws SlotException {
+        try {
+            return CryptoUtils.createDecryptCipher(key, _encryptedMasterKeyParams.Nonce);
+        } catch (InvalidAlgorithmParameterException
+                | NoSuchAlgorithmException
+                | InvalidKeyException
+                | NoSuchPaddingException e) {
             throw new SlotException(e);
         }
     }
@@ -70,9 +88,11 @@ public abstract class Slot implements Serializable {
     public JSONObject serialize() {
         try {
             JSONObject obj = new JSONObject();
+            JSONObject paramObj = _encryptedMasterKeyParams.toJson();
             obj.put("type", getType());
             obj.put("uuid", _uuid.toString());
             obj.put("key", Hex.encode(_encryptedMasterKey));
+            obj.put("key_params", paramObj);
             return obj;
         } catch (JSONException e) {
             throw new RuntimeException(e);
@@ -84,13 +104,17 @@ public abstract class Slot implements Serializable {
             if (obj.getInt("type") != getType()) {
                 throw new SlotException("slot type mismatch");
             }
+
             // if there is no uuid, generate a new one
             if (!obj.has("uuid")) {
                 _uuid = UUID.randomUUID();
             } else {
                 _uuid = UUID.fromString(obj.getString("uuid"));
             }
+
+            JSONObject paramObj = obj.getJSONObject("key_params");
             _encryptedMasterKey = Hex.decode(obj.getString("key"));
+            _encryptedMasterKeyParams = CryptParameters.parseJson(paramObj);
         } catch (JSONException | HexException e) {
             throw new SlotException(e);
         }
diff --git a/app/src/main/java/me/impy/aegis/db/slots/SlotCollectionException.java b/app/src/main/java/me/impy/aegis/db/slots/SlotCollectionException.java
deleted file mode 100644
index 6ded4dec..00000000
--- a/app/src/main/java/me/impy/aegis/db/slots/SlotCollectionException.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package me.impy.aegis.db.slots;
-
-public class SlotCollectionException extends Exception {
-    public SlotCollectionException(Throwable cause) {
-        super(cause);
-    }
-
-    public SlotCollectionException(String message) {
-        super(message);
-    }
-}
diff --git a/app/src/main/java/me/impy/aegis/db/slots/SlotIntegrityException.java b/app/src/main/java/me/impy/aegis/db/slots/SlotIntegrityException.java
index 79061a5e..b83d6caf 100644
--- a/app/src/main/java/me/impy/aegis/db/slots/SlotIntegrityException.java
+++ b/app/src/main/java/me/impy/aegis/db/slots/SlotIntegrityException.java
@@ -1,5 +1,11 @@
 package me.impy.aegis.db.slots;
 
 public class SlotIntegrityException extends Exception {
+    public SlotIntegrityException() {
 
+    }
+
+    public SlotIntegrityException(Throwable cause) {
+        super(cause);
+    }
 }
diff --git a/app/src/main/java/me/impy/aegis/db/slots/SlotCollection.java b/app/src/main/java/me/impy/aegis/db/slots/SlotList.java
similarity index 51%
rename from app/src/main/java/me/impy/aegis/db/slots/SlotCollection.java
rename to app/src/main/java/me/impy/aegis/db/slots/SlotList.java
index 787f8666..a8c75733 100644
--- a/app/src/main/java/me/impy/aegis/db/slots/SlotCollection.java
+++ b/app/src/main/java/me/impy/aegis/db/slots/SlotList.java
@@ -6,47 +6,28 @@ import org.json.JSONObject;
 
 import java.io.Serializable;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
 
-import javax.crypto.Cipher;
-import me.impy.aegis.crypto.MasterKey;
-import me.impy.aegis.encoding.Hex;
-import me.impy.aegis.encoding.HexException;
-
-public class SlotCollection implements Iterable<Slot>, Serializable {
+public class SlotList implements Iterable<Slot>, Serializable {
     private List<Slot> _slots = new ArrayList<>();
-    private byte[] _masterHash;
 
-    public static JSONObject serialize(SlotCollection slots) {
-        try {
-            JSONObject obj = new JSONObject();
-            obj.put("hash", Hex.encode(slots.getMasterHash()));
-
-            JSONArray entries = new JSONArray();
-            for (Slot slot : slots) {
-                entries.put(slot.serialize());
-            }
-
-            obj.put("entries", entries);
-            return obj;
-        } catch (JSONException e) {
-            throw new RuntimeException(e);
+    public static JSONArray serialize(SlotList slots) {
+        JSONArray array = new JSONArray();
+        for (Slot slot : slots) {
+            array.put(slot.serialize());
         }
+
+        return array;
     }
 
-    public static SlotCollection deserialize(JSONObject obj) throws SlotCollectionException {
-        SlotCollection slots = new SlotCollection();
+    public static SlotList deserialize(JSONArray array) throws SlotListException {
+        SlotList slots = new SlotList();
 
         try {
-            byte[] masterHash = Hex.decode(obj.getString("hash"));
-            slots.setMasterHash(masterHash);
-
-            JSONArray entries = obj.getJSONArray("entries");
-            for (int i = 0; i < entries.length(); i++) {
+            for (int i = 0; i < array.length(); i++) {
                 Slot slot;
-                JSONObject slotObj = entries.getJSONObject(i);
+                JSONObject slotObj = array.getJSONObject(i);
 
                 switch (slotObj.getInt("type")) {
                     case Slot.TYPE_RAW:
@@ -65,8 +46,8 @@ public class SlotCollection implements Iterable<Slot>, Serializable {
                 slot.deserialize(slotObj);
                 slots.add(slot);
             }
-        } catch (SlotException | JSONException | HexException e) {
-            throw new SlotCollectionException(e);
+        } catch (SlotException | JSONException e) {
+            throw new SlotListException(e);
         }
 
         return slots;
@@ -116,26 +97,4 @@ public class SlotCollection implements Iterable<Slot>, Serializable {
     public Iterator<Slot> iterator() {
         return _slots.iterator();
     }
-
-    public void encrypt(Slot slot, MasterKey key, Cipher cipher) throws SlotException {
-        slot.setKey(key, cipher);
-        setMasterHash(key.getHash());
-    }
-
-    public MasterKey decrypt(Slot slot, Cipher cipher) throws SlotException, SlotIntegrityException {
-        byte[] hash = getMasterHash();
-        MasterKey key = new MasterKey(slot.getKey(cipher));
-        if (!Arrays.equals(hash, key.getHash())) {
-            throw new SlotIntegrityException();
-        }
-        return key;
-    }
-
-    private void setMasterHash(byte[] masterHash) {
-        _masterHash = masterHash;
-    }
-
-    private byte[] getMasterHash() {
-        return _masterHash;
-    }
 }
diff --git a/app/src/main/java/me/impy/aegis/db/slots/SlotListException.java b/app/src/main/java/me/impy/aegis/db/slots/SlotListException.java
new file mode 100644
index 00000000..32d51342
--- /dev/null
+++ b/app/src/main/java/me/impy/aegis/db/slots/SlotListException.java
@@ -0,0 +1,11 @@
+package me.impy.aegis.db.slots;
+
+public class SlotListException extends Exception {
+    public SlotListException(Throwable cause) {
+        super(cause);
+    }
+
+    public SlotListException(String message) {
+        super(message);
+    }
+}
diff --git a/app/src/main/java/me/impy/aegis/ui/AuthActivity.java b/app/src/main/java/me/impy/aegis/ui/AuthActivity.java
index ab3311ff..00237f2d 100644
--- a/app/src/main/java/me/impy/aegis/ui/AuthActivity.java
+++ b/app/src/main/java/me/impy/aegis/ui/AuthActivity.java
@@ -26,7 +26,7 @@ import me.impy.aegis.crypto.MasterKey;
 import me.impy.aegis.db.slots.FingerprintSlot;
 import me.impy.aegis.db.slots.PasswordSlot;
 import me.impy.aegis.db.slots.Slot;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 import me.impy.aegis.db.slots.SlotException;
 import me.impy.aegis.helpers.FingerprintHelper;
 import me.impy.aegis.helpers.FingerprintUiHelper;
@@ -36,7 +36,7 @@ import me.impy.aegis.ui.tasks.SlotCollectionTask;
 public class AuthActivity extends AegisActivity implements FingerprintUiHelper.Callback, SlotCollectionTask.Callback {
     private EditText _textPassword;
 
-    private SlotCollection _slots;
+    private SlotList _slots;
     private FingerprintUiHelper _fingerHelper;
     private Cipher _fingerCipher;
 
@@ -57,7 +57,7 @@ public class AuthActivity extends AegisActivity implements FingerprintUiHelper.C
         }
 
         Intent intent = getIntent();
-        _slots = (SlotCollection) intent.getSerializableExtra("slots");
+        _slots = (SlotList) intent.getSerializableExtra("slots");
 
         // only show the fingerprint controls if the api version is new enough, permission is granted, a scanner is found and a fingerprint slot is found
         FingerprintManager manager = FingerprintHelper.getManager(this);
@@ -75,7 +75,7 @@ public class AuthActivity extends AegisActivity implements FingerprintUiHelper.C
                             invalidated = true;
                             continue;
                         }
-                        _fingerCipher = Slot.createCipher(key, Cipher.DECRYPT_MODE);
+                        _fingerCipher = slot.createDecryptCipher(key);
                         _fingerHelper = new FingerprintUiHelper(manager, imgFingerprint, textFingerprint, this);
                         boxFingerprint.setVisibility(View.VISIBLE);
                         invalidated = false;
diff --git a/app/src/main/java/me/impy/aegis/ui/IntroActivity.java b/app/src/main/java/me/impy/aegis/ui/IntroActivity.java
index 7ebea295..076b6960 100644
--- a/app/src/main/java/me/impy/aegis/ui/IntroActivity.java
+++ b/app/src/main/java/me/impy/aegis/ui/IntroActivity.java
@@ -23,7 +23,7 @@ import me.impy.aegis.db.DatabaseManagerException;
 import me.impy.aegis.db.slots.FingerprintSlot;
 import me.impy.aegis.db.slots.PasswordSlot;
 import me.impy.aegis.db.slots.Slot;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 import me.impy.aegis.db.Database;
 import me.impy.aegis.db.DatabaseFile;
 import me.impy.aegis.db.DatabaseManager;
@@ -145,7 +145,7 @@ public class IntroActivity extends AppIntro implements DerivationTask.Callback {
             masterKey = MasterKey.generate();
         }
 
-        SlotCollection slots = null;
+        SlotList slots = null;
         if (cryptType != CustomAuthenticationSlide.CRYPT_TYPE_NONE) {
             // encrypt the master key with a key derived from the user's password
             // and add it to the list of slots
@@ -153,8 +153,8 @@ public class IntroActivity extends AppIntro implements DerivationTask.Callback {
                 throw new RuntimeException();
             }
             try {
-                slots = new SlotCollection();
-                slots.encrypt(_passwordSlot, masterKey, _passwordCipher);
+                _passwordSlot.setKey(masterKey, _passwordCipher);
+                slots = new SlotList();
                 slots.add(_passwordSlot);
                 _databaseFile.setSlots(slots);
             } catch (SlotException e) {
@@ -168,7 +168,7 @@ public class IntroActivity extends AppIntro implements DerivationTask.Callback {
                 // and add it to the list of slots
                 FingerprintSlot slot = _authenticatedSlide.getFingerSlot();
                 Cipher cipher = _authenticatedSlide.getFingerCipher();
-                slots.encrypt(slot, masterKey, cipher);
+                slot.setKey(masterKey, cipher);
                 slots.add(slot);
             } catch (SlotException e) {
                 setException(e);
@@ -204,7 +204,7 @@ public class IntroActivity extends AppIntro implements DerivationTask.Callback {
     public void onTaskFinished(SecretKey key) {
         if (key != null) {
             try {
-                _passwordCipher = Slot.createCipher(key, Cipher.ENCRYPT_MODE);
+                _passwordCipher = Slot.createEncryptCipher(key);
             } catch (SlotException e) {
                 setException(e);
             }
diff --git a/app/src/main/java/me/impy/aegis/ui/PreferencesFragment.java b/app/src/main/java/me/impy/aegis/ui/PreferencesFragment.java
index a51f4609..f1134d80 100644
--- a/app/src/main/java/me/impy/aegis/ui/PreferencesFragment.java
+++ b/app/src/main/java/me/impy/aegis/ui/PreferencesFragment.java
@@ -32,7 +32,7 @@ import me.impy.aegis.db.DatabaseEntry;
 import me.impy.aegis.db.DatabaseManager;
 import me.impy.aegis.db.DatabaseManagerException;
 import me.impy.aegis.db.slots.Slot;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 import me.impy.aegis.db.slots.SlotException;
 import me.impy.aegis.helpers.PermissionHelper;
 import me.impy.aegis.importers.AegisImporter;
@@ -369,7 +369,7 @@ public class PreferencesFragment extends PreferenceFragmentCompat implements Pas
             return;
         }
 
-        SlotCollection slots = (SlotCollection) data.getSerializableExtra("slots");
+        SlotList slots = (SlotList) data.getSerializableExtra("slots");
         _db.getFile().setSlots(slots);
         saveDatabase();
     }
@@ -390,9 +390,9 @@ public class PreferencesFragment extends PreferenceFragmentCompat implements Pas
     public void onSlotResult(Slot slot, Cipher cipher) {
         MasterKey masterKey = MasterKey.generate();
 
-        SlotCollection slots = new SlotCollection();
+        SlotList slots = new SlotList();
         try {
-            slots.encrypt(slot, masterKey, cipher);
+            slot.setKey(masterKey, cipher);
         } catch (SlotException e) {
             onException(e);
             return;
diff --git a/app/src/main/java/me/impy/aegis/ui/SlotManagerActivity.java b/app/src/main/java/me/impy/aegis/ui/SlotManagerActivity.java
index fb0f453b..461cac7c 100644
--- a/app/src/main/java/me/impy/aegis/ui/SlotManagerActivity.java
+++ b/app/src/main/java/me/impy/aegis/ui/SlotManagerActivity.java
@@ -20,7 +20,7 @@ import me.impy.aegis.crypto.MasterKey;
 import me.impy.aegis.db.slots.FingerprintSlot;
 import me.impy.aegis.db.slots.PasswordSlot;
 import me.impy.aegis.db.slots.Slot;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 import me.impy.aegis.db.slots.SlotException;
 import me.impy.aegis.helpers.FingerprintHelper;
 import me.impy.aegis.ui.dialogs.Dialogs;
@@ -31,7 +31,7 @@ import me.impy.aegis.ui.dialogs.SlotDialogFragment;
 
 public class SlotManagerActivity extends AegisActivity implements SlotAdapter.Listener, SlotDialogFragment.Listener {
     private MasterKey _masterKey;
-    private SlotCollection _slots;
+    private SlotList _slots;
     private SlotAdapter _adapter;
 
     private boolean _edited = false;
@@ -65,7 +65,7 @@ public class SlotManagerActivity extends AegisActivity implements SlotAdapter.Li
 
         // load the slots and masterKey
         _masterKey = (MasterKey) getIntent().getSerializableExtra("masterKey");
-        _slots = (SlotCollection) getIntent().getSerializableExtra("slots");
+        _slots = (SlotList) getIntent().getSerializableExtra("slots");
         for (Slot slot : _slots) {
             _adapter.addSlot(slot);
         }
@@ -176,7 +176,7 @@ public class SlotManagerActivity extends AegisActivity implements SlotAdapter.Li
     @Override
     public void onSlotResult(Slot slot, Cipher cipher) {
         try {
-            _slots.encrypt(slot, _masterKey, cipher);
+            slot.setKey(_masterKey, cipher);
         } catch (SlotException e) {
             onException(e);
             return;
diff --git a/app/src/main/java/me/impy/aegis/ui/dialogs/FingerprintDialogFragment.java b/app/src/main/java/me/impy/aegis/ui/dialogs/FingerprintDialogFragment.java
index c34a2cf9..225b0a14 100644
--- a/app/src/main/java/me/impy/aegis/ui/dialogs/FingerprintDialogFragment.java
+++ b/app/src/main/java/me/impy/aegis/ui/dialogs/FingerprintDialogFragment.java
@@ -38,7 +38,7 @@ public class FingerprintDialogFragment extends SlotDialogFragment implements Fin
         try {
             _slot = new FingerprintSlot();
             SecretKey key = new KeyStoreHandle().generateKey(_slot.getUUID().toString());
-            _cipher = Slot.createCipher(key, Cipher.ENCRYPT_MODE);
+            _cipher = Slot.createEncryptCipher(key);
             _helper = new FingerprintUiHelper(manager, imgFingerprint, textFingerprint, this);
         } catch (KeyStoreHandleException | SlotException e) {
             throw new RuntimeException(e);
diff --git a/app/src/main/java/me/impy/aegis/ui/dialogs/PasswordDialogFragment.java b/app/src/main/java/me/impy/aegis/ui/dialogs/PasswordDialogFragment.java
index 3f46a1e6..a3dc9f7c 100644
--- a/app/src/main/java/me/impy/aegis/ui/dialogs/PasswordDialogFragment.java
+++ b/app/src/main/java/me/impy/aegis/ui/dialogs/PasswordDialogFragment.java
@@ -51,7 +51,7 @@ public class PasswordDialogFragment extends SlotDialogFragment {
                 DerivationTask task = new DerivationTask(getActivity(), key -> {
                     Cipher cipher;
                     try {
-                        cipher = Slot.createCipher(key, Cipher.ENCRYPT_MODE);
+                        cipher = Slot.createEncryptCipher(key);
                     } catch (SlotException e) {
                         getListener().onException(e);
                         dialog.cancel();
diff --git a/app/src/main/java/me/impy/aegis/ui/slides/CustomAuthenticatedSlide.java b/app/src/main/java/me/impy/aegis/ui/slides/CustomAuthenticatedSlide.java
index ef7f32b3..b0f6fe8f 100644
--- a/app/src/main/java/me/impy/aegis/ui/slides/CustomAuthenticatedSlide.java
+++ b/app/src/main/java/me/impy/aegis/ui/slides/CustomAuthenticatedSlide.java
@@ -113,7 +113,7 @@ public class CustomAuthenticatedSlide extends Fragment implements FingerprintUiH
                 }
 
                 try {
-                    _fingerCipher = Slot.createCipher(key, Cipher.ENCRYPT_MODE);
+                    _fingerCipher = Slot.createEncryptCipher(key);
                 } catch (Exception e) {
                     throw new UndeclaredThrowableException(e);
                 }
diff --git a/app/src/main/java/me/impy/aegis/ui/tasks/SlotCollectionTask.java b/app/src/main/java/me/impy/aegis/ui/tasks/SlotCollectionTask.java
index ba784a59..fa23c469 100644
--- a/app/src/main/java/me/impy/aegis/ui/tasks/SlotCollectionTask.java
+++ b/app/src/main/java/me/impy/aegis/ui/tasks/SlotCollectionTask.java
@@ -2,8 +2,6 @@ package me.impy.aegis.ui.tasks;
 
 import android.content.Context;
 
-import java.lang.reflect.UndeclaredThrowableException;
-
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 
@@ -11,7 +9,7 @@ import me.impy.aegis.crypto.MasterKey;
 import me.impy.aegis.db.slots.FingerprintSlot;
 import me.impy.aegis.db.slots.PasswordSlot;
 import me.impy.aegis.db.slots.Slot;
-import me.impy.aegis.db.slots.SlotCollection;
+import me.impy.aegis.db.slots.SlotList;
 import me.impy.aegis.db.slots.SlotException;
 import me.impy.aegis.db.slots.SlotIntegrityException;
 
@@ -41,15 +39,17 @@ public class SlotCollectionTask<T extends Slot> extends ProgressDialogTask<SlotC
                     if (slot instanceof PasswordSlot) {
                         char[] password = (char[])params.Obj;
                         SecretKey key = ((PasswordSlot)slot).deriveKey(password);
-                        Cipher cipher = Slot.createCipher(key, Cipher.DECRYPT_MODE);
-                        masterKey = params.Slots.decrypt(slot, cipher);
+                        Cipher cipher = slot.createDecryptCipher(key);
+                        masterKey = slot.getKey(cipher);
                     } else if (slot instanceof FingerprintSlot) {
-                        masterKey = params.Slots.decrypt(slot, (Cipher)params.Obj);
+                        masterKey = slot.getKey((Cipher)params.Obj);
                     } else {
                         throw new RuntimeException();
                     }
                     break;
-                } catch (SlotIntegrityException e) { }
+                } catch (SlotIntegrityException e) {
+
+                }
             }
 
             if (masterKey == null) {
@@ -60,7 +60,7 @@ public class SlotCollectionTask<T extends Slot> extends ProgressDialogTask<SlotC
         } catch (SlotIntegrityException e) {
             return null;
         } catch (SlotException e) {
-            throw new UndeclaredThrowableException(e);
+            throw new RuntimeException(e);
         }
     }
 
@@ -71,7 +71,7 @@ public class SlotCollectionTask<T extends Slot> extends ProgressDialogTask<SlotC
     }
 
     public static class Params {
-        public SlotCollection Slots;
+        public SlotList Slots;
         public Object Obj;
     }
 
diff --git a/testdata/aegis_export.json b/testdata/aegis_export.json
index 55498e23..821c98e1 100644
--- a/testdata/aegis_export.json
+++ b/testdata/aegis_export.json
@@ -1,29 +1,34 @@
 {
     "version": 1,
     "header": {
-        "slots": {
-            "hash": "42ac2b4a85099475945bcb8e25768692331423a18f7ee105aa85109ae7817ddc",
-            "entries": [
-                {
-                    "type": 1,
-                    "uuid": "18f1a6b0-bc69-4bce-aec9-954d21ade664",
-                    "key": "b34a0eeccaba12528df2271d60f77081cb1d806977d17f9bb927d8fb028ced6c",
-                    "n": 32768,
-                    "r": 8,
-                    "p": 1,
-                    "salt": "a6172706a2bea2962e6322fb9f2d541977c93533359458dd151782251d502320"
+        "slots": [
+            {
+                "type": 1,
+                "uuid": "faa80a1d-1f64-4983-90c8-67d8b0a09509",
+                "key": "4ecda6896ea0713e270021c6e7878765a2569fa00f1e12ebd65c866ee1738bde",
+                "key_params": {
+                    "nonce": "d7bfdff7de45aa7c6166d595",
+                    "tag": "07dedd167226d49a1fca347ef0d0f885"
                 },
-                {
-                    "type": 2,
-                    "uuid": "e8640118-0f22-4bf9-9cb0-cd3091041e5f",
-                    "key": "1be26256e99803e79f825110cea824e851b13e117a39420e44635ccf821b679c"
+                "n": 32768,
+                "r": 8,
+                "p": 1,
+                "salt": "20b7f2a7029f3d35b5fa3cf0435414f8a8b84099b93cf75ee4871b266b2b5e27"
+            },
+            {
+                "type": 2,
+                "uuid": "b56dcbd4-0533-4288-8119-6dc2ef82d23b",
+                "key": "f32f816e1d43099832c7a23110f1349304ea1489ff65ce6e29ea79c0d42d38f4",
+                "key_params": {
+                    "nonce": "65b342b6780c02d1d22b1505",
+                    "tag": "940a05c01838a6f1163f984c38f58c1e"
                 }
-            ]
-        },
+            }
+        ],
         "params": {
-            "nonce": "e0e2b985f2fe2a0e13df031c",
-            "tag": "f8da17ad4671e2c128014fd618fcc52a"
+            "nonce": "5598c18c429ce521f46c68ab",
+            "tag": "60d612995b5d44f8be41399dad3d2734"
         }
     },
-    "db": "e2+A3JubuOUXt5eRARGp5FFunAx9UHmLqyo6ziu4qaG5lRXfcMlTxiMOqHfwnK5\/ydDS66AwxnpFN5se54Ub54t6qNKGFbswZY2UwQhG2Lxw4EMQ7iHsvRccIua3YHLgH9UgBb7fFl3TOEGB0H+yZTYQ1a0j3seARve9+YfPQHM+IaCPvt\/bZG7GK3hDgrWKWbYCJNgXAXX5G6ZdaxFIQOWG1Vpt2C9FiT22xIeEdh61jOMn1jvVi7U8WJv6xSdCYje3tVa58Vok08YZQfazMLkAik3V1dzcIhM\/Uijd9lRlYtGrVoeXh1Wj1w6DfdP\/RjQKSC7nCNhv5Kuf71ZYvisMh8lF2fb\/Sim6dPtfCpYcUgsEGb09VfEOI0wBDZENXJQ6UpVzfScXhv77qdeypU2+6DSDhhqX64HOTSQ1T33NSWet1vXUyFG9k51hXzB3zdHkjZHUC1Wlpfhtcm0R6aQ77Diw0HVR82GuHI3Rcb6OvESxjI9ETXIM1xQDxdVmKMNrgpCFU\/107og30m5\/iVQ68nyqMJWY1WI1xAtbJmbJJyrjv7Hz3MbJmtiXTsDuJj1NjFqVGVVztuNspQToEsdhcgzU7mDY24QaQT\/E7H+RNfIpxpUfDi3DAM1aLxzld7SkBxAPYKdY8fvYJagn5OBFja8j95tdDCvsK+jaEbTF7VEpkN8cwnItK2kgZIT9lak4NDO2AO6SBh6iApaVEcfBgzNPQmff+\/eCpHxLKNfRVRu\/G\/BIq8plJM2IuiKUWjPciXCzmzdzoIIEAHbtz3Xf8ADnih4aqh\/MGgxIOEQpUp\/Cc7JE+23UE1Kc6PILPoAzPyJc8AbNnwxEVPZKvMKnSWmtnYtGHF\/38LRha4crvL+EOd3IMMFS3Bje13\/tseLg0fYeASZ2kZozflC2wa7k17Sx0xHfe4sh6IoCL3+9LK1hL86VpO9nncqDePHlJn2kiBdNQlQ1dZnaKXcU95E7QHL7KDhiNJnU6\/E+U7k+GSV7dRtJvpw8sH0IgBkFcrNm04R6iyrMLKlS5nEn3fv9spZAFZYrT7Lo6zPEvIwGSGTuL7hk+f4AgChBK81guZPMQ7x7exSg6\/9Z4yFAST5hK5ADIvwtJy4lyw1hwjwwKK+TpzDDaeXQMVXqtecKy+tYsdRXJYrjo8ugDJaoUUmIR8zyNV8A1E4pjfT8Om88Nct\/g1xc5ehV5g4uOQz8RCJk64iPfG4kwn2yN5q+A40ln9KXTdnCDMAsWurXd1CxSIpyV2uRCqiCMTM9IdRwMUG36dcVN711jSW+KpvufM1oN2A87g5JHganFdTyd2vp1tYyBGAPDfCDfsO4LuQtPskqp9aAnzE8rAZxqk\/uIWsBH7Vqh22Tg9qP0riKmZUgDyG2iZ1GSZWn\/kE64tRZrrFhyyds49HNWHhjJpbK8+naH0gXiX+Orh6pKBMLPrUG0JPQABGl7thFGdLbtY9LhORvhX62WHVcSIKI93yVtbaFMYyQ63PnmHveNg5IdFDlTwRzpe7vcuN3VhEWzZAAz8iPq3IqSDTEiSLvI4l3trEZ58D2f+nFMK3D5UUIQb4hPG6XPC3gh81BkTrdizNMuHeepflqtzrim5hAay+F0Lt4ZbsbKDb2aO5ZUP5qNfNZHh7O4HFWIhz2bid1YoL+DWjNsIMhojWf2XdZnkJT1nCXD5VSYOmLWRPCl64cEJmjcLDWj8b0TpDIR7XWU6nF5f1cjNKj1tttSP45lnVGW+dkEZTggT72nk1AkJIjxT5EpucjSdrZLQr7nLGbTfgLF4G93zXLhJUnX\/nvm1zhLNOBjRmj\/OvIS5rPn\/ILw3iq8A2I42LSlHeGRATPucHrjl5AiKD3JalZQI8DmqK8yRzM6CCNQ2cuD1EavnUc5eYVbLvj\/+ufZLzRkNagfF1fJyR9lE5UQXaSnq+ZnN\/zkpXHPxP\/7SXlBoCqkSqvbhxPUrca6zHeJ7Y76r7ha73wsEscymiPLCNhBiz5IltLgNmXV2IqUzPpWny1IlpgNnSbALDqFFI3ns7E2bMkXdJU1x8Zz3tpuOBSNFSmIiaIAILHFB5gStm+4ZKIOJrs9Vdi3fgJfdDjxk5csdVA0T2Jxw1h3H8vTouEQcH59kQXenf7ap1L6E9wOq11XMfZy51vO6iA54j7Kxfu7y6RyQEvOCyxr3JkgMFLmbN9d5gffOjEh\/AWLZ0UxGl34J9M+4UAvOFVtrbHSGQRwY2qphVsluGHXnzL+pZSrOU4v7qWkhQbyySB\/6Pp1V3\/rna8BpXoyjRNFgj44YtH2zL1Fuqarhe2YNq8Dihp\/oc2PWDZ4LOgvXjH82N06PAEwzpQMwGZQKdXcGHdKPuDbSS2lLFq1cCLBhsA2IiNzt+bbMpGS35Q8LSXNrqVuYaaheyq2xWw2Ed\/uxH+PPFrz0kgiOYC8LNwuW1pdO9xPm6mdWrnL\/lhleKnKagpMCbfkUWMO2006f76L5fzqmuXU4ce+9zMddP+HewWVLm+szISuUdHptvOM8DCaeIahlYourfL5YfBQKk1RPnEqQEoZtAuwZdXKcEgFBUBO81Qyc2sHtAy2yPUCuBRqA9oa+aoAxSW63MPScfLXkrRop3bQJGYUuwsMNhnwE4yp5uHfd8jRJwFnOjDJmoxkp+TUDNkVbir\/Q7sIJi199Y4lMAjyzXUOucVETL8EF2rl6JRckflbgRxu6zwjA0j+Ql34vPAQ0RLWzIY1HKrCxE30S8gf+KUr8h\/VqxulcmQTE5GmfvANHMMnfRkCtKKrAsvuhlFc\/IUKhiOAa5TZUowCsdC4glNRMPd6RZeco1EPEvb6mLeX7PGkS4ej\/OZqHEPKvnNKBfkITciq1fPBWVxU7f3yTy21cMXfIQxWC0IaA0kpDDZD7cTz6yZRLSwFbULSpuoGpgrcRnnpa9QYvS4cDipkmZBVyXK0EHRk+vAQACIPb+lU67JNFWdu\/S82Jl8EwY1Q7sifIUyoDPrIPRr4kBMSEFTSrbz8Ea488gOtrjyaSZ7V9opIKaJzrDn2kNCv+bG9ryvtVfLfF1cgZ7Hn02CTeV2QGJhwR3vrieV2TGjDFG\/a\/ntbukE6IQLVp3EuVoY5qa8Hx\/42r7iFaT6sS2m6tFJmjfnN\/Ctp+dNb5\/ygyKLDSlDxpg04y7FBXK7VwmkEcBA6sIreht9vjNZRGiz1li3UZjUdLe3CjkcMKUEpfhUxz76Urnp7BsZLXGtO0CU7ViVAEZ8H\/W62Nv7CwAPJdR2oWDXDvZwt\/e5GaqQ6YtY1xYN\/RRQ0ETxJ0LMe5kCW8EsfGQZp5MM3lRR\/RgbOi22SvfWiBfl88Tg65Kw1HbquU30TngRYbbzS4WV5S0ujKN8FFA7sixhMONQKp9l+nGpSk\/onK3yKIXiB4qNuoAiuSSeKeXYwhPcgaD5SLQe9wfqvLye0QoQKopVdRxFSpsPBL6p7ROoaZzTAGxJOUp7\/+9W6je1E3A6BJqASqK2w9u92dLWEFDCm8luEJjoC4fI6qNSF1kA5xAHuqw2MFao5AzZfJZsVGszCdwGkNw1m0QyuRbKIKaRrST5+nSI48iudSBwdrx6rBbfCFDyWIpFVT73JYFOspx2GkTG4molXrBNWkptqFrJgJjSkv+wpSFqok9Zfrpk+\/wkuYaZ7UXIaWP37+6ewz9eHHVJMh5M1womdckpjgBL1K1kRa7viX\/QoxvaEVFBVRUFeWdNW2Su8uLz4Lk80MBO0hIebJZU+0tDE2j4v92wCxINuPEh8frbeRkJ6SvSJE0hIZYqNLJVmzbiCZgmluX97tdx9mro7j27zPbP4iMLe38J2t\/y2jjrZR4nWYyQ7h1U9Pc6CZhRboqEPmVZkutPzTyjyAfdRZf8KQ7pxHDNCOG8tTjH+BKHE\/iJ+\/uiMduZ6OCfeZysi4BGxCj58X\/eoPbfiqBzUwaznP1tcPTyEO42IcQEa6HidqCnpDbVVQXiO7DkdWkNQ81BESaVVindTMNYkdhvEMDUOHZSpU7sERyag8DkTgZ9bvmhBfp7Fa5fSUe+xe2Kvyhu1356lrjs98yKDyJCW\/kH3Jray0RPd6t+cDXY+vRpmDzoJhfhxKqfdUxFrb5l\/YItPoMGia9LIP89ZqB+wiwTZfDEOpgOLUlC7XSl2H50S9Ul\/\/rxQ+1POK1t8MypPLWNRlIeh\/evZ6GKqI3IK7597pTEnwYE8wU+Qqb61mCQ1e9nDJNSr1GvTcDDq29oZ3viP4yXq2dBzIiWgdXwgtg833nbyToaMgx6BBvtnQ35P3t28wL3To0S0HRoRRQhJ3\/pgsD2rregVPiCMWk+qptY7\/JIXkXFbQLQJ9D0MvINcNLgYuuOvAeO3aXAbg7sBLTu4zbOXwP2c+Z5d3MBrl47pmbMtGv2sPcEM1Hk+XdIm6AHh9FRAiVNJ09nDKmTqIa3gsnibfHEkKdKCMpS40PYTz0Q8XLsjFajbhk7NkqyzVv3mFpO5synVLjOUAfMsX6ZKXWXvbsmekjvAdzTEmua50IbtCpY26T5b0vaZtzC+72je73mH3lcTRay\/1Z8V6ilEyo0AEBjOYG5Ly55a\/u\/pCZe8AFAgvtgkh3kwrAF24sUi\/REpgRpieaZYbmr4Ap6FjWW8TqJOn8j0PruxV1wwnrK8n\/cLSIJqPbeXOb3qR0W9U\/etadTe5E73Me\/MiWJ\/BFGrJlINh970Sbvyshbbvnmg\/XsGXfyLMMpAIYWpTuoy\/aFESYg98h752pLZFJ1oljPvQ5lRdXCrIv9QSMhDkyuYlLeHfbYZOpn\/ORKf2uPYRDRpxsKbbJ80Y6xlccjapo6qQTKUWqGCpmDvk2E1EqXGQ6N4z1+xpDBtTkvF9Vfib4H4qcyOEM\/3X7sWfSXnIXmgC8pg2kthe8NaG4F96UB3vaovDCgAElCMZltQnsyFg=="
+    "db": "ILPzlJEAurVJJUrCgUDDLrkz4Yy45HhUPumMwr3Us0rC8NHMQgVmJcEKxxq7zPfBdOBWS\/hv0sj1PmqlHi4c0rAN0rXQqKcT7beK7QaszVRq8kW0gfV7PwN9uF+am9IKBVgs\/mtCec1S1eFMHDcU+mawfwNAea7n0dM+eLk89gBp2kiMBlCYW3f+ucjLgicUX2Rl8hiThZSrhK\/UCxmOO4hPLO0\/viVgpFy9y3V+LOefpJHdYyd6wymKSXx6cDX9iiVqczc2jM9RRazZ9ve6Ks2rndZvmIsmOugAXXS3f2\/Q9iLcXBO4y39O3v9h7nfugl5\/NbwL\/JQrPT8bcEAI9x1uoVqpPlsBzpjyq79LkXSa+wMuzaX4xq\/ox1zuVMZgzudE4BvlSBgAzXuM4KL4Ra7CIUbf0RJV5BtwH+2j7zt2Xh8lkP7BY1mbqnN+Vg8z8MTnwo6G\/WOo8zaz6gbA4yCvPO0xegeJZmbggQveC3YkZT9RQ45zD8StS7dkB2dcNMH9qUnA1RyTlrGyJX5G5MTSLsW8QunqikFmElWkNsgV9Ex+M+3z1TIu9f8hT9yF\/iQAIC0tNERgT5RcDtPVLiMSUl0uWZhZ56\/m+k18nN\/8oEf0FZGYBzKR8cNcvK+cM6Inu6VpEqjfpx951SXF+sSo5j80xqDZFbWycgQzBrS1f+mfsV\/S1V3RR\/aG5HVntB8NtwH0PlGIi155QE8Yu+jnUCl7yz5L9QhJN4TVqmSIxXCT3EBN3EhB6MYw4LpPPJc3yTIKK6ltDhtp3yrBWSfzgZiwZL1jLLpJ9V\/fCtdzuC33AQbxgjPIVBJ8bW2G1\/Qp8SQKGRdVX6MR8L6XK03tvYasRgnhRo4\/8RtW\/tzhUUaRPGO66sF9ztLoeMwR8blgUcLcDRTFbZKOgmyPqo+a23jCi32H8+WJsB04XyltGSkAPN1jZJsdQ+2FCG2pW34KkPxUvl5+pULXaLOs1twsR\/K7iCbs3lOLvA4bDoZ+5EyvFcJDhmguP2s3Su64mXdfcQqh68UegDdyTutOt9TjLQhGfby8URyLVilFs8gUoCLr5E7tHlSg9GZthTWew0+jOmr06HWytD5Eu9N\/aUPcxadeM6js9XSH5OC4VUv+qZeUtfsmfGyYd8kIU5e4wz4lQZj4kbbZGsYzFlQI2OT4yTEsfwcee10FafOiCM86yfPnPKPQEnLxUV6PNx\/MmIq2UgGHT8xn9IttwwUa4KJZ9dgeB6iVk0MexzLaOHEa\/wK5dkQxvKxKe+sbdHIFbsLm3eOU5o3ourPIRYd0HTVcAjuOcnHdS6CiGgga4PqH0wJ7ZQ6R1cbCsMagW2FpivyBbJ2Y8hwrQyYCKmcR9cGEom1UTHSHPbUXw6Mmz3j85f5eQGzfDH6HW1YuGcKtgvjUoiW96PFInZxymg5opWnnvpH9+p9XLhObxOmDDhKGnz\/VfflvjqepvA7d6tNRg34uQF2bxykvfb8\/a9TGNVckLfcV02W6R4p+pLK2nVyewds9LBhNAl+PpW0dVFwKo4spn4Nwop1A657NL31ojNCnB3JowTD5g4sqSI4oc43EZgLspi\/\/Pw2meHlLhrhwGICJgyeoTISnw16agdrVnqFsuAYuHM5NlYy8+2UlwOGatGBumbgmbHq7z4VmRbmaGWXPirKO6P4sHaMq9Antqw2T3xjgFEVxFCWnY\/BsAQUE+pNzNCCAKoVlBk3S1CYgpB2ZyQYXOv98Y7MwSrsObem7p1Rdd7elvjE8CkGd3UfUFkbXoV8e+hwUUDk325ND68jzsfP4m1iQIH4B92Gces04oNT3T\/RcS3HJxs6\/\/2\/wUPOpRELys9YNqbOGB3FSse66nJheYqGTEaVacu9zEy5Ye9b8dUE5axbXvbtS+vlKCMrjlW7hBeO5tOGtvZf1BM0hbK\/unpW9MCk\/7YVoQckHuA0mq9z0FgTfdlMZ376OYI8ZWQPyiYxcw0AfiDKMGt0qe+Mcjgwcpj6ilM\/YvJSaD6zq1siuVwSDU7Ep1JBC\/rBw+OsIfgELsKU\/zpbhl6tEau3qiTetl\/XvU\/wz5derqzAZDimPVN0BSWl7foP4V17VFjENz\/BfEf28sQYuh59Y2OvMCcSu5MHyxY6frVUPshPGoo7zv809I47uXedbTVBd5Z9Zg\/GGhpc7TDasWUYPLF6ErHIGC+OQN3Thx2P7sv3SLFbh4+yIutB4EPOo8anw7wIJv+1veWGgYGSCb9E51ZXv6IxW5i2JbJil98vnTpHH+b0miCbUFNlZ8eu+MopZosaZ8CFJkLUSDhAT4Adc1TIuzj\/8FhnH\/z5n98ClyWjbnYDH7yFluUDsA9\/\/jZXbHaZKzN5dDr2AQzKArnGz\/JGASBfbNBwfQ5Y2X00tS+9VoBBFqV8gi0L4QqYiYRkxTiL4fRrbKdMohdCmZ\/R\/DRJJs1nHIT\/J2zpAaNTTuEwwCuBj2lPfPiMOpkPY2WeZELY51x7tvhTZD6tXA+K1VBldeWMcUddxg\/KdWlV5vryvR3fh8nhkTjn3S5Wnto0v9jTItxpQfAzytOurNdGa4sMJIWpcLZ\/e15KQXTnDTOb+6gwaUCDYM9CfbK+RJsdBowUNGTmLRcWh\/I45SMPMrrjAvCekM1yTfDhwmIT\/rZMKCkZOlM2hKtFnzttrVTRE8Nh+AgXc3nVeflnAoXK+5b0aKDRgppFPdmZcxvuy0TZgMDS+zptdPOysrQ6L1jTmMoTfjm4BZOYIEvrEV70aqlHfaET8wVGEFeeOxyewYt\/n3l55VhUo155bc3zYUJdJOTLsLD\/0NxaQEgLUyKUsXNFwETQPJU60WtxpvvM05x\/S09qfPCHtgcwLI+cP77D3L46QT8kZlkGesXzb96wHPf2717+yZxqdI\/tWfgq\/MMF\/lqGTRPzsvLY\/3dglqN\/\/hAJtZ\/RS1JFI7Yw0QUb2Dj3cwWkMnXjN7w3YC\/qi7G+tr+knsSE7zgBa5ooRFIQMDl8xj4uOR2VT\/aXvrBmblqmjJv1H5CxCG5XyxBkTPr9Ju\/8QMABS1in24HUrB9v2VP2jjv1l16aGJZpwSwlJtuY4eT06X3od6k5ZBY\/sPoHj\/9tkdqw9UgNO8IWXRIH9lXuplAVtE9R5BRLMcD9xFrWweXK+YW4Vlxqncbtg3IQvLhvdaCUqG6qfR8ml9bCqVqU4PXLXaVBOYU0BUjZV4UqkRPn3JA8RzlxAebthnPEnhb8xevhUAHcZSkNrZoICPL06hXn7KUBCnQMuOLYoPe2tbd+Mz8j8F5KMmAa8m2IRLeFeIU51U25Uq6f6ON1N+GuXjjvXGG8UD+OC8o1HjzH+cWDFTppxu7twZoLYoY3qPYClI1FCHIdWat1juaFjdfXxaCW8z26Vnv\/+lPwfdb6XXw3VIlhi5PCltTOPyJ\/LaaWAeQ9lkb7qoQB3dOgnRwF+IP7VztnsT4cyJlbld5qWfY3XUvKQEO0jg5f93MM6MCnso9SdC5mBkWY6UuULZYxSTgYDX\/uCm0iuV4l8Z+amKspLYWvbCq8IFIjTZ+95bDNroQJkNgYpZBj0cl3GyMCW6cmcSf2SmhnchKqdHfQrZ4kQoafr5ACkPrx0tLbjgCh1c6fGZ1aRUd+nWFNz2P7xVS8G8RvTV3xdulk+3KfdqZzpiY6b0LiKT0yjyWC++X64hHeh3S9M72k6rQmzwc+4P97jVPYUVt0K2EdjM9+0eRxeQoB4EFiit3+vB7Chpj91oqs\/pz2DMQOSEpuIzIgBLDOnqYYQFEW0s\/9OBnx6j0IwH9dmU3DOGjBRrU8T35rft+15W7M5RdC3rr2Z66MqNnrHDzhAnxJuZDOXA7BYMpkq0nlNxpc2pRnZEPUkjzDfpwVmv7foMLSAGeYoQdlrhrbSa0A7skF6FGMUDT7baYoJucTE+EoPUELFE86ZxxoLCSg2PTtCI25AeABjYm7TaapbicxTQb9GtvCy7mBzOo1C5rtDq\/5CiwxZDcCuVfGvaJT7nOJvXvD42m0F7rQNPh+DJhxfCs+rfW6wmxqW8kz57ssiSfQ5lJwMbCBMRjYu5fDtl8uLN0HrnEz6XGS83GnGqK9Q+flGyQhpZ5aBuSrOxjuO43BDpXKrB+dbgUJp3jZIK41fFTZr8YcGiBeGq9f+zE\/oeAfcvH0twRQzO5vsZUqp\/OK4dClEpsPsQmR8bUqbdrj2ETGoH2Ih2i8ijBhGyc+7uMOox6XgySFvy8sVaMfryINUgt6OCSH4Xu7RQwkDbYDzNbw1KS3fXJ5TWyOaIZJTUlVJ\/UWQLjGvxNrVlmZPmJMJ\/lUaansai1BlLViY0gmfqavLDAU2qpudgW7C1Ncm\/3gP6\/DZiWDq+P0RCZ2xcAm9GjC8PvZGLtQSCrxEzalQWPrMVe+zwlPoU3lkv4lFc2SGIKlyBKZ+NjMwoDd2a7rRvsQlynPpJqQXlFy+sewQqngjbXZ0LYkKwCjEnqUb4ip8YkkIS1GAFZe5vp3aqBXEF5ID2YdYnZEJWLCNSoTGr6d9XMNLXB62sSoxgeacZtLrNuZ2mi7CrRVj7ee4mVPnN0LedBweBy6sxYdhAIcWAwYTA2htM93ppT36m8qifXcledgiqzDmlYRRIJXITMtt1xlR683RfySVnBmp\/CoaOHpjrllbU9y69yzzIwt7umhf0nMxx8tO1lngdcLWlUkLK5rkDeDby2mvFOHs9awTPFdgVjdwGKtBUvlt64\/JOrbKeNu3Lv2a84RccV\/IbKkqjhTKulbHuqM7Kgq3Ju7deH7Xe91kZFf5JUo050s9z3hMqgbjeDRGjGy6kF7eKv900ejtGuibx7kqFIOBrinc6QrrsG1bPKulSAiJe34cmM19sXfNmo0WMBMaVvJ6xgu9FRwJXoZ1jSRCfWLF79dC2Oin0Zn9TTMeGKz9+sogAiEUIw=="
 }
\ No newline at end of file
diff --git a/testdata/aegis_export_plain.json b/testdata/aegis_export_plain.json
index 03501755..a3ab399d 100644
--- a/testdata/aegis_export_plain.json
+++ b/testdata/aegis_export_plain.json
@@ -52,7 +52,7 @@
                     "secret": "6CAIGVYB5MQ6TSZLJ56HJBWU5S3H7FUC",
                     "algo": "SHA512",
                     "digits": 6,
-                    "counter": 30
+                    "counter": 96
                 }
             },
             {
@@ -100,7 +100,7 @@
                     "secret": "EIQMT7NHFYJUMBKQ35P34JGLG3MO7L2W",
                     "algo": "SHA1",
                     "digits": 8,
-                    "counter": 20
+                    "counter": 30
                 }
             },
             {