diff --git a/src/desktop/DesktopMain.ts b/src/desktop/DesktopMain.ts index eb108cdd7cb7..81bf550e8ca2 100644 --- a/src/desktop/DesktopMain.ts +++ b/src/desktop/DesktopMain.ts @@ -30,8 +30,8 @@ import child_process from "child_process" import {LocalShortcutManager} from "./electron-localshortcut/LocalShortcut" import {cryptoFns} from "./CryptoFns" import {DesktopConfigMigrator} from "./config/migrations/DesktopConfigMigrator" -import type {DesktopDeviceKeyProvider} from "./DeviceKeyProviderImpl" -import {DeviceKeyProviderImpl} from "./DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "./KeyStoreFacadeImpl" +import {KeyStoreFacadeImpl} from "./KeyStoreFacadeImpl" import {AlarmSchedulerImpl} from "../calendar/date/AlarmScheduler" import {SchedulerImpl} from "../misc/Scheduler" import {DateProviderImpl} from "../calendar/date/CalendarUtils" @@ -46,7 +46,7 @@ type Components = { readonly dl: DesktopDownloadManager readonly sse: DesktopSseClient readonly conf: DesktopConfig - readonly deviceKeyProvider: DesktopDeviceKeyProvider + readonly keyStoreFacade: DesktopKeyStoreFacade readonly notifier: DesktopNotifier readonly sock: Socketeer readonly updater: ElectronUpdater 
@@ -94,9 +94,9 @@ if (opts.registerAsMailHandler && opts.unregisterAsMailHandler) { async function createComponents(): Promise { lang.init(en) const secretStorage = new KeytarSecretStorage() - const deviceKeyProvider = new DeviceKeyProviderImpl(secretStorage, desktopCrypto) - const configMigrator = new DesktopConfigMigrator(desktopCrypto, deviceKeyProvider, electron) - const conf = new DesktopConfig(app, configMigrator, deviceKeyProvider, desktopCrypto) + const keyStoreFacade = new KeyStoreFacadeImpl(secretStorage, desktopCrypto) + const configMigrator = new DesktopConfigMigrator(desktopCrypto, keyStoreFacade, electron) + const conf = new DesktopConfig(app, configMigrator, keyStoreFacade, desktopCrypto) // Fire config loading, dont wait for it conf.init().catch(e => { console.error("Could not load config", e) @@ -108,11 +108,11 @@ async function createComponents(): Promise { const notifier = new DesktopNotifier(tray, new ElectronNotificationFactory()) const dateProvider = new DateProviderImpl() const dl = new DesktopDownloadManager(conf, desktopNet, desktopUtils, dateProvider, fs, electron) - const alarmStorage = new DesktopAlarmStorage(conf, desktopCrypto, deviceKeyProvider) + const alarmStorage = new DesktopAlarmStorage(conf, desktopCrypto, keyStoreFacade) const updater = new ElectronUpdater(conf, notifier, desktopCrypto, app, tray, new UpdaterWrapperImpl()) const shortcutManager = new LocalShortcutManager() const themeManager = new ThemeManager(conf) - const credentialsEncryption = new ElectronCredentialsEncryptionImpl(deviceKeyProvider, desktopCrypto) + const credentialsEncryption = new ElectronCredentialsEncryptionImpl(keyStoreFacade, desktopCrypto) const wm = new WindowManager(conf, tray, notifier, electron, shortcutManager, dl, themeManager) const alarmScheduler = new AlarmSchedulerImpl(dateProvider, new SchedulerImpl(dateProvider, global)) const desktopAlarmScheduler = new DesktopAlarmScheduler(wm, notifier, alarmStorage, desktopCrypto, alarmScheduler) 
@@ -153,7 +153,7 @@ async function createComponents(): Promise { dl, sse, conf, - deviceKeyProvider, + keyStoreFacade: keyStoreFacade, sock, notifier, updater, @@ -205,8 +205,8 @@ async function startupInstance(components: Components) { } async function onAppReady(components: Components) { - const {ipc, wm, deviceKeyProvider, conf} = components - deviceKeyProvider.getDeviceKey().catch(() => { + const {ipc, wm, keyStoreFacade, conf} = components + keyStoreFacade.getDeviceKey().catch(() => { electron.dialog.showErrorBox("Could not access secret storage", "Please see the FAQ at tutanota.com/faq/#secretstorage") }) app.on("window-all-closed", async () => { diff --git a/src/desktop/DeviceKeyProviderImpl.ts b/src/desktop/KeyStoreFacadeImpl.ts similarity index 95% rename from src/desktop/DeviceKeyProviderImpl.ts rename to src/desktop/KeyStoreFacadeImpl.ts index b83147974317..331fe15504d0 100644 --- a/src/desktop/DeviceKeyProviderImpl.ts +++ b/src/desktop/KeyStoreFacadeImpl.ts @@ -13,13 +13,13 @@ export enum KeyAccountName { CREDENTIALS_KEY = "credentials-device-lock-key" } -export interface DesktopDeviceKeyProvider { +export interface DesktopKeyStoreFacade { getDeviceKey(): Promise getCredentialsKey(): Promise } -export class DeviceKeyProviderImpl implements DesktopDeviceKeyProvider { +export class KeyStoreFacadeImpl implements DesktopKeyStoreFacade { _secretStorage: SecretStorage _resolvedKeys: Record> _crypto: DesktopCryptoFacade diff --git a/src/desktop/config/DesktopConfig.ts b/src/desktop/config/DesktopConfig.ts index f3c63feedbcc..fb16415cbd3b 100644 --- a/src/desktop/config/DesktopConfig.ts +++ b/src/desktop/config/DesktopConfig.ts 
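Review bot: In `onAppReady` the `.catch(() => {` on `keyStoreFacade.getDeviceKey()` discards the rejection, so a user-cancelled keychain unlock (presumably the `CancelledError` thrown in SecretStorage.ts) and any other secret-storage failure produce the same dialog and leave nothing in the log. Taking the error and recording it before the dialog, `keyStoreFacade.getDeviceKey().catch(e => {` followed by `console.error("Could not access secret storage", e)`, keeps the cause available for support and incident triage; `createComponents` already logs config-load failures this way. In the hunk before it, `keyStoreFacade: keyStoreFacade,` can be the shorthand `keyStoreFacade,` like its neighbours. `onAppReady` continues past the end of the hunk.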
@@ -7,7 +7,7 @@ import fs from "fs" import type {Config} from "./ConfigCommon" import {BuildConfigKey, DesktopConfigEncKey, DesktopConfigKey} from "./ConfigKeys" import type {App} from "electron" -import type {DesktopDeviceKeyProvider} from "../DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "../KeyStoreFacadeImpl" import {DesktopCryptoFacade} from "../DesktopCryptoFacade" import {CryptoError} from "../../api/common/error/CryptoError" import {log} from "../DesktopLog" @@ -28,14 +28,14 @@ export class DesktopConfig { _buildConfig: DeferredObject; _desktopConfig: DeferredObject; // user preferences as set for this installation _desktopConfigFile: ConfigFileType; - _deviceKeyProvider: DesktopDeviceKeyProvider + _keyStoreFacade: DesktopKeyStoreFacade _cryptoFacade: DesktopCryptoFacade _app: App _migrator: DesktopConfigMigrator _onValueSetListeners: OnValueSetListeners - constructor(app: App, migrator: DesktopConfigMigrator, deviceKeyProvider: DesktopDeviceKeyProvider, cryptFacade: DesktopCryptoFacade) { - this._deviceKeyProvider = deviceKeyProvider + constructor(app: App, migrator: DesktopConfigMigrator, keyStoreFacade: DesktopKeyStoreFacade, cryptFacade: DesktopCryptoFacade) { + this._keyStoreFacade = keyStoreFacade this._cryptoFacade = cryptFacade this._app = app this._migrator = migrator @@ -94,7 +94,7 @@ export class DesktopConfig { return null } - const deviceKey = await this._deviceKeyProvider.getDeviceKey() + const deviceKey = await this._keyStoreFacade.getDeviceKey() try { return this._cryptoFacade.aesDecryptObject(deviceKey, downcast(encryptedValue)) } catch (e) { @@ -107,7 +107,7 @@ export class DesktopConfig { } async _setEncryptedVar(key: DesktopConfigEncKey, value: ConfigValue | null) { - const deviceKey = await this._deviceKeyProvider.getDeviceKey() + const deviceKey = await this._keyStoreFacade.getDeviceKey() let encryptedValue if (value != null) { encryptedValue = this._cryptoFacade.aesEncryptObject(deviceKey, value) 
diff --git a/src/desktop/config/migrations/DesktopConfigMigrator.ts b/src/desktop/config/migrations/DesktopConfigMigrator.ts index ebab31030b15..66c26ec37ddb 100644 --- a/src/desktop/config/migrations/DesktopConfigMigrator.ts +++ b/src/desktop/config/migrations/DesktopConfigMigrator.ts @@ -11,19 +11,19 @@ import * as migration0004 from "./migration-0004" import * as migration0005 from "./migration-0005" import type {Config, ConfigMigration} from "../ConfigCommon" import {DesktopCryptoFacade} from "../../DesktopCryptoFacade" -import type {DesktopDeviceKeyProvider} from "../../DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "../../KeyStoreFacadeImpl" export type MigrationKind = "migrateClient" | "migrateAdmin" export type ElectronExports = typeof Electron.CrossProcessExports; export class DesktopConfigMigrator { readonly crypto: DesktopCryptoFacade - _deviceKeyProvider: DesktopDeviceKeyProvider + _keyStoreFacade: DesktopKeyStoreFacade _electron: ElectronExports - constructor(crypto: DesktopCryptoFacade, deviceKeyProvider: DesktopDeviceKeyProvider, electron: ElectronExports) { + constructor(crypto: DesktopCryptoFacade, keyStoreFacade: DesktopKeyStoreFacade, electron: ElectronExports) { this.crypto = crypto - this._deviceKeyProvider = deviceKeyProvider + this._keyStoreFacade = keyStoreFacade this._electron = electron } @@ -41,7 +41,7 @@ export class DesktopConfigMigrator { await applyMigration(migration0002[migrationFunction], oldConfig) case 2: - await applyMigration(config => migration0003[migrationFunction](config, this.crypto, this._deviceKeyProvider), oldConfig) + await applyMigration(config => migration0003[migrationFunction](config, this.crypto, this._keyStoreFacade), oldConfig) case 3: await applyMigration(migration0004[migrationFunction], oldConfig) diff --git a/src/desktop/config/migrations/migration-0003.ts b/src/desktop/config/migrations/migration-0003.ts index 438005960632..c00455ccd41d 100644 
--- a/src/desktop/config/migrations/migration-0003.ts +++ b/src/desktop/config/migrations/migration-0003.ts @@ -1,17 +1,17 @@ import {DesktopCryptoFacade} from "../../DesktopCryptoFacade" import type {Config} from "../ConfigCommon" import {downcast} from "@tutao/tutanota-utils" -import type {DesktopDeviceKeyProvider} from "../../DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "../../KeyStoreFacadeImpl" import {log} from "../../DesktopLog" -async function migrate(oldConfig: Config, crypto: DesktopCryptoFacade, deviceKeyProvider: DesktopDeviceKeyProvider): Promise { +async function migrate(oldConfig: Config, crypto: DesktopCryptoFacade, keyStoreFacade: DesktopKeyStoreFacade): Promise { Object.assign(oldConfig, { desktopConfigVersion: 3, }) if (oldConfig.pushIdentifier) { try { - const deviceKey = await deviceKeyProvider.getDeviceKey() + const deviceKey = await keyStoreFacade.getDeviceKey() Object.assign(oldConfig, { sseInfo: crypto.aesEncryptObject(deviceKey, downcast(oldConfig.pushIdentifier)), }) diff --git a/src/desktop/credentials/ElectronCredentialsEncryption.ts b/src/desktop/credentials/ElectronCredentialsEncryption.ts index 327965a8b4f9..aba8458b38f7 100644 --- a/src/desktop/credentials/ElectronCredentialsEncryption.ts +++ b/src/desktop/credentials/ElectronCredentialsEncryption.ts @@ -1,7 +1,7 @@ import {CredentialEncryptionMode} from "../../misc/credentials/CredentialEncryptionMode" -import {ProgrammingError} from "../../api/common/error/ProgrammingError" -import {DesktopDeviceKeyProvider} from "../DeviceKeyProviderImpl" +import {DesktopKeyStoreFacade} from "../KeyStoreFacadeImpl" import {DesktopCryptoFacade} from "../DesktopCryptoFacade" +import {assert} from "@tutao/tutanota-utils" export interface ElectronCredentialsEncryption { /** 
@@ -20,28 +20,26 @@ export interface ElectronCredentialsEncryption { export class ElectronCredentialsEncryptionImpl implements ElectronCredentialsEncryption { - private readonly _desktopDeviceKeyProvider: DesktopDeviceKeyProvider + private readonly _desktopKeyStoreFacade: DesktopKeyStoreFacade private readonly _crypto: DesktopCryptoFacade - constructor(deviceKeyProvider: DesktopDeviceKeyProvider, crypto: DesktopCryptoFacade) { - this._desktopDeviceKeyProvider = deviceKeyProvider + constructor(keyStoreFacade: DesktopKeyStoreFacade, crypto: DesktopCryptoFacade) { + this._desktopKeyStoreFacade = keyStoreFacade this._crypto = crypto } - async decryptUsingKeychain(base64EncodedEncryptedData: string, encryptionMode: CredentialEncryptionMode): Promise { - if (encryptionMode !== CredentialEncryptionMode.DEVICE_LOCK) { - throw new ProgrammingError("should not use unsupported encryption mode") - } - const key = await this._desktopDeviceKeyProvider.getCredentialsKey() + async decryptUsingKeychain(base64EncodedEncryptedData: string, encryptionMode: CredentialEncryptionMode.DEVICE_LOCK): Promise { + // making extra sure that the mode is the right one since this comes over IPC + assert(encryptionMode === CredentialEncryptionMode.DEVICE_LOCK, "should not use unsupported encryption mode") + const key = await this._desktopKeyStoreFacade.getCredentialsKey() const decryptedData = this._crypto.aes256DecryptKeyToB64(key, base64EncodedEncryptedData) return Promise.resolve(decryptedData) } - async encryptUsingKeychain(base64EncodedData: string, encryptionMode: CredentialEncryptionMode): Promise { - if (encryptionMode !== CredentialEncryptionMode.DEVICE_LOCK) { - throw new ProgrammingError("should not use unsupported encryption mode") - } - const key = await this._desktopDeviceKeyProvider.getCredentialsKey() + async encryptUsingKeychain(base64EncodedData: string, encryptionMode: CredentialEncryptionMode.DEVICE_LOCK): Promise { + // making extra sure that the mode is the right one since 
this comes over IPC + assert(encryptionMode === CredentialEncryptionMode.DEVICE_LOCK, "should not use unsupported encryption mode") + const key = await this._desktopKeyStoreFacade.getCredentialsKey() const encryptedData = this._crypto.aes256EncryptKeyToB64(key, base64EncodedData) return Promise.resolve(encryptedData) } diff --git a/src/desktop/sse/DesktopAlarmStorage.ts b/src/desktop/sse/DesktopAlarmStorage.ts index bb9cc322e9e0..8a327eec3727 100644 --- a/src/desktop/sse/DesktopAlarmStorage.ts +++ b/src/desktop/sse/DesktopAlarmStorage.ts @@ -3,7 +3,7 @@ import type {EncryptedAlarmNotification, NotificationSessionKey} from "./Desktop import {DesktopCryptoFacade} from "../DesktopCryptoFacade" import {elementIdPart} from "../../api/common/utils/EntityUtils" import {DesktopConfigKey} from "../config/ConfigKeys" -import type {DesktopDeviceKeyProvider} from "../DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "../KeyStoreFacadeImpl" import type {Base64} from "@tutao/tutanota-utils" import {findAllAndRemove} from "@tutao/tutanota-utils" import {log} from "../DesktopLog" @@ -12,13 +12,13 @@ import {log} from "../DesktopLog" * manages session keys used for decrypting alarm notifications, encrypting & persisting them to disk */ export class DesktopAlarmStorage { - _deviceKeyProvider: DesktopDeviceKeyProvider + _desktopKeyStoreFacade: DesktopKeyStoreFacade _conf: DesktopConfig _crypto: DesktopCryptoFacade _sessionKeysB64: Record - constructor(conf: DesktopConfig, desktopCryptoFacade: DesktopCryptoFacade, deviceKeyProvider: DesktopDeviceKeyProvider) { - this._deviceKeyProvider = deviceKeyProvider + constructor(conf: DesktopConfig, desktopCryptoFacade: DesktopCryptoFacade, keyStoreFacade: DesktopKeyStoreFacade) { + this._desktopKeyStoreFacade = keyStoreFacade this._conf = conf this._crypto = desktopCryptoFacade this._sessionKeysB64 = {} 
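Review bot: In `decryptUsingKeychain` and `encryptUsingKeychain` the only runtime guard on the IPC-supplied `encryptionMode` is now `assert(...)` from `@tutao/tutanota-utils`, whose implementation is not visible in this diff. Narrowing the parameter type to `CredentialEncryptionMode.DEVICE_LOCK` is erased at compile time and does nothing for a value arriving over IPC. If that helper can ever be disabled or stripped in a release build the check disappears, so either confirm it always throws or keep an explicit guard such as `if (encryptionMode !== CredentialEncryptionMode.DEVICE_LOCK) throw new Error("should not use unsupported encryption mode")`. The thrown type also changes from `ProgrammingError` to whatever `assert` raises, so any caller that matched on the error class will no longer recognise it. I would extend the comment to `// runtime check, not a debug assertion: encryptionMode arrives over IPC and the parameter type is not enforced at runtime`.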
@@ -35,7 +35,7 @@ export class DesktopAlarmStorage { if (!keys[pushIdentifierId]) { this._sessionKeysB64[pushIdentifierId] = pushIdentifierSessionKeyB64 - return this._deviceKeyProvider.getDeviceKey().then(pw => { + return this._desktopKeyStoreFacade.getDeviceKey().then(pw => { keys[pushIdentifierId] = this._crypto.aes256EncryptKeyToB64(pw, pushIdentifierSessionKeyB64) return this._conf.setVar(DesktopConfigKey.pushEncSessionKeys, keys) }) @@ -61,7 +61,7 @@ export class DesktopAlarmStorage { * @return {Promise} a stored pushIdentifierSessionKey that should be able to decrypt the given notificationSessionKey */ async getPushIdentifierSessionKey(notificationSessionKey: NotificationSessionKey): Promise { - const pw = await this._deviceKeyProvider.getDeviceKey() + const pw = await this._desktopKeyStoreFacade.getDeviceKey() const pushIdentifierId = elementIdPart(notificationSessionKey.pushIdentifier) if (this._sessionKeysB64[pushIdentifierId]) { diff --git a/src/desktop/sse/SecretStorage.ts b/src/desktop/sse/SecretStorage.ts index 68c0a449f5f9..76fa80a81fd2 100644 --- a/src/desktop/sse/SecretStorage.ts +++ b/src/desktop/sse/SecretStorage.ts @@ -11,7 +11,9 @@ export class KeytarSecretStorage implements SecretStorage { getPassword(service: string, account: string): Promise { return getPassword(service, account) .catch(e => { - if (e.message === CANCELLED) throw new CancelledError("user cancelled keychain unlock") + if (e.message === CANCELLED) { + throw new CancelledError("user cancelled keychain unlock") + } throw e }) } diff --git a/test/api/TestUtils.ts b/test/api/TestUtils.ts index 1d98e97e46ae..956c2250631d 100644 --- a/test/api/TestUtils.ts +++ b/test/api/TestUtils.ts 
@@ -5,7 +5,7 @@ import {IndexerCore} from "../../src/api/worker/search/IndexerCore" import {EventQueue} from "../../src/api/worker/search/EventQueue" import {DbFacade, DbTransaction} from "../../src/api/worker/search/DbFacade" import {assertNotNull, neverNull} from "@tutao/tutanota-utils" -import type {DesktopDeviceKeyProvider} from "../../src/desktop/DeviceKeyProviderImpl" +import type {DesktopKeyStoreFacade} from "../../src/desktop/KeyStoreFacadeImpl" import {mock} from "@tutao/tutanota-test-utils" import {aes256RandomKey, fixedIv, uint8ArrayToKey} from "@tutao/tutanota-crypto" @@ -64,7 +64,7 @@ export function reportTest(results: any, stats: any) { })() } -export function makeDeviceKeyProvider(uint8ArrayKey: Uint8Array): DesktopDeviceKeyProvider { +export function makeKeyStoreFacade(uint8ArrayKey: Uint8Array): DesktopKeyStoreFacade { return { getDeviceKey() { return Promise.resolve(uint8ArrayToKey(uint8ArrayKey)) diff --git a/test/client/Suite.ts b/test/client/Suite.ts index 3ef0cecf51f2..e6b47ba3d4f7 100644 --- a/test/client/Suite.ts +++ b/test/client/Suite.ts @@ -75,7 +75,7 @@ import {preTest, reportTest} from "../api/TestUtils" await import("./desktop/integration/RegistryScriptGeneratorTest.js") await import("./desktop/DesktopCryptoFacadeTest.js") await import("./desktop/DesktopContextMenuTest.js") - await import("./desktop/DeviceKeyProviderTest.js") + await import("./desktop/KeyStoreFacadeTest.js") await import ("./desktop/config/ConfigFileTest.js") await import ("./desktop/credentials/ElectronCredentialsEncryptionTest") } diff --git a/test/client/desktop/DeviceKeyProviderTest.ts b/test/client/desktop/KeyStoreFacadeTest.ts similarity index 72% rename from test/client/desktop/DeviceKeyProviderTest.ts rename to test/client/desktop/KeyStoreFacadeTest.ts index 48379afb8564..65104e3aed50 100644 --- a/test/client/desktop/DeviceKeyProviderTest.ts +++ b/test/client/desktop/KeyStoreFacadeTest.ts 
@@ -1,16 +1,16 @@ import o from "ospec" -import {DeviceKeyProviderImpl, KeyAccountName, SERVICE_NAME} from "../../../src/desktop/DeviceKeyProviderImpl" +import {KeyAccountName, KeyStoreFacadeImpl, SERVICE_NAME} from "../../../src/desktop/KeyStoreFacadeImpl" import {DesktopCryptoFacade} from "../../../src/desktop/DesktopCryptoFacade" import type {SecretStorage} from "../../../src/desktop/sse/SecretStorage" import {spyify} from "../nodemocker" import {downcast} from "@tutao/tutanota-utils" import {keyToBase64, uint8ArrayToKey} from "@tutao/tutanota-crypto" -function initDeviceKeyProvider(secretStorage: SecretStorage, crypto: DesktopCryptoFacade): DeviceKeyProviderImpl { - return new DeviceKeyProviderImpl(secretStorage, crypto) +function initKeyStoreFacade(secretStorage: SecretStorage, crypto: DesktopCryptoFacade): KeyStoreFacadeImpl { + return new KeyStoreFacadeImpl(secretStorage, crypto) } -o.spec("DeviceKeyProvider test", function () { +o.spec("KeyStoreFacade test", function () { const aes256Key = uint8ArrayToKey(new Uint8Array([1, 2])) o("getDeviceKey should return stored key", async function () { const secretStorageSpy: SecretStorage = spyify({ @@ -22,8 +22,8 @@ o.spec("DeviceKeyProvider test", function () { }, }) const cryptoFacadeSpy: DesktopCryptoFacade = spyify(downcast({})) - const deviceKeyProvider = initDeviceKeyProvider(secretStorageSpy, cryptoFacadeSpy) - const actualKey = await deviceKeyProvider.getDeviceKey() + const keyStoreFacade = initKeyStoreFacade(secretStorageSpy, cryptoFacadeSpy) + const actualKey = await keyStoreFacade.getDeviceKey() o(actualKey).deepEquals(aes256Key) o(secretStorageSpy.getPassword.callCount).equals(1) o(secretStorageSpy.getPassword.calls[0].args).deepEquals([SERVICE_NAME, KeyAccountName.DEVICE_KEY]) 
@@ -42,8 +42,8 @@ o.spec("DeviceKeyProvider test", function () { return aes256Key }, }) - const deviceKeyProvider = initDeviceKeyProvider(secretStorageSpy, cryptoFacadeSpy) - await deviceKeyProvider.getDeviceKey() + const keyStoreFacade = initKeyStoreFacade(secretStorageSpy, cryptoFacadeSpy) + await keyStoreFacade.getDeviceKey() o(secretStorageSpy.setPassword.args).deepEquals([SERVICE_NAME, KeyAccountName.DEVICE_KEY, keyToBase64(aes256Key)]) }) }) \ No newline at end of file diff --git a/test/client/desktop/config/migrations/DesktopConfigMigratorTest.ts b/test/client/desktop/config/migrations/DesktopConfigMigratorTest.ts index ab7d5e02ea5e..a4ce1426beea 100644 --- a/test/client/desktop/config/migrations/DesktopConfigMigratorTest.ts +++ b/test/client/desktop/config/migrations/DesktopConfigMigratorTest.ts @@ -2,13 +2,13 @@ import o from "ospec" import {DesktopConfigMigrator} from "../../../../../src/desktop/config/migrations/DesktopConfigMigrator" import {DesktopCryptoFacade} from "../../../../../src/desktop/DesktopCryptoFacade" import {downcast} from "@tutao/tutanota-utils" -import {makeDeviceKeyProvider} from "../../../../api/TestUtils" -import {DesktopDeviceKeyProvider} from "../../../../../src/desktop/DeviceKeyProviderImpl"; +import {makeKeyStoreFacade} from "../../../../api/TestUtils" +import {DesktopKeyStoreFacade} from "../../../../../src/desktop/KeyStoreFacadeImpl"; o.spec('desktop config migrator test', function () { let migrator let crypto: DesktopCryptoFacade - let deviceKeyProvider: DesktopDeviceKeyProvider + let keyStoreFacade: DesktopKeyStoreFacade const key = new Uint8Array([1, 2, 3]) o.before(function () { 
@@ -27,8 +27,8 @@ o.spec('desktop config migrator test', function () { }) - deviceKeyProvider = makeDeviceKeyProvider(key) - migrator = new DesktopConfigMigrator(crypto, deviceKeyProvider, electron) + keyStoreFacade = makeKeyStoreFacade(key) + migrator = new DesktopConfigMigrator(crypto, keyStoreFacade, electron) }) o("migrations result in correct default config, client", async function () { const oldConfig = { diff --git a/test/client/desktop/credentials/ElectronCredentialsEncryptionTest.ts b/test/client/desktop/credentials/ElectronCredentialsEncryptionTest.ts index 38f1da313c61..d6ef57b6ac50 100644 --- a/test/client/desktop/credentials/ElectronCredentialsEncryptionTest.ts +++ b/test/client/desktop/credentials/ElectronCredentialsEncryptionTest.ts @@ -2,12 +2,11 @@ import o from "ospec" import n from "../../nodemocker" import {ElectronCredentialsEncryptionImpl} from "../../../../src/desktop/credentials/ElectronCredentialsEncryption" -import {DesktopDeviceKeyProvider} from "../../../../src/desktop/DeviceKeyProviderImpl" +import {DesktopKeyStoreFacade} from "../../../../src/desktop/KeyStoreFacadeImpl" import {DesktopCryptoFacade} from "../../../../src/desktop/DesktopCryptoFacade" import {CredentialEncryptionMode} from "../../../../src/misc/credentials/CredentialEncryptionMode" -import {makeDeviceKeyProvider} from "../../../api/TestUtils" +import {makeKeyStoreFacade} from "../../../api/TestUtils" import {assertThrows} from "@tutao/tutanota-test-utils" -import {ProgrammingError} from "../../../../src/api/common/error/ProgrammingError" o.spec("ElectronCredentialsEncryption Test", () => { const crypto = { 
@@ -15,18 +14,22 @@ o.spec("ElectronCredentialsEncryption Test", () => { aes256EncryptKeyToB64: (key, b64KeyToDecrypt) => "encryptedB64Key", } const key = new Uint8Array([1, 2, 3]) - const deviceKeyProvider = makeDeviceKeyProvider(key) + const keyStoreFacade = makeKeyStoreFacade(key) const getSubject = (): ElectronCredentialsEncryptionImpl => new ElectronCredentialsEncryptionImpl( - n.mock("__deviceKeyProvider", deviceKeyProvider).set(), + n.mock("__keyStoreFacade", keyStoreFacade).set(), n.mock("__crypto", crypto).set() ) o("throws when using wrong encryption mode", async function () { const ece = getSubject() - await assertThrows(ProgrammingError, () => ece.decryptUsingKeychain("base64", CredentialEncryptionMode.BIOMETRICS)) - await assertThrows(ProgrammingError, () => ece.decryptUsingKeychain("base64", CredentialEncryptionMode.SYSTEM_PASSWORD)) - await assertThrows(ProgrammingError, () => ece.encryptUsingKeychain("base64", CredentialEncryptionMode.BIOMETRICS)) - await assertThrows(ProgrammingError, () => ece.encryptUsingKeychain("base64", CredentialEncryptionMode.SYSTEM_PASSWORD)) + // @ts-ignore + await assertThrows(Error, () => ece.decryptUsingKeychain("base64", CredentialEncryptionMode.BIOMETRICS)) + // @ts-ignore + await assertThrows(Error, () => ece.decryptUsingKeychain("base64", CredentialEncryptionMode.SYSTEM_PASSWORD)) + // @ts-ignore + await assertThrows(Error, () => ece.encryptUsingKeychain("base64", CredentialEncryptionMode.BIOMETRICS)) + // @ts-ignore + await assertThrows(Error, () => ece.encryptUsingKeychain("base64", CredentialEncryptionMode.SYSTEM_PASSWORD)) }) }) \ No newline at end of file diff --git a/test/client/desktop/sse/DesktopAlarmStorageTest.ts b/test/client/desktop/sse/DesktopAlarmStorageTest.ts index a5ff532b0b78..c575e25abad2 100644 --- a/test/client/desktop/sse/DesktopAlarmStorageTest.ts +++ b/test/client/desktop/sse/DesktopAlarmStorageTest.ts 
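Review bot: The four `assertThrows(Error, ...)` calls in "throws when using wrong encryption mode" accept any exception, so a `TypeError` from a mis-wired mock would pass just as well as the mode check firing. Pin the failure to the guard by checking the message, e.g. `const e = await assertThrows(Error, () => ece.decryptUsingKeychain(...))` followed by `o(e.message.includes("unsupported encryption mode")).equals(true)`, assuming `assertThrows` resolves to the caught error. `// @ts-expect-error deliberately passing an unsupported mode` is preferable to the bare `// @ts-ignore`, since it states the intent and fails the build once the suppression is no longer needed.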
@@ -5,8 +5,8 @@ import {DesktopAlarmStorage} from "../../../../src/desktop/sse/DesktopAlarmStora import type {DesktopConfig} from "../../../../src/desktop/config/DesktopConfig" import {downcast} from "@tutao/tutanota-utils" import type {DesktopCryptoFacade} from "../../../../src/desktop/DesktopCryptoFacade" -import type {DesktopDeviceKeyProvider} from "../../../../src/desktop/DeviceKeyProviderImpl" -import {makeDeviceKeyProvider} from "../../../api/TestUtils" +import type {DesktopKeyStoreFacade} from "../../../../src/desktop/KeyStoreFacadeImpl" +import {makeKeyStoreFacade} from "../../../api/TestUtils" import {uint8ArrayToBitArray} from "@tutao/tutanota-crypto" o.spec("DesktopAlarmStorageTest", function () { @@ -75,12 +75,12 @@ o.spec("DesktopAlarmStorageTest", function () { } } - const deviceKeyProvider: DesktopDeviceKeyProvider = makeDeviceKeyProvider(new Uint8Array([1, 2, 3])) + const keyStoreFacade: DesktopKeyStoreFacade = makeKeyStoreFacade(new Uint8Array([1, 2, 3])) o("getPushIdentifierSessionKey with uncached sessionKey", async function () { const {confMock, cryptoMock} = standardMocks() - const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, deviceKeyProvider) + const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, keyStoreFacade) const key1 = await desktopStorage.getPushIdentifierSessionKey({ pushIdentifierSessionEncSessionKey: "abc", pushIdentifier: ["oneId", "twoId"] @@ -96,7 +96,7 @@ o.spec("DesktopAlarmStorageTest", function () { getVar: key => {} }).set() ) - const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, deviceKeyProvider) + const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, keyStoreFacade) await desktopStorage.storePushIdentifierSessionKey("fourId", "user4pw=") o(confMock.setVar.callCount).equals(1) 
@@ -113,7 +113,7 @@ o.spec("DesktopAlarmStorageTest", function () { o("getPushIdentifierSessionKey when sessionKey is unavailable", async function () { const {cryptoMock, confMock} = standardMocks() - const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, deviceKeyProvider) + const desktopStorage = new DesktopAlarmStorage(confMock, cryptoMock, keyStoreFacade) const key1 = await desktopStorage.getPushIdentifierSessionKey({ pushIdentifierSessionEncSessionKey: "def", pushIdentifier: ["fiveId", "sixId"]