diff --git a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java
index 95e89c2d0..1cfffa3c2 100644
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java
@@ -132,6 +132,9 @@ public interface CryptoComponent {
 * storage. The encryption and authentication keys are derived from the
 * given password. The ciphertext will be decryptable using the same
 * password after the app restarts.
+ *
+ * @param keyStoreConfig Configures the use of a stored key to strengthen
+ * the password-based key. If null, no stored key will be used
 */
 byte[] encryptWithPassword(byte[] plaintext, String password,
 @Nullable KeyStoreConfig keyStoreConfig);
@@ -141,6 +144,10 @@ public interface CryptoComponent {
 * storage. The encryption and authentication keys are derived from the
 * given password. Returns null if the ciphertext cannot be decrypted and
 * authenticated (for example, if the password is wrong).
+ *
+ * @param keyStoreConfig Configures the use of a stored key to strengthen
+ * the password-based key. If null, or if no stored key was used when
+ * encrypting the ciphertext, then no stored key will be used
 */
 @Nullable
 byte[] decryptWithPassword(byte[] ciphertext, String password,
diff --git a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/KeyStoreConfig.java b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/KeyStoreConfig.java
index f3c44740b..39f545f2f 100644
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/KeyStoreConfig.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/KeyStoreConfig.java
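Review bot: The new `@param keyStoreConfig` text on `decryptWithPassword` (second hunk) does not say what the caller gets back when the ciphertext was encrypted with a stored key but `keyStoreConfig` is null or the key is no longer in the keystore; the `encryptWithPassword` text (first hunk) is likewise silent about a missing key. The `generateIfMissing` flag visible in the `CryptoComponentImpl` context lines suggests encryption creates the key and decryption does not, but that is inferred rather than shown here. Once the behaviour is confirmed, I would add a sentence such as `If the ciphertext was encrypted with a stored key that is not available, returns null` to the decrypt Javadoc, so callers do not mistake a lost keystore entry for a wrong password. The `decryptWithPassword` declaration continues outside the hunk.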
@@ -4,12 +4,20 @@ import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 import java.security.spec.AlgorithmParameterSpec;
+/**
+ * Configures the use of a stored key to strengthen password-based encryption.
+ * The key may be stored in a hardware security module, but this is not
+ * guaranteed. See
+ * {@link CryptoComponent#encryptWithPassword(byte[], String, KeyStoreConfig)}
+ * and
+ * {@link CryptoComponent#decryptWithPassword(byte[], String, KeyStoreConfig)}.
+ */
 @NotNullByDefault
 public interface KeyStoreConfig {
 String getKeyStoreType();
- String getAlias();
+ String getKeyAlias();
 String getProviderName();
diff --git a/bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseConfig.java b/bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseConfig.java
index bd916a9c6..36982595d 100644
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseConfig.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseConfig.java
@@ -10,10 +10,20 @@ import javax.annotation.Nullable;
 @NotNullByDefault
 public interface DatabaseConfig {
+ /**
+ * Returns the directory where the database stores its data.
+ */
 File getDatabaseDirectory();
+ /**
+ * Returns the directory where the encrypted database key is stored.
+ */
 File getDatabaseKeyDirectory();
+ /**
+ * Returns a {@link KeyStoreConfig} for strengthening the encryption of the
+ * database key, or null if no keystore should be used.
+ */
 @Nullable
 KeyStoreConfig getKeyStoreConfig();
 }
diff --git a/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java b/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
index 2bf96007c..27052d737 100644
--- a/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
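Review bot: The accessors in `KeyStoreConfig` (`getKeyStoreType()`, the renamed `getKeyAlias()`, `getProviderName()`) still carry no Javadoc of their own, although the new class comment states that hardware backing of the key "is not guaranteed". A short comment on the alias would help, for example `/** Returns the alias under which the stored key is kept in the keystore. */`, together with a remark that the value must stay stable across releases, since a changed alias would presumably leave an existing stored key unreachable. Renaming an interface method also breaks any implementation outside this commit; only `AndroidKeyStoreConfig` is updated in the visible diff. The interface body continues past the end of the hunk.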
@@ -383,7 +383,7 @@ class CryptoComponentImpl implements CryptoComponent {
 ks.load(null);
 // Load or generate the stored key
 javax.crypto.SecretKey storedKey;
- Entry e = ks.getEntry(config.getAlias(), null);
+ Entry e = ks.getEntry(config.getKeyAlias(), null);
 if (e == null) {
 if (!generateIfMissing) {
 LOG.warning("Key not found in keystore");
diff --git a/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java b/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java
index 752272c15..83ce8db6b 100644
--- a/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java
+++ b/briar-android/src/main/java/org/briarproject/briar/android/AndroidKeyStoreConfig.java
@@ -31,7 +31,7 @@ class AndroidKeyStoreConfig implements KeyStoreConfig {
 }
 @Override
- public String getAlias() {
+ public String getKeyAlias() {
 return "db";
 }