I have written analysis/design notes for KeyManager/KeyStore improvement in Elytron: Analysis / Design - KeyStore password as default KeyManager password https://developer.jboss.org/wiki/AnalysisDesign-KeyStorePasswordAsDefault... The goal is to allow not specifying keystore item password - only keystore password would be specified. Item (private key) would be in such case decrypted using keystore password. (This is how it works in legacy security) Problem in Elytron is how to deliver this password from KeyStore into KeyManager, as KeyManager and KeyStore are two independent resources in Elytron.