diff --git a/ChangeLog b/ChangeLog
index 757e0eb..1596d7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,10 @@ NEXT
Added check for weak passphrases using entropy
test. Used with -k.
+ Removed support for unencrypted secret key storage
+ so, pcp aims to be secure by default and fails
+ safely.
+
0.3.0
Changed publuc key signature storage, previously
I didn't add the actual signature, therefore a
diff --git a/libpcp/readpass.c b/libpcp/readpass.c
index 6a3ac60..65430b3 100644
--- a/libpcp/readpass.c
+++ b/libpcp/readpass.c
@@ -24,6 +24,9 @@
* SUCH DAMAGE.
*/
+/*
+ * Modifications (c) 2013 - 2015 by T.v.Dein, same license as this file.
+ */
#include "readpass.h"
@@ -101,6 +104,8 @@ retry:
goto err2;
}
+
+
/* Confirm the password if necessary. */
if (confirmprompt != NULL) {
if (usingtty)
@@ -119,6 +124,13 @@ retry:
/* Terminate the string at the first "\r" or "\n" (if any). */
passbuf[strcspn(passbuf, "\r\n")] = '\0';
+ /* enforce no empty passwords */
+ if (strnlen(passbuf, MAXPASSLEN) == 0) {
+ fprintf(stderr,
+ "Empty password not allowed, please try again\n");
+ goto retry;
+ }
+
/* If we changed terminal settings, reset them. */
if (usingtty)
tcsetattr(fileno(readfrom), TCSANOW, &term_old);
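Review bot: The new `goto retry` on the empty-password path leaves before the `tcsetattr(fileno(readfrom), TCSANOW, &term_old)` restore on the following lines, so when input comes from a terminal the jump happens with the modified (echo-off) settings still in effect. If the `retry:` label (outside this hunk) re-runs the `tcgetattr` that fills `term_old`, the second pass captures the already-modified settings and the eventual restore leaves the terminal without echo after the function returns. Moving the five added lines below the `if (usingtty) tcsetattr(...)` block, so the check runs on a restored terminal, avoids that. Since the line above has just NUL-terminated the buffer, `passbuf[0] == '\0'` expresses the same test as `strnlen(passbuf, MAXPASSLEN) == 0`. The enclosing function starts and ends outside this hunk.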
diff --git a/man/options.pod b/man/options.pod
index 48550e4..ff81986 100644
--- a/man/options.pod
+++ b/man/options.pod
@@ -38,9 +38,7 @@
been specified, don't store the generated
key to the vault but export it to the
file instead. You will be asked for
- an owner, mail and a passphrase. If you
- leave the passphrase empty, the key will
- be stored unencrypted.
+ an owner, mail and a passphrase.
-l --listkeys List all keys currently stored in your
vault. Only the key id's and some info
about the keys will be printed, not the
diff --git a/src/encryption.c b/src/encryption.c
index 78cc0a9..58108a3 100644
--- a/src/encryption.c
+++ b/src/encryption.c
@@ -95,29 +95,27 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd, i
goto errde3;
}
}
- if(secret->secret[0] == 0) {
- /* encrypted, decrypt it */
- char *passphrase;
- if(passwd == NULL) {
- pcp_readpass(ptx, &passphrase,
- "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
- }
- else {
- passphrase = smalloc(strlen(passwd)+1);
- memcpy(passphrase, passwd, strlen(passwd)+1);
- }
- secret = pcpkey_decrypt(ptx, secret, passphrase);
- sfree(passphrase);
- if(secret == NULL)
- goto errde3;
-
- if(head == PCP_ASYM_CIPHER_ANON)
- anon = 1;
-
- if(head == PCP_ASYM_CIPHER_SIG)
- verify = 1;
+ char *passphrase;
+ if(passwd == NULL) {
+ pcp_readpass(ptx, &passphrase,
+ "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
}
+ else {
+ passphrase = smalloc(strlen(passwd)+1);
+ memcpy(passphrase, passwd, strlen(passwd)+1);
+ }
+
+ secret = pcpkey_decrypt(ptx, secret, passphrase);
+ sfree(passphrase);
+ if(secret == NULL)
+ goto errde3;
+
+ if(head == PCP_ASYM_CIPHER_ANON)
+ anon = 1;
+
+ if(head == PCP_ASYM_CIPHER_SIG)
+ verify = 1;
}
else {
fatal(ptx, "Could not determine input file type (got: %02x)\n", head);
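Review bot: Dropping the `secret->secret[0] == 0` test means a secret key that an existing vault still holds in plaintext is now sent straight to the passphrase prompt and `pcpkey_decrypt` instead of being recognised; the removed lines used that byte as the "encrypted" marker, so the inverse could reject such keys with a clear message before prompting, e.g. `if(secret->secret[0] != 0) { fatal(ptx, "Unencrypted secret key not supported\n"); goto errde3; }`, assuming the vault loader still sets that marker the same way. Without it, the failure mode for a legacy key is presumably a generic decryption error after the user has typed a passphrase. The same removal without a replacement check appears in pcpencrypt (next hunk), in pcp_exportsecret in src/keymgmt.c and in pcpsign in src/signature.c. pcpdecrypt begins and ends outside this hunk.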
@@ -264,22 +262,20 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
goto erren2;
}
- if(secret->secret[0] == 0) {
- /* encrypted, decrypt it */
- char *passphrase;
- if(passwd == NULL) {
- pcp_readpass(ptx, &passphrase,
- "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
- }
- else {
- passphrase = smalloc(strlen(passwd)+1);
- memcpy(passphrase, passwd, strlen(passwd)+1);
- }
- secret = pcpkey_decrypt(ptx, secret, passphrase);
- sfree(passphrase);
- if(secret == NULL)
- goto erren2;
+ char *passphrase;
+ if(passwd == NULL) {
+ pcp_readpass(ptx, &passphrase,
+ "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
}
+ else {
+ passphrase = smalloc(strlen(passwd)+1);
+ memcpy(passphrase, passwd, strlen(passwd)+1);
+ }
+ secret = pcpkey_decrypt(ptx, secret, passphrase);
+ sfree(passphrase);
+ if(secret == NULL)
+ goto erren2;
+
}
}
diff --git a/src/keymgmt.c b/src/keymgmt.c
index ab74194..09043e3 100644
--- a/src/keymgmt.c
+++ b/src/keymgmt.c
@@ -1,7 +1,7 @@
/*
This file is part of Pretty Curved Privacy (pcp1).
- Copyright (C) 2013-2015 T.Linden.
+ Copyright (C) 2013-2015 T.v.Dein.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -97,14 +97,10 @@ void pcp_keygen(char *passwd) {
key = pcpkey_encrypt(ptx, k, passphrase);
}
else {
- char *yes = pcp_getstdin("WARNING: secret key will be stored unencrypted. Are you sure [yes|NO]?");
- if(strncmp(yes, "yes", 1024) == 0)
- key = k;
- else {
- memset(key, 0, sizeof(pcp_key_t));
- free(key);
- goto errkg1;
- }
+ /* No unencrypted secret key allowed anymore [19.08.2015, tom] */
+ memset(k, 0, sizeof(pcp_key_t));
+ free(k);
+ goto errkg1;
}
if(key != NULL) {
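Review bot: The new else branch frees the generated key and jumps to `errkg1` without telling the user why key generation was abandoned; unless `errkg1` (outside this hunk) prints something, an empty passphrase supplied via `-x` now fails silently where the removed code at least printed a warning. A one-line diagnostic before the cleanup, e.g. `fatal(ptx, "Empty passphrase not allowed, secret key will not be stored\n");` using the helper src/encryption.c already calls with `ptx`, would make the refusal explicit. Zeroing `k` with plain `memset` immediately before `free` can be elided by the optimizer (the pattern is inherited from the removed lines); if the project's `sfree`, used for passphrases elsewhere in this commit, does a wipe-then-free, it would fit here as well. pcp_keygen starts and ends outside this hunk.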
@@ -239,24 +235,21 @@ void pcp_exportsecret(char *keyid, int useid, char *outfile, int armor, char *pa
if(debug)
pcp_dumpkey(key);
- if(key->secret[0] == 0) {
- /* decrypt the secret key */
- if(passwd == NULL) {
- char *passphrase;
- pcp_readpass(ptx, &passphrase,
- "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
- key = pcpkey_decrypt(ptx, key, passphrase);
- if(key == NULL) {
- sfree(passphrase);
- goto errexpse1;
- }
+ if(passwd == NULL) {
+ char *passphrase;
+ pcp_readpass(ptx, &passphrase,
+ "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
+ key = pcpkey_decrypt(ptx, key, passphrase);
+ if(key == NULL) {
sfree(passphrase);
+ goto errexpse1;
}
- else {
- key = pcpkey_decrypt(ptx, key, passwd);
- if(key == NULL) {
- goto errexpse1;
- }
+ sfree(passphrase);
+ }
+ else {
+ key = pcpkey_decrypt(ptx, key, passwd);
+ if(key == NULL) {
+ goto errexpse1;
}
}
diff --git a/src/pcp.c b/src/pcp.c
index 0b9fc3f..fa4b881 100644
--- a/src/pcp.c
+++ b/src/pcp.c
@@ -270,8 +270,6 @@ int main (int argc, char **argv) {
case 'x':
xpass = smalloc(strlen(optarg)+1);
strncpy(xpass, optarg, strlen(optarg)+1);
- if(strncmp(xpass, "n/a", 3) == 0)
- xpass[0] = '\0';
break;
case LONG_EXTPASS:
askpass = malloc(strlen(optarg)+1);
diff --git a/src/signature.c b/src/signature.c
index 97c16d5..5406c81 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -54,23 +54,20 @@ int pcpsign(char *infile, char *outfile, char *passwd, int z85, int detach) {
}
}
- if(secret->secret[0] == 0) {
- /* encrypted, decrypt it */
- char *passphrase;
- if(passwd == NULL) {
- pcp_readpass(ptx, &passphrase,
- "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
- }
- else {
- passphrase = smalloc(strlen(passwd)+1);
- memcpy(passphrase, passwd, strlen(passwd)+1);
- }
-
- secret = pcpkey_decrypt(ptx, secret, passphrase);
- sfree(passphrase);
- if(secret == NULL)
- goto errs1;
+ char *passphrase;
+ if(passwd == NULL) {
+ pcp_readpass(ptx, &passphrase,
+ "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
}
+ else {
+ passphrase = smalloc(strlen(passwd)+1);
+ memcpy(passphrase, passwd, strlen(passwd)+1);
+ }
+
+ secret = pcpkey_decrypt(ptx, secret, passphrase);
+ sfree(passphrase);
+ if(secret == NULL)
+ goto errs1;
Pcpstream *pin = ps_new_file(in);
Pcpstream *pout = ps_new_file(out);
diff --git a/tests/unittests.cfg b/tests/unittests.cfg
index 99e55f1..cc854a6 100644
--- a/tests/unittests.cfg
+++ b/tests/unittests.cfg
@@ -2,7 +2,7 @@
#
# This file is part of Pretty Curved Privacy (pcp1).
#
-# Copyright (C) 2013 T.Linden.
+# Copyright (C) 2013-2015 T.v.Dein.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -259,55 +259,15 @@ temporarily disabled
#
# symetric encryption test
-# FIXME: we currently use -V ve, but this one has to work without a vault
- cmd = echo HELLOWORLD | $pcp -V ve -e -O testsymencrypted -x a
+ cmd = echo HELLOWORLD | $pcp -e -O testsymencrypted -x a
expect = /symetrically/
- cmd = $pcp -V ve -d -I testsymencrypted -x a
+ cmd = $pcp -d -I testsymencrypted -x a
expect = /HELLO/
-#
-# check usage of unencrypted secret key
-
- prepare = rm -f vb2 vcl
-
- cmd = (echo dau; echo foo; echo yes) | $pcp -V vcl -k -x "n/a"
- expect = /added to/
-
-
-
- cmd = $pcp -V vcl -I key-bobby-pub -K
- expect = /added/
-
-
-
- cmd = $pcp -V vcl -p -O testkeyvcl
- expect = /exported/
-
-
-
- cmd = $pcp -V vb2 -K -I key-bobby-sec -x b
- expect = /${idbobby}/
-
-
-
- cmd = $pcp -V vb2 -K -I testkeyvcl
- expect = /added/
-
-
-
- cmd = echo HALLO | $pcp -V vcl -e -O testencrypted -i ${idbobby}
- expect = /Bobby/
-
-
-
- cmd = $pcp -V vb2 -d -I testencrypted -x b
- expect = /HALLO/
-
-
#
# signature tests