diff --git a/data/src/main/java/org/cryptomator/data/cloud/crypto/CryptoCloudFactory.java b/data/src/main/java/org/cryptomator/data/cloud/crypto/CryptoCloudFactory.java
index a1729c24..4caa9d2d 100644
--- a/data/src/main/java/org/cryptomator/data/cloud/crypto/CryptoCloudFactory.java
+++ b/data/src/main/java/org/cryptomator/data/cloud/crypto/CryptoCloudFactory.java
@@ -12,6 +12,7 @@ import org.cryptomator.domain.usecases.vault.UnlockToken;
 import org.cryptomator.util.Optional;
 
 import java.io.ByteArrayOutputStream;
+import java.security.SecureRandom;
 
 import javax.inject.Inject;
 import javax.inject.Singleton;
@@ -27,6 +28,7 @@ public class CryptoCloudFactory {
 
 	private final CloudContentRepository cloudContentRepository;
 	private final CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory;
+	private final SecureRandom secureRandom = new SecureRandom();
 
 	@Inject
 	public CryptoCloudFactory(CloudContentRepository cloudContentRepository, //
@@ -84,12 +86,12 @@ public class CryptoCloudFactory {
 		if (unverifiedVaultConfigOptional.isPresent()) {
 			switch (unverifiedVaultConfigOptional.get().getKeyId().getScheme()) {
 				case MASTERKEY_SCHEME: {
-					return new MasterkeyCryptoCloudProvider(cloudContentRepository, cryptoCloudContentRepositoryFactory);
+					return new MasterkeyCryptoCloudProvider(cloudContentRepository, cryptoCloudContentRepositoryFactory, secureRandom);
 				}
 				default: throw new IllegalStateException(String.format("Provider with scheme %s not supported", unverifiedVaultConfigOptional.get().getKeyId().getScheme()));
 			}
 		} else {
-			return new MasterkeyCryptoCloudProvider(cloudContentRepository, cryptoCloudContentRepositoryFactory);
+			return new MasterkeyCryptoCloudProvider(cloudContentRepository, cryptoCloudContentRepositoryFactory, secureRandom);
 		}
 	}
 }
diff --git a/data/src/main/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProvider.java b/data/src/main/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProvider.java
index d1720dd7..e7b7739f 100644
--- a/data/src/main/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProvider.java
+++ b/data/src/main/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProvider.java
@@ -49,19 +49,22 @@ public class MasterkeyCryptoCloudProvider implements CryptoCloudProvider {
 
 	private final CloudContentRepository cloudContentRepository;
 	private final CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory;
+	private final SecureRandom secureRandom;
 
 	public MasterkeyCryptoCloudProvider(CloudContentRepository cloudContentRepository, //
-			CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory) {
+			CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory,
+			SecureRandom secureRandom) {
 		this.cloudContentRepository = cloudContentRepository;
 		this.cryptoCloudContentRepositoryFactory = cryptoCloudContentRepositoryFactory;
+		this.secureRandom = secureRandom;
 	}
 
 	@Override
 	public void create(CloudFolder location, CharSequence password) throws BackendException {
 		// 1. write masterkey:
-		Masterkey masterkey = Masterkey.generate(new SecureRandom());
+		Masterkey masterkey = Masterkey.generate(secureRandom);
 		try (ByteArrayOutputStream data = new ByteArrayOutputStream()) {
-			new MasterkeyFileAccess(PEPPER, new SecureRandom()).persist(masterkey, data, password, DEFAULT_MASTERKEY_FILE_VERSION);
+			new MasterkeyFileAccess(PEPPER, secureRandom).persist(masterkey, data, password, DEFAULT_MASTERKEY_FILE_VERSION);
 			cloudContentRepository.write(legacyMasterkeyFile(location), ByteArrayDataSource.from(data.toByteArray()), NO_OP_PROGRESS_AWARE, false, data.size());
 		} catch (IOException e) {
 			throw new FatalBackendException("Failed to write masterkey", e);
@@ -174,7 +177,7 @@ public class MasterkeyCryptoCloudProvider implements CryptoCloudProvider {
 	}
 
 	private Cryptor cryptorFor(Masterkey keyFile, VaultCipherCombo vaultCipherCombo) {
-		return vaultCipherCombo.getCryptorProvider(new SecureRandom()).withKey(keyFile);
+		return vaultCipherCombo.getCryptorProvider(secureRandom).withKey(keyFile);
 	}
 
 	@Override
@@ -269,7 +272,7 @@ public class MasterkeyCryptoCloudProvider implements CryptoCloudProvider {
 
 	private void createNewMasterKeyFile(byte[] data, int vaultVersion, String oldPassword, String newPassword, CloudFile masterkeyFile) throws BackendException {
 		try {
-			byte[] newMasterKeyFile = new MasterkeyFileAccess(PEPPER, new SecureRandom()) //
+			byte[] newMasterKeyFile = new MasterkeyFileAccess(PEPPER, secureRandom) //
 					.changePassphrase(data, normalizePassword(oldPassword, vaultVersion), normalizePassword(newPassword, vaultVersion));
 			cloudContentRepository.write(masterkeyFile, //
 					ByteArrayDataSource.from(newMasterKeyFile), //