diff --git a/media/js/client_crypto.js b/media/js/client_crypto.js
new file mode 100644
index 0000000000..5a35f7d8d6
--- /dev/null
+++ b/media/js/client_crypto.js
@@ -0,0 +1,62 @@
+var salt = sjcl.codec.bytes.toBits([0xda, 0x90, 0x45, 0xc3, 0x06, 0xc7, 0xcc, 0x26]);
+
+// gen magic_str
+function gen_magic_str(repo_id, passwd) {
+    var magic_array = sjcl.misc.pbkdf2(repo_id + passwd, salt, 1000, 32*8, null);
+    var magic_str = sjcl.codec.hex.fromBits(magic_array); //convert to hex
+    return magic_str;
+}
+
+function FileKey(passwd) {
+    this.passwd = passwd;
+}
+FileKey.prototype.pre = function() {
+    var passwd = this.passwd;
+
+    var key_array = sjcl.misc.pbkdf2(passwd, salt, 1000, 32*8, null);
+    var iv_array = sjcl.misc.pbkdf2(key_array, salt, 10, 32*8, null);
+    var key =  sjcl.codec.hex.fromBits(key_array);
+    var iv = sjcl.codec.hex.fromBits(iv_array);
+    
+    return {key: key, iv:iv};
+};
+// generate an encrypted file key
+FileKey.prototype.gen_enc = function() {
+    var file_key_array;
+    if (window.crypto && window.crypto.getRandomValues) {
+        file_key_array = new Uint32Array(8);
+        window.crypto.getRandomValues(file_key_array);
+    } else {
+        file_key_array = []; 
+        for (var i = 0; i < 8; i++) {
+            file_key_array.push(parseInt(Math.random() * Math.pow(2,32)));
+        }
+    }
+
+    var pre = this.pre();
+    var key = pre.key, iv = pre.iv;
+
+    var encrypted_file_key_obj = CryptoJS.AES.encrypt(CryptoJS.lib.WordArray.create(file_key_array), CryptoJS.enc.Hex.parse(key), {iv: CryptoJS.enc.Hex.parse(iv)});
+    var encrypted_file_key = encrypted_file_key_obj.ciphertext.toString(CryptoJS.enc.Hex); // convert to hex
+    
+    return encrypted_file_key;
+};
+FileKey.prototype.decrypt = function(encrypted_file_key) {
+    var pre = this.pre();
+    var key = pre.key, iv = pre.iv;
+
+    var file_key_array = CryptoJS.AES.decrypt(CryptoJS.enc.Hex.parse(encrypted_file_key).toString(CryptoJS.enc.Base64), CryptoJS.enc.Hex.parse(key), {iv: CryptoJS.enc.Hex.parse(iv)});
+    var file_key = file_key_array.toString(CryptoJS.enc.Hex);
+    
+    return file_key;
+};
+
+// gen key, iv: used in file encrypt/decrypt
+function gen_enc_key_iv(file_key) {
+    var enc_key_array = sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(file_key), salt, 1000, 32*8, null);
+    var enc_iv_array = sjcl.misc.pbkdf2(enc_key_array, salt, 10, 32*8, null);
+    var enc_key = sjcl.codec.hex.fromBits(enc_key_array);
+    var enc_iv = sjcl.codec.hex.fromBits(enc_iv_array);
+    
+    return {key: enc_key, iv:enc_iv}; 
+}
diff --git a/media/js/codecBytes.js b/media/js/codecBytes.js
deleted file mode 100644
index cde2af3aec..0000000000
--- a/media/js/codecBytes.js
+++ /dev/null
@@ -1,37 +0,0 @@
-/** @fileOverview Bit array codec implementations.
- *
- * @author Emily Stark
- * @author Mike Hamburg
- * @author Dan Boneh
- */
-
-/** @namespace Arrays of bytes */
-sjcl.codec.bytes = {
-  /** Convert from a bitArray to an array of bytes. */
-  fromBits: function (arr) {
-    var out = [], bl = sjcl.bitArray.bitLength(arr), i, tmp;
-    for (i=0; i<bl/8; i++) {
-      if ((i&3) === 0) {
-        tmp = arr[i/4];
-      }
-      out.push(tmp >>> 24);
-      tmp <<= 8;
-    }
-    return out;
-  },
-  /** Convert from an array of bytes to a bitArray. */
-  toBits: function (bytes) {
-    var out = [], i, tmp=0;
-    for (i=0; i<bytes.length; i++) {
-      tmp = tmp << 8 | bytes[i];
-      if ((i&3) === 3) {
-        out.push(tmp);
-        tmp = 0;
-      }
-    }
-    if (i&3) {
-      out.push(sjcl.bitArray.partial(8*(i&3), tmp));
-    }
-    return out;
-  }
-};
diff --git a/media/js/sjcl.min.js b/media/js/sjcl.js
similarity index 95%
rename from media/js/sjcl.min.js
rename to media/js/sjcl.js
index fc65105484..c2973719fc 100644
--- a/media/js/sjcl.min.js
+++ b/media/js/sjcl.js
@@ -46,3 +46,40 @@ q(new sjcl.exception.invalid("json encode: invalid property name")),c+=d+'"'+b+'
 {},c,d;for(c=0;c<a.length;c++)(d=a[c].match(/^(?:(["']?)([a-z][a-z0-9]*)\1):(?:(\d+)|"([a-z0-9+\/%*_.@=\-]*)")$/i))||q(new sjcl.exception.invalid("json decode: this isn't json!")),b[d[2]]=d[3]?parseInt(d[3],10):d[2].match(/^(ct|salt|iv)$/)?sjcl.codec.base64.toBits(d[4]):unescape(d[4]);return b},d:function(a,b,c){a===t&&(a={});if(b===t)return a;for(var d in b)b.hasOwnProperty(d)&&(c&&(a[d]!==t&&a[d]!==b[d])&&q(new sjcl.exception.invalid("required parameter overridden")),a[d]=b[d]);return a},X:function(a,
 b){var c={},d;for(d in a)a.hasOwnProperty(d)&&a[d]!==b[d]&&(c[d]=a[d]);return c},W:function(a,b){var c={},d;for(d=0;d<b.length;d++)a[b[d]]!==t&&(c[b[d]]=a[b[d]]);return c}};sjcl.encrypt=sjcl.json.encrypt;sjcl.decrypt=sjcl.json.decrypt;sjcl.misc.V={};
 sjcl.misc.cachedPbkdf2=function(a,b){var c=sjcl.misc.V,d;b=b||{};d=b.iter||1E3;c=c[a]=c[a]||{};d=c[d]=c[d]||{firstSalt:b.salt&&b.salt.length?b.salt.slice(0):sjcl.random.randomWords(2,0)};c=b.salt===t?d.firstSalt:b.salt;d[c]=d[c]||sjcl.misc.pbkdf2(a,c,b.iter);return{key:d[c].slice(0),salt:c.slice(0)}};
+/** @fileOverview Bit array codec implementations.
+ *
+ * @author Emily Stark
+ * @author Mike Hamburg
+ * @author Dan Boneh
+ */
+
+/** @namespace Arrays of bytes */
+sjcl.codec.bytes = {
+  /** Convert from a bitArray to an array of bytes. */
+  fromBits: function (arr) {
+    var out = [], bl = sjcl.bitArray.bitLength(arr), i, tmp;
+    for (i=0; i<bl/8; i++) {
+      if ((i&3) === 0) {
+        tmp = arr[i/4];
+      }
+      out.push(tmp >>> 24);
+      tmp <<= 8;
+    }
+    return out;
+  },
+  /** Convert from an array of bytes to a bitArray. */
+  toBits: function (bytes) {
+    var out = [], i, tmp=0;
+    for (i=0; i<bytes.length; i++) {
+      tmp = tmp << 8 | bytes[i];
+      if ((i&3) === 3) {
+        out.push(tmp);
+        tmp = 0;
+      }
+    }
+    if (i&3) {
+      out.push(sjcl.bitArray.partial(8*(i&3), tmp));
+    }
+    return out;
+  }
+};
diff --git a/seahub/base/context_processors.py b/seahub/base/context_processors.py
index 74b35ff97a..9339e7abcc 100644
--- a/seahub/base/context_processors.py
+++ b/seahub/base/context_processors.py
@@ -7,7 +7,7 @@ These are referenced from the setting TEMPLATE_CONTEXT_PROCESSORS and used by
 RequestContext.
 """
 from seahub.settings import SEAFILE_VERSION, SITE_TITLE, SITE_NAME, SITE_BASE, \
-    ENABLE_SIGNUP, MAX_FILE_NAME, BRANDING_CSS, LOGO_PATH, LOGO_URL, KEEP_ENC_REPO_PASSWD
+    ENABLE_SIGNUP, MAX_FILE_NAME, BRANDING_CSS, LOGO_PATH, LOGO_URL, SERVER_CRYPTO
 try:
     from seahub.settings import BUSINESS_MODE
 except ImportError:
@@ -54,6 +54,6 @@ def base(request):
         'max_file_name': MAX_FILE_NAME,
         'has_file_search': HAS_FILE_SEARCH,
         'enable_pubfile': ENABLE_PUBFILE,
-        'keep_enc_repo_passwd': KEEP_ENC_REPO_PASSWD,
+        'server_crypto': SERVER_CRYPTO,
         }
 
diff --git a/seahub/base/decorators.py b/seahub/base/decorators.py
index 057c9825dc..d3a1a85f06 100644
--- a/seahub/base/decorators.py
+++ b/seahub/base/decorators.py
@@ -5,7 +5,7 @@ from seaserv import get_repo, is_passwd_set
 
 from seahub.utils import check_and_get_org_by_repo, check_and_get_org_by_group, render_error
 from django.utils.translation import ugettext as _
-from seahub.settings import KEEP_ENC_REPO_PASSWD
+from seahub.settings import SERVER_CRYPTO
 
 def sys_staff_required(func):
     """
@@ -65,7 +65,7 @@ def repo_passwd_set_required(func):
             raise Http404
         username = request.user.username
         if repo.encrypted:
-            if (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+            if (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
                 and not is_passwd_set(repo_id, username):
                 # Redirect uesr to decrypt repo page.
                 return render_to_response('decrypt_repo_form.html', {
@@ -73,7 +73,7 @@ def repo_passwd_set_required(func):
                         'next': request.get_full_path(),
                         }, context_instance=RequestContext(request))
 
-            if repo.enc_version == 2 and not KEEP_ENC_REPO_PASSWD:
+            if repo.enc_version == 2 and not SERVER_CRYPTO:
                 return render_error(request, _(u'Files in this library can not be viewed online.'))
 
         return func(request, *args, **kwargs)
diff --git a/seahub/forms.py b/seahub/forms.py
index e1b42c85b6..499e6c5b65 100644
--- a/seahub/forms.py
+++ b/seahub/forms.py
@@ -66,7 +66,7 @@ class RepoCreateForm(forms.Form):
             })
     uuid = forms.CharField(required=False)
     magic_str = forms.CharField(required=False)
-    random_key = forms.CharField(required=False)
+    encrypted_file_key = forms.CharField(required=False)
     def clean_repo_name(self):
         repo_name = self.cleaned_data['repo_name']
         if not is_valid_filename(repo_name):
@@ -80,7 +80,7 @@ class RepoCreateForm(forms.Form):
         if int(encryption) == 0:
             return self.cleaned_data
 
-        if settings.KEEP_ENC_REPO_PASSWD:
+        if settings.SERVER_CRYPTO:
             passwd = self.cleaned_data['passwd']
             passwd_again = self.cleaned_data['passwd_again']
             if not (passwd and passwd_again):
@@ -90,8 +90,8 @@ class RepoCreateForm(forms.Form):
         else:
             uuid = self.cleaned_data['uuid']
             magic_str = self.cleaned_data['magic_str']
-            random_key = self.cleaned_data['random_key']
-            if not (uuid and magic_str and random_key):
+            encrypted_file_key = self.cleaned_data['encrypted_file_key']
+            if not (uuid and magic_str and encrypted_file_key):
                 raise forms.ValidationError(_("Argument missing"))
 
         return self.cleaned_data
diff --git a/seahub/group/templates/group/group_info.html b/seahub/group/templates/group/group_info.html
index f1ee2859fd..f4ee898b3c 100644
--- a/seahub/group/templates/group/group_info.html
+++ b/seahub/group/templates/group/group_info.html
@@ -169,12 +169,7 @@
 {% endblock %}
 
 {% block extra_script %}
-{% if not keep_enc_repo_passwd %}
-<script type="text/javascript" src="{{MEDIA_URL}}js/uuid.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.min.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/codecBytes.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/CryptoJS/rollups/aes.js"></script>
-{% endif %}
+{% include 'snippets/repo_create_js_files.html' %}
 <script type="text/javascript">
 addConfirmTo($('#quit-group'), {
         'title':'{% trans "Quit Group" %}',
diff --git a/seahub/group/views.py b/seahub/group/views.py
index 9a8db58b32..5e41ee9aa3 100644
--- a/seahub/group/views.py
+++ b/seahub/group/views.py
@@ -47,7 +47,7 @@ from seahub.wiki import get_group_wiki_repo, get_group_wiki_page, convert_wiki_l
     get_wiki_pages
 from seahub.wiki.models import WikiDoesNotExist, WikiPageMissing, GroupWiki
 from seahub.wiki.utils import clean_page_name, get_wiki_dirent
-from seahub.settings import SITE_ROOT, SITE_NAME, MEDIA_URL, KEEP_ENC_REPO_PASSWD
+from seahub.settings import SITE_ROOT, SITE_NAME, MEDIA_URL, SERVER_CRYPTO
 from seahub.shortcuts import get_first_object_or_none
 from seahub.utils import render_error, render_permission_error, string2list, \
     check_and_get_org_by_group, gen_file_get_url, get_file_type_and_ext, \
@@ -939,7 +939,7 @@ def create_group_repo(request, group_id):
         passwd = form.cleaned_data['passwd']
         uuid = form.cleaned_data['uuid']
         magic_str = form.cleaned_data['magic_str']
-        random_key = form.cleaned_data['random_key']
+        encrypted_file_key = form.cleaned_data['encrypted_file_key']
         user = request.user.username
 
         org, base_template = check_and_get_org_by_group(group.id, user)
@@ -976,10 +976,10 @@ def create_group_repo(request, group_id):
                 if not encryption:
                     repo_id = seafile_api.create_repo(repo_name, repo_desc, user, None)
                 else:
-                    if KEEP_ENC_REPO_PASSWD:
+                    if SERVER_CRYPTO:
                         repo_id = seafile_api.create_repo(repo_name, repo_desc, user, passwd)
                     else:
-                        repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, random_key, enc_version=2)
+                        repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, encrypted_file_key, enc_version=2)
 
             except SearpcError, e:
                 repo_id = None 
diff --git a/seahub/settings.py b/seahub/settings.py
index 9aee5a4933..ebdec8ee26 100644
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -180,8 +180,8 @@ AUTHENTICATION_BACKENDS = (
 
 ACCOUNT_ACTIVATION_DAYS = 7
 
-# keep password of encrypted repo (on the server)
-KEEP_ENC_REPO_PASSWD = True
+# for v2 enc repo: encrypt/decrypt on the server
+SERVER_CRYPTO = True
 
 # File preview
 FILE_PREVIEW_MAX_SIZE = 30 * 1024 * 1024
diff --git a/seahub/templates/myhome.html b/seahub/templates/myhome.html
index 5c8c1cd751..ea97f8d9ab 100644
--- a/seahub/templates/myhome.html
+++ b/seahub/templates/myhome.html
@@ -115,12 +115,7 @@
 {% endblock %}
 
 {% block extra_script %}
-{% if not keep_enc_repo_passwd %}
-<script type="text/javascript" src="{{MEDIA_URL}}js/uuid.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.min.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/codecBytes.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/CryptoJS/rollups/aes.js"></script>
-{% endif %}
+{% include 'snippets/repo_create_js_files.html' %}
 <script type="text/javascript">
 {% if quota > 0 %}
     {% if CALC_SHARE_USAGE %}  
diff --git a/seahub/templates/pubrepo.html b/seahub/templates/pubrepo.html
index b333fcd5ad..45cfcd1d74 100644
--- a/seahub/templates/pubrepo.html
+++ b/seahub/templates/pubrepo.html
@@ -56,12 +56,7 @@
 {% endblock %}
 
 {% block extra_script %}
-{% if not keep_enc_repo_passwd %}
-<script type="text/javascript" src="{{MEDIA_URL}}js/uuid.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.min.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/codecBytes.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/CryptoJS/rollups/aes.js"></script>
-{% endif %}
+{% include 'snippets/repo_create_js_files.html' %}
 <script type="text/javascript">
     $(".download-btn").click(function() {
         window.open('{{ SITE_ROOT }}seafile_access_check/?repo_id=' + $(this).attr('data'));
diff --git a/seahub/templates/repo.html b/seahub/templates/repo.html
index 49d14bf086..fe8d202347 100644
--- a/seahub/templates/repo.html
+++ b/seahub/templates/repo.html
@@ -7,7 +7,7 @@
 <style type="text/css">
 #main { width:auto; }
 #footer { display:none; }
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
 #main { display:none; }
 {% endif %}
 </style>    
@@ -60,7 +60,7 @@
         <p class="error">{% trans "The owner of this library has ran out of space." %}</p>
         {% else %}
         <form id="upload-file-form" enctype="multipart/form-data" method="post" action="{{ajax_upload_url}}">{% csrf_token %}
-            {% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+            {% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
             <input type="file" name="file" /><br />
             <p class="error hide">{% trans "Please select a file at first." %}</p>
             <input type="button" value="{% trans "Submit" %}" />
@@ -107,7 +107,7 @@
         <form id="update-file-form" enctype="multipart/form-data" method="post" action="">{% csrf_token %}
             <input type="hidden" name="target_file" />
 
-            {% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+            {% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
             <input type="file" name="file" /><br />
             <p class="error hide">{% trans "Please select a file at first." %}</p>
             <input type="button" value="{% trans "Submit" %}" />
@@ -200,12 +200,14 @@
 {% endblock %}
 
 {% block extra_script %}
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
-<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.min.js"></script>
-<script type="text/javascript" src="{{MEDIA_URL}}js/codecBytes.js"></script>
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
+<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.js"></script>
 <script type="text/javascript" src="{{MEDIA_URL}}js/CryptoJS/rollups/aes.js"></script>
+<script type="text/javascript" src="{{MEDIA_URL}}js/client_crypto.js"></script>
 <script type="text/javascript">
-var valid_time_period = 60 * 60 * 1000; // passwd will be kept for 1 h
+// 'passwd' will be kept for 1 hour.
+var valid_time_period = 60 * 60 * 1000;
+// key, iv used in file encrypt/decrypt
 var enc_key, enc_iv;
 if ('localStorage' in window && window['localStorage'] !== null) {
     // 'localStorage' is supported
@@ -232,27 +234,18 @@ function decrypt_repo() {
             err.html("{% trans "Please enter the password." %}").removeClass('hide');
             return false;
         }
-
-        var salt = sjcl.codec.bytes.toBits([0xda, 0x90, 0x45, 0xc3, 0x06, 0xc7, 0xcc, 0x26]);
-        var magic_array = sjcl.misc.pbkdf2('{{repo.id}}' + passwd, salt, 1000, 32*8, null),
-            magic_str = sjcl.codec.hex.fromBits(magic_array); //convert to hex
+        
+        var magic_str = gen_magic_str('{{repo.id}}', passwd);
         if (magic_str == '{{repo.magic}}') {
             decrypt_form.remove();
             $('#main').show();
+            
+            var fileKey = new FileKey(passwd);
+            var file_key = fileKey.decrypt('{{repo.random_key}}');
 
-            var key_array = sjcl.misc.pbkdf2(passwd, salt, 1000, 32*8, null);
-            var iv_array = sjcl.misc.pbkdf2(key_array, salt, 10, 32*8, null);
-            var key =  sjcl.codec.hex.fromBits(key_array);
-            var iv = sjcl.codec.hex.fromBits(iv_array);
-
-            var secret_key_array = CryptoJS.AES.decrypt(CryptoJS.enc.Hex.parse('{{repo.random_key}}').toString(CryptoJS.enc.Base64), CryptoJS.enc.Hex.parse(key), {iv: CryptoJS.enc.Hex.parse(iv)});
-            var secret_key = secret_key_array.toString(CryptoJS.enc.Hex);
-
-            var enc_key_array = sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(secret_key), salt, 1000, 32*8, null);
-            var enc_iv_array = sjcl.misc.pbkdf2(enc_key_array, salt, 10, 32*8, null);
-
-            enc_key = sjcl.codec.hex.fromBits(enc_key_array);
-            enc_iv = sjcl.codec.hex.fromBits(enc_iv_array);
+            var enc_obj = gen_enc_key_iv(file_key);
+            enc_key = enc_obj.key;
+            enc_iv = enc_obj.iv;
             if ('localStorage' in window && window['localStorage'] !== null) {
                 var repo_id = '{{repo.id}}';
                 localStorage[repo_id + '_decrypt_t'] = new Date().getTime();
@@ -512,7 +505,7 @@ $('#mv-dirents, #cp-dirents').click(function() {
     });
 });
 
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
 function wordArray2ab(wordArray) {
     // Shortcuts
     var words = wordArray.words;
@@ -533,15 +526,19 @@ function encAndSubmitFile(file, prepare_fd, submit_url) {
         file.slice = file.mozSlice || file.webkitSlice || file.slice; // compatibility
         var pos = 0;
         var slices = [];
-        if (file.size == 0) {
-            return [file]; // It is required to be encrypted.
-        }
         while(pos < file.size){
           slices.push(file.slice(pos, pos += 1024 * 1024));
         }     
         return slices;
     }
     var blocks = sliceFile(file), encrypted_blocks = [];
+
+    // file.size is 0, do not encrypt
+    if (blocks.length == 0) {
+        onFinish();
+        return;
+    }
+
     var workers = [], workersCount = 4, i, len;
     for (i = 0; i < workersCount; i++) {
         workers.push(new Worker('{{MEDIA_URL}}js/file_crypto.js'));
@@ -608,7 +605,7 @@ function dirOP() {
 
 $('.path .dir-link').click(dirlinkClick);
 
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
 $('#upload-file').click(function () {
     $('#upload-file-dialog').modal();
     $('#simplemodal-container').css({'height':'auto'});
@@ -883,7 +880,7 @@ $('.checkbox-orig', context).unbind().click(function() {
 
 $('.dir-link', context).click(dirlinkClick);
 
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
 
 $('.file-download').click(function() {
     var file_name = $(this).parents('tr').attr('data-name'),
@@ -1172,7 +1169,7 @@ $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () {
     return false;
 });
 
-{% if repo.enc_version == 2 and not keep_enc_repo_passwd and repo.encrypted %}
+{% if repo.enc_version == 2 and not server_crypto and repo.encrypted %}
 $('.file-update', context).click(function() {
     $('#update-file-dialog').modal();
     $('#simplemodal-container').css({'width':'auto', 'height':'auto'});
diff --git a/seahub/templates/snippets/repo_create_js.html b/seahub/templates/snippets/repo_create_js.html
index 4eaadc07b4..df37e8510f 100644
--- a/seahub/templates/snippets/repo_create_js.html
+++ b/seahub/templates/snippets/repo_create_js.html
@@ -63,30 +63,14 @@ $('#repo-create-form').submit(function() {
             return false;
         }
 
-        {% if not keep_enc_repo_passwd %}
-        // don't send the password to the server
-        var salt = sjcl.codec.bytes.toBits([0xda, 0x90, 0x45, 0xc3, 0x06, 0xc7, 0xcc, 0x26]);
+        {% if not server_crypto %}
+        // gen uu_id as new repo_id
         var uu_id = uuid.v4();
-        var magic_array = sjcl.misc.pbkdf2(uu_id + passwd, salt, 1000, 32*8, null); // 32 bytes
-        var magic_str = sjcl.codec.hex.fromBits(magic_array);
 
-        var secret_array;
-        if (window.crypto && window.crypto.getRandomValues) {
-            secret_array = new Uint32Array(8);
-            window.crypto.getRandomValues(secret_array);
-        } else {
-            secret_array = [];
-            for (var i = 0; i < 8; i++) {
-                secret_array.push(parseInt(Math.random() * Math.pow(2,32)));
-            }
-        }
+        var magic_str = gen_magic_str(uu_id, passwd);
 
-        var key_array = sjcl.misc.pbkdf2(passwd, salt, 1000, 32*8, null);
-        var iv_array = sjcl.misc.pbkdf2(key_array, salt, 10, 32*8, null);
-        var key =  sjcl.codec.hex.fromBits(key_array);
-        var iv = sjcl.codec.hex.fromBits(iv_array);
-        var random_key_obj = CryptoJS.AES.encrypt(CryptoJS.lib.WordArray.create(secret_array), CryptoJS.enc.Hex.parse(key), {iv: CryptoJS.enc.Hex.parse(iv)});
-        var random_key = random_key_obj.ciphertext.toString(CryptoJS.enc.Hex); // convert to hex
+        var fileKey = new FileKey(passwd);
+        var encrypted_file_key = fileKey.gen_enc();
         {% endif %}
     }
 
@@ -105,7 +89,7 @@ $('#repo-create-form').submit(function() {
     {% endif %}
 
     if (encrypted) {
-        {% if keep_enc_repo_passwd %}
+        {% if server_crypto %}
         $.extend(post_data, {
             'passwd': passwd,
             'passwd_again': passwd_again
@@ -114,7 +98,7 @@ $('#repo-create-form').submit(function() {
         $.extend(post_data, {
             'uuid': uu_id,
             'magic_str': magic_str,
-            'random_key': random_key
+            'encrypted_file_key': encrypted_file_key
         });
         {% endif %}
     }
diff --git a/seahub/templates/snippets/repo_create_js_files.html b/seahub/templates/snippets/repo_create_js_files.html
new file mode 100644
index 0000000000..140d585646
--- /dev/null
+++ b/seahub/templates/snippets/repo_create_js_files.html
@@ -0,0 +1,6 @@
+{% if not server_crypto %}
+<script type="text/javascript" src="{{MEDIA_URL}}js/uuid.js"></script>
+<script type="text/javascript" src="{{MEDIA_URL}}js/sjcl.js"></script>
+<script type="text/javascript" src="{{MEDIA_URL}}js/CryptoJS/rollups/aes.js"></script>
+<script type="text/javascript" src="{{MEDIA_URL}}js/client_crypto.js"></script>
+{% endif %}
diff --git a/seahub/views/__init__.py b/seahub/views/__init__.py
index 7fcced473a..ab6d9ee3f4 100644
--- a/seahub/views/__init__.py
+++ b/seahub/views/__init__.py
@@ -89,7 +89,7 @@ if HAS_OFFICE_CONVERTER:
 import seahub.settings as settings
 from seahub.settings import FILE_PREVIEW_MAX_SIZE, INIT_PASSWD, USE_PDFJS, FILE_ENCODING_LIST, \
     FILE_ENCODING_TRY_LIST, SEND_EMAIL_ON_ADDING_SYSTEM_MEMBER, SEND_EMAIL_ON_RESETTING_USER_PASSWD, \
-    ENABLE_SUB_LIBRARY, KEEP_ENC_REPO_PASSWD
+    ENABLE_SUB_LIBRARY, SERVER_CRYPTO
 
 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -610,7 +610,7 @@ def repo_history(request, repo_id):
 
     password_set = False
     if repo.props.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)):
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)):
         try:
             ret = seafserv_rpc.is_passwd_set(repo_id, request.user.username)
             if ret == 1:
@@ -667,7 +667,7 @@ def repo_view_snapshot(request, repo_id):
 
     password_set = False
     if repo.props.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)):
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)):
         try:
             ret = seafserv_rpc.is_passwd_set(repo_id, request.user.username)
             if ret == 1:
@@ -721,7 +721,7 @@ def repo_history_revert(request, repo_id):
 
     password_set = False
     if repo.props.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)):
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)):
         try:
             ret = seafserv_rpc.is_passwd_set(repo_id, request.user.username)
             if ret == 1:
@@ -801,7 +801,7 @@ def repo_history_changes(request, repo_id):
         return HttpResponse(json.dumps(changes), content_type=content_type)
 
     if repo.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
             and not is_passwd_set(repo_id, request.user.username):
         return HttpResponse(json.dumps(changes), content_type=content_type)
 
@@ -1114,17 +1114,17 @@ def public_repo_create(request):
     passwd = form.cleaned_data['passwd']
     uuid = form.cleaned_data['uuid']
     magic_str = form.cleaned_data['magic_str']
-    random_key = form.cleaned_data['random_key']
+    encrypted_file_key = form.cleaned_data['encrypted_file_key']
     user = request.user.username
 
     try:
         if not encryption:
             repo_id = seafile_api.create_repo(repo_name, repo_desc, user, None)
         else:
-            if KEEP_ENC_REPO_PASSWD:
+            if SERVER_CRYPTO:
                 repo_id = seafile_api.create_repo(repo_name, repo_desc, user, passwd)
             else:
-                repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, random_key, enc_version=2)
+                repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, encrypted_file_key, enc_version=2)
 
         # set this repo as inner pub
         seafile_api.add_inner_pub_repo(repo_id, permission)
@@ -1391,16 +1391,16 @@ def repo_create(request):
     passwd = form.cleaned_data['passwd']
     uuid = form.cleaned_data['uuid']
     magic_str = form.cleaned_data['magic_str']
-    random_key = form.cleaned_data['random_key']
+    encrypted_file_key = form.cleaned_data['encrypted_file_key']
     user = request.user.username
     try:
         if not encryption:
             repo_id = seafile_api.create_repo(repo_name, repo_desc, user, None)
         else:
-            if KEEP_ENC_REPO_PASSWD:
+            if SERVER_CRYPTO:
                 repo_id = seafile_api.create_repo(repo_name, repo_desc, user, passwd)
             else:
-                repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, random_key, enc_version=2)
+                repo_id = seafile_api.create_enc_repo(uuid, repo_name, repo_desc, user, magic_str, encrypted_file_key, enc_version=2)
     except SearpcError, e:
         repo_id = None
 
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index 30a125c1e6..5d799b9179 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -25,7 +25,7 @@ from seahub.signals import repo_created
 from seahub.utils import check_filename_with_rename
 from seahub.utils import check_filename_with_rename, EMPTY_SHA1, gen_block_get_url
 from seahub.utils.star import star_file, unstar_file
-from seahub.settings import KEEP_ENC_REPO_PASSWD
+from seahub.settings import SERVER_CRYPTO
 
 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -184,7 +184,7 @@ def list_dir(request, repo_id):
                             status=403, content_type=content_type)
 
     if repo.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
             and not seafile_api.is_password_set(repo.id, username):
         err_msg = _(u'Library is encrypted.')
         return HttpResponse(json.dumps({'error': err_msg}),
@@ -250,7 +250,7 @@ def list_dir_more(request, repo_id):
                             status=403, content_type=content_type)
 
     if repo.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
            and not seafile_api.is_password_set(repo.id, username):
         err_msg = _(u'Library is encrypted.')
         return HttpResponse(json.dumps({'error': err_msg}),
@@ -865,7 +865,7 @@ def get_current_commit(request, repo_id):
                             status=403, content_type=content_type)
 
     if repo.encrypted and \
-            (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+            (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
             and not seafile_api.is_password_set(repo.id, username):
         err_msg = _(u'Library is encrypted.')
         return HttpResponse(json.dumps({'error': err_msg}),
diff --git a/seahub/views/repo.py b/seahub/views/repo.py
index 600535cb2d..4ad926617a 100644
--- a/seahub/views/repo.py
+++ b/seahub/views/repo.py
@@ -20,7 +20,7 @@ from seahub.views import gen_path_link, get_user_permission, get_repo_dirents, \
 
 from seahub.utils import get_ccnetapplet_root, gen_file_upload_url, \
     get_httpserver_root, gen_dir_share_link
-from seahub.settings import ENABLE_SUB_LIBRARY, KEEP_ENC_REPO_PASSWD
+from seahub.settings import ENABLE_SUB_LIBRARY, SERVER_CRYPTO
 
 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -189,7 +189,7 @@ def render_repo(request, repo):
                 }, context_instance=RequestContext(request))
 
     if repo.encrypted and \
-        (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+        (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
         and not is_password_set(repo.id, username):
         return render_to_response('decrypt_repo_form.html', {
                 'repo': repo,
@@ -230,7 +230,7 @@ def render_repo(request, repo):
         repo_group_str = ''
     upload_url = get_upload_url(request, repo.id)
 
-    if repo.encrypted and repo.enc_version == 2 and not KEEP_ENC_REPO_PASSWD:
+    if repo.encrypted and repo.enc_version == 2 and not SERVER_CRYPTO:
         ajax_upload_url = get_blks_upload_url(request, repo.id)
         ajax_update_url = get_blks_update_url(request, repo.id)
     else:
@@ -316,7 +316,7 @@ def repo_history_view(request, repo_id):
                 }, context_instance=RequestContext(request))
 
     if repo.encrypted and \
-        (repo.enc_version == 1 or (repo.enc_version == 2 and KEEP_ENC_REPO_PASSWD)) \
+        (repo.enc_version == 1 or (repo.enc_version == 2 and SERVER_CRYPTO)) \
         and not is_password_set(repo.id, username):
         return render_to_response('decrypt_repo_form.html', {
                 'repo': repo,