diff --git a/src/matrix/e2ee/ssss/SecretStorage.js b/src/matrix/e2ee/ssss/SecretStorage.js
index 067ba310..572b06e9 100644
--- a/src/matrix/e2ee/ssss/SecretStorage.js
+++ b/src/matrix/e2ee/ssss/SecretStorage.js
@@ -17,7 +17,7 @@ limitations under the License.
 import {base64} from "../../../utils/base-encoding.js";
 
 export class SecretStorage {
-    constructor(key, storage, cryptoDriver) {
+    constructor({key, storage, cryptoDriver}) {
         this._key = key;
         this._storage = storage;
         this._cryptoDriver = cryptoDriver;
@@ -36,13 +36,11 @@ export class SecretStorage {
             throw new Error(`Secret ${accountData.type} is not encrypted for key ${this._key.id}`);
         }
 
-        let json;
         if (this._key.algorithm === "m.secret_storage.v1.aes-hmac-sha2") {
-            json = await this._decryptAESSecret(accountData.type, encryptedData);
+            return await this._decryptAESSecret(accountData.type, encryptedData);
         } else {
             throw new Error(`Unsupported algorithm for key ${this._key.id}: ${this._key.algorithm}`);
         }
-        return JSON.parse(json);
     }
 
     async _decryptAESSecret(type, encryptedData) {
diff --git a/src/matrix/e2ee/ssss/common.js b/src/matrix/e2ee/ssss/common.js
index 6aab70d2..6c708fed 100644
--- a/src/matrix/e2ee/ssss/common.js
+++ b/src/matrix/e2ee/ssss/common.js
@@ -62,6 +62,9 @@ export async function readDefaultKeyDescription(storage) {
         return;
     }
     const keyAccountData = await txn.accountData.get(`m.secret_storage.key.${id}`);
+    if (!keyAccountData) {
+        return;
+    }
     return new KeyDescription(id, keyAccountData);
 }
 
diff --git a/src/matrix/e2ee/ssss/passphrase.js b/src/matrix/e2ee/ssss/passphrase.js
index 1577c167..1e3935a4 100644
--- a/src/matrix/e2ee/ssss/passphrase.js
+++ b/src/matrix/e2ee/ssss/passphrase.js
@@ -19,15 +19,26 @@ import {Key} from "./common.js";
 const DEFAULT_ITERATIONS = 500000;
 const DEFAULT_BITSIZE = 256;
 
+/**
+ * @param  {KeyDescription} keyDescription
+ * @param  {string} passphrase
+ * @param  {CryptoDriver} cryptoDriver
+ * @return {Key}
+ */
 export async function keyFromPassphrase(keyDescription, passphrase, cryptoDriver) {
     const {passphraseParams} = keyDescription;
     if (!passphraseParams) {
         throw new Error("not a passphrase key");
     }
+    if (passphraseParams.algorithm !== "m.pbkdf2") {
+        throw new Error(`Unsupported passphrase algorithm: ${passphraseParams.algorithm}`);
+    }
+    // TODO: we should we move this to platform specific code
     const textEncoder = new TextEncoder();
     const keyBits = await cryptoDriver.derive.pbkdf2(
         textEncoder.encode(passphrase),
         passphraseParams.iterations || DEFAULT_ITERATIONS,
+        // salt is just a random string, not encoded in any way
         textEncoder.encode(passphraseParams.salt),
         "SHA-512",
         passphraseParams.bits || DEFAULT_BITSIZE);
diff --git a/src/matrix/e2ee/ssss/recoveryKey.js b/src/matrix/e2ee/ssss/recoveryKey.js
index 4cbe0f4b..002e294f 100644
--- a/src/matrix/e2ee/ssss/recoveryKey.js
+++ b/src/matrix/e2ee/ssss/recoveryKey.js
@@ -18,6 +18,12 @@ import {Key} from "./common.js";
 
 const OLM_RECOVERY_KEY_PREFIX = [0x8B, 0x01];
 
+/**
+ * @param  {Olm} olm
+ * @param  {KeyDescription} keyDescription
+ * @param  {string} recoveryKey
+ * @return {Key}
+ */
 export function keyFromRecoveryKey(olm, keyDescription, recoveryKey) {
     const result = base58.decode(recoveryKey.replace(/ /g, ''));