The following needs to be done:

• Move the PB masked password format to a proper password type
• Introduce protection parameters for credential stores and entries
• Drop the admin_key concept in favor of credential store protection parameters
• Introduce a proper vault-compatible credential store
• Introduce a mechanism to pull protection parameters for stores from the client configuration
• Use a credential store which can store (nearly) any credential type
• Update XML accordingly
• Remove dangerous command execution patterns from credential store, make them safe and make them CredentialSources instead
• Clean up exception hierarchy of credential stores
• Introduce simple map-backed credential store
  Additionally, the above implies:
• Introduce AlgorithmParameterSpi for password parameter types
• Introduce hashing ability for parameters
• Add missing parameter types for PBE
• Introduce serialization trickery to support picketbox class names for vault files
• Atomic file output stream
• Update tests as needed