diff --git a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java index db9d7ce96..dcd77042e 100644 --- a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java +++ b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java @@ -72,8 +72,6 @@ import ch.eitchnet.utils.helper.StringHelper; */ public class DefaultPrivilegeHandler implements PrivilegeHandler { - /// - /** * slf4j logger */ @@ -111,6 +109,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { private PrivilegeConflictResolution privilegeConflictResolution; + @Override + public EncryptionHandler getEncryptionHandler() throws PrivilegeException { + return this.encryptionHandler; + } + @Override public RoleRep getRole(Certificate certificate, String roleName) { @@ -487,8 +490,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } @Override - public UserRep updateUser(Certificate certificate, UserRep userRep) throws AccessDeniedException, - PrivilegeException { + public UserRep updateUser(Certificate certificate, UserRep userRep) + throws AccessDeniedException, PrivilegeException { // validate user actually has this type of privilege PrivilegeContext prvCtx = getPrivilegeContext(certificate); @@ -504,8 +507,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { if (StringHelper.isEmpty(userRep.getFirstname()) && StringHelper.isEmpty(userRep.getLastname()) && userRep.getLocale() == null && (userRep.getProperties() == null || userRep.getProperties().isEmpty())) { - throw new PrivilegeException(MessageFormat.format( - "All updateable fields are empty for update of user {0}", userRep.getUsername())); //$NON-NLS-1$ + throw new PrivilegeException(MessageFormat.format("All updateable fields are empty for update of user {0}", //$NON-NLS-1$ + userRep.getUsername())); } String userId = existingUser.getUserId(); 
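Review bot: The new `getEncryptionHandler()` takes no `Certificate`, so any code holding a `PrivilegeHandler` reference can obtain the handler without the check that `updateUser` in this same file performs through `getPrivilegeContext(certificate)`. What the handler exposes is not visible here, but if it is meant only for trusted internal callers, consider accepting a `Certificate` and validating it before returning, or keeping the accessor off the public interface. The one-line body never raises the declared `throws PrivilegeException`, so either drop the clause or document when it is thrown. The matching declaration in PrivilegeHandler.java (hunk at -612) has the same gap, and its Javadoc should state who is expected to call it.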
@@ -626,7 +629,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } // validate that this user may remove this role from this user - prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_REMOVE_ROLE_FROM_USER, new Tuple(existingUser, roleName))); + prvCtx.validateAction( + new SimpleRestrictable(PRIVILEGE_REMOVE_ROLE_FROM_USER, new Tuple(existingUser, roleName))); // ignore if user does not have role Set currentRoles = existingUser.getRoles(); @@ -713,8 +717,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { // if the user is not setting their own password, then make sure this user may set this user's password if (!certificate.getUsername().equals(username)) { - prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_SET_USER_PASSWORD, new Tuple(existingUser, - newUser))); + prvCtx.validateAction( + new SimpleRestrictable(PRIVILEGE_SET_USER_PASSWORD, new Tuple(existingUser, newUser))); } // delegate user replacement to persistence handler @@ -987,8 +991,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { this.privilegeContextMap.put(sessionId, privilegeContext); // log - DefaultPrivilegeHandler.logger.info(MessageFormat.format( - "User {0} authenticated: {1}", username, certificate)); //$NON-NLS-1$ + DefaultPrivilegeHandler.logger + .info(MessageFormat.format("User {0} authenticated: {1}", username, certificate)); //$NON-NLS-1$ } catch (RuntimeException e) { String msg = "User {0} Failed to authenticate: {1}"; //$NON-NLS-1$ 
@@ -1042,8 +1046,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { // validate password String pwHash = user.getPassword(); if (pwHash == null) - throw new AccessDeniedException(MessageFormat.format( - "User {0} has no password and may not login!", username)); //$NON-NLS-1$ + throw new AccessDeniedException( + MessageFormat.format("User {0} has no password and may not login!", username)); //$NON-NLS-1$ if (!pwHash.equals(passwordHash)) throw new AccessDeniedException(MessageFormat.format("Password is incorrect for {0}", username)); //$NON-NLS-1$ @@ -1418,7 +1422,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } @Override - public void runAsSystem(String systemUsername, SystemUserAction action) throws PrivilegeException { + public T runAsSystem(String systemUsername, T action) throws PrivilegeException { if (systemUsername == null) throw new PrivilegeException("systemUsername may not be null!"); //$NON-NLS-1$ @@ -1448,6 +1452,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } finally { this.privilegeContextMap.remove(sessionId); } + + return action; } /** diff --git a/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java b/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java index 4e6b848d9..b6e0f8856 100644 --- a/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java +++ b/src/main/java/ch/eitchnet/privilege/handler/PrivilegeHandler.java @@ -223,8 +223,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate */ - public UserRep removeUser(Certificate certificate, String username) throws AccessDeniedException, - PrivilegeException; + public UserRep removeUser(Certificate certificate, String username) + throws AccessDeniedException, PrivilegeException; /** * Removes the role with the given roleName from the user with the given username 
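Review bot: In `runAsSystem`, `return action;` sits after the `finally` that removes the session from `privilegeContextMap`, so the caller receives the action once the system context is already gone, and nothing in the method says so. Add a comment above the return such as `// returned only so callers can read results off the action; the system session was removed above`. Only `systemUsername` is null-checked in the visible lines. If the part of the body outside these hunks does not check `action`, reject a null one up front with `if (action == null) throw new PrivilegeException("action may not be null!");`. In PrivilegeHandler.java (hunk at -612) the added `@throws PrivilegeException` tag has no description, and `@return the action` should say that the same instance passed in is returned.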
@@ -259,8 +259,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate or the role is still in use by a user */ - public RoleRep removeRole(Certificate certificate, String roleName) throws AccessDeniedException, - PrivilegeException; + public RoleRep removeRole(Certificate certificate, String roleName) + throws AccessDeniedException, PrivilegeException; /** * Removes the privilege with the given privilegeName from the role with the given roleName @@ -304,8 +304,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate or the user already exists */ - public UserRep addUser(Certificate certificate, UserRep userRep, byte[] password) throws AccessDeniedException, - PrivilegeException; + public UserRep addUser(Certificate certificate, UserRep userRep, byte[] password) + throws AccessDeniedException, PrivilegeException; /** *

@@ -336,8 +336,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate or if the user does not exist */ - public UserRep updateUser(Certificate certificate, UserRep userRep) throws AccessDeniedException, - PrivilegeException; + public UserRep updateUser(Certificate certificate, UserRep userRep) + throws AccessDeniedException, PrivilegeException; /** *

@@ -363,8 +363,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate or if the user does not exist */ - public UserRep replaceUser(Certificate certificate, UserRep userRep, byte[] password) throws AccessDeniedException, - PrivilegeException; + public UserRep replaceUser(Certificate certificate, UserRep userRep, byte[] password) + throws AccessDeniedException, PrivilegeException; /** * Adds a new role with the information from this {@link RoleRep} @@ -394,8 +394,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate or if the role does not exist */ - public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) throws AccessDeniedException, - PrivilegeException; + public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) + throws AccessDeniedException, PrivilegeException; /** * Adds the role with the given roleName to the {@link User} with the given username @@ -494,8 +494,8 @@ public interface PrivilegeHandler { * @throws PrivilegeException * if there is anything wrong with this certificate */ - public UserRep setUserLocale(Certificate certificate, String username, Locale locale) throws AccessDeniedException, - PrivilegeException; + public UserRep setUserLocale(Certificate certificate, String username, Locale locale) + throws AccessDeniedException, PrivilegeException; /** * Authenticates a user by validating that a {@link User} for the given username and password exist and then returns 
@@ -612,10 +612,22 @@ public interface PrivilegeHandler { * has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation * of the given {@link SystemUserAction} instance * + * * @param systemUsername * the username of the system user to perform the action as * @param action * the action to be performed as the system user + * + * @return the action + * + * @throws PrivilegeException */ - public void runAsSystem(String systemUsername, SystemUserAction action) throws PrivilegeException; + public T runAsSystem(String systemUsername, T action) throws PrivilegeException; + + /** + * Returns the {@link EncryptionHandler} instance + * + * @return the {@link EncryptionHandler} instance + */ + public EncryptionHandler getEncryptionHandler() throws PrivilegeException; }