diff --git a/Ext4Crypt.cpp b/Ext4Crypt.cpp index 1daf4ba..48957c8 100644 --- a/Ext4Crypt.cpp +++ b/Ext4Crypt.cpp @@ -91,8 +91,8 @@ static bool e4crypt_is_emulated() { return property_get_bool("persist.sys.emulate_fbe", false); } -static const char* escape_null(const char* value) { - return (value == nullptr) ? "null" : value; +static const char* escape_empty(const std::string& value) { + return value.empty() ? "null" : value.c_str(); } static std::string get_de_key_path(userid_t user_id) { @@ -379,7 +379,7 @@ bool e4crypt_init_user0() { // We can only safely prepare DE storage here, since CE keys are probably // entangled with user credentials. The framework will always prepare CE // storage once CE keys are installed. - if (!e4crypt_prepare_user_storage(nullptr, 0, 0, FLAG_STORAGE_DE)) { + if (!e4crypt_prepare_user_storage("", 0, 0, FLAG_STORAGE_DE)) { LOG(ERROR) << "Failed to prepare user 0 storage"; return false; } @@ -491,8 +491,8 @@ static bool emulated_unlock(const std::string& path, mode_t mode) { return true; } -static bool parse_hex(const char* hex, std::string* result) { - if (strcmp("!", hex) == 0) { +static bool parse_hex(const std::string& hex, std::string* result) { + if (hex == "!") { *result = ""; return true; } @@ -503,10 +503,10 @@ static bool parse_hex(const char* hex, std::string* result) { return true; } -bool e4crypt_add_user_key_auth(userid_t user_id, int serial, const char* token_hex, - const char* secret_hex) { +bool e4crypt_add_user_key_auth(userid_t user_id, int serial, const std::string& token_hex, + const std::string& secret_hex) { LOG(DEBUG) << "e4crypt_add_user_key_auth " << user_id << " serial=" << serial - << " token_present=" << (strcmp(token_hex, "!") != 0); + << " token_present=" << (token_hex != "!"); if (!e4crypt_is_native()) return true; if (s_ephemeral_users.count(user_id) != 0) return true; std::string token, secret; 
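Review bot: `escape_empty` in the first Ext4Crypt.cpp hunk returns `value.c_str()`, a pointer whose lifetime is tied to the caller's string, so a call that binds the `const std::string&` to a temporary and keeps the result past the full expression would read freed memory. The two call sites visible in this diff stream the result straight into `LOG(DEBUG)`, which is safe, but the signature does not enforce that. Returning by value removes the hazard: `static std::string escape_empty(const std::string& value) { return value.empty() ? "null" : value; }`.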
@@ -543,10 +543,10 @@ bool e4crypt_fixate_newest_user_key_auth(userid_t user_id) { } // TODO: rename to 'install' for consistency, and take flags to know which keys to install -bool e4crypt_unlock_user_key(userid_t user_id, int serial, const char* token_hex, - const char* secret_hex) { +bool e4crypt_unlock_user_key(userid_t user_id, int serial, const std::string& token_hex, + const std::string& secret_hex) { LOG(DEBUG) << "e4crypt_unlock_user_key " << user_id << " serial=" << serial - << " token_present=" << (strcmp(token_hex, "!") != 0); + << " token_present=" << (token_hex != "!"); if (e4crypt_is_native()) { if (s_ce_key_raw_refs.count(user_id) != 0) { LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id; @@ -566,8 +566,8 @@ bool e4crypt_unlock_user_key(userid_t user_id, int serial, const char* token_hex // back into a known-good state. if (!emulated_unlock(android::vold::BuildDataSystemCePath(user_id), 0771) || !emulated_unlock(android::vold::BuildDataMiscCePath(user_id), 01771) || - !emulated_unlock(android::vold::BuildDataMediaCePath(nullptr, user_id), 0770) || - !emulated_unlock(android::vold::BuildDataUserCePath(nullptr, user_id), 0771)) { + !emulated_unlock(android::vold::BuildDataMediaCePath("", user_id), 0770) || + !emulated_unlock(android::vold::BuildDataUserCePath("", user_id), 0771)) { LOG(ERROR) << "Failed to unlock user " << user_id; return false; } 
@@ -584,8 +584,8 @@ bool e4crypt_lock_user_key(userid_t user_id) { // When in emulation mode, we just use chmod if (!emulated_lock(android::vold::BuildDataSystemCePath(user_id)) || !emulated_lock(android::vold::BuildDataMiscCePath(user_id)) || - !emulated_lock(android::vold::BuildDataMediaCePath(nullptr, user_id)) || - !emulated_lock(android::vold::BuildDataUserCePath(nullptr, user_id))) { + !emulated_lock(android::vold::BuildDataMediaCePath("", user_id)) || + !emulated_lock(android::vold::BuildDataUserCePath("", user_id))) { LOG(ERROR) << "Failed to lock user " << user_id; return false; } @@ -594,9 +594,9 @@ bool e4crypt_lock_user_key(userid_t user_id) { return true; } -bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int serial, - int flags) { - LOG(DEBUG) << "e4crypt_prepare_user_storage for volume " << escape_null(volume_uuid) +bool e4crypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial, + int flags) { + LOG(DEBUG) << "e4crypt_prepare_user_storage for volume " << escape_empty(volume_uuid) << ", user " << user_id << ", serial " << serial << ", flags " << flags; if (flags & FLAG_STORAGE_DE) { @@ -610,7 +610,7 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int auto misc_de_path = android::vold::BuildDataMiscDePath(user_id); auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id); - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { if (!prepare_dir(system_legacy_path, 0700, AID_SYSTEM, AID_SYSTEM)) return false; #if MANAGE_MISC_DIRS if (!prepare_dir(misc_legacy_path, 0750, multiuser_get_uid(user_id, AID_SYSTEM), 
@@ -626,7 +626,7 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int if (e4crypt_is_native()) { std::string de_raw_ref; if (!lookup_key_ref(s_de_key_raw_refs, user_id, &de_raw_ref)) return false; - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { if (!ensure_policy(de_raw_ref, system_de_path)) return false; if (!ensure_policy(de_raw_ref, misc_de_path)) return false; } @@ -641,7 +641,7 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id); auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id); - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { if (!prepare_dir(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM)) return false; if (!prepare_dir(misc_ce_path, 01771, AID_SYSTEM, AID_MISC)) return false; } @@ -651,7 +651,7 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int if (e4crypt_is_native()) { std::string ce_raw_ref; if (!lookup_key_ref(s_ce_key_raw_refs, user_id, &ce_raw_ref)) return false; - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { if (!ensure_policy(ce_raw_ref, system_ce_path)) return false; if (!ensure_policy(ce_raw_ref, misc_ce_path)) return false; @@ -669,8 +669,8 @@ bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int return true; } -bool e4crypt_destroy_user_storage(const char* volume_uuid, userid_t user_id, int flags) { - LOG(DEBUG) << "e4crypt_destroy_user_storage for volume " << escape_null(volume_uuid) +bool e4crypt_destroy_user_storage(const std::string& volume_uuid, userid_t user_id, int flags) { + LOG(DEBUG) << "e4crypt_destroy_user_storage for volume " << escape_empty(volume_uuid) << ", user " << user_id << ", flags " << flags; bool res = true; 
@@ -685,7 +685,7 @@ bool e4crypt_destroy_user_storage(const char* volume_uuid, userid_t user_id, int auto misc_de_path = android::vold::BuildDataMiscDePath(user_id); auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id); - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { res &= destroy_dir(system_legacy_path); #if MANAGE_MISC_DIRS res &= destroy_dir(misc_legacy_path); @@ -704,7 +704,7 @@ bool e4crypt_destroy_user_storage(const char* volume_uuid, userid_t user_id, int auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id); auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id); - if (volume_uuid == nullptr) { + if (volume_uuid.empty()) { res &= destroy_dir(system_ce_path); res &= destroy_dir(misc_ce_path); } @@ -715,6 +715,6 @@ bool e4crypt_destroy_user_storage(const char* volume_uuid, userid_t user_id, int return res; } -bool e4crypt_secdiscard(const char* path) { - return android::vold::runSecdiscardSingle(std::string(path)); +bool e4crypt_secdiscard(const std::string& path) { + return android::vold::runSecdiscardSingle(path); } diff --git a/Ext4Crypt.h b/Ext4Crypt.h index e90167b..d0afd85 100644 --- a/Ext4Crypt.h +++ b/Ext4Crypt.h 
@@ -14,29 +14,29 @@ * limitations under the License. */ +#include + #include #include #include -__BEGIN_DECLS - // General functions -bool e4crypt_is_native(); bool e4crypt_initialize_global_de(); bool e4crypt_init_user0(); bool e4crypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral); bool e4crypt_destroy_user_key(userid_t user_id); -bool e4crypt_add_user_key_auth(userid_t user_id, int serial, const char* token, - const char* secret); +bool e4crypt_add_user_key_auth(userid_t user_id, int serial, const std::string& token, + const std::string& secret); bool e4crypt_fixate_newest_user_key_auth(userid_t user_id); -bool e4crypt_unlock_user_key(userid_t user_id, int serial, const char* token, const char* secret); +bool e4crypt_unlock_user_key(userid_t user_id, int serial, const std::string& token, + const std::string& secret); bool e4crypt_lock_user_key(userid_t user_id); -bool e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id, int serial, int flags); -bool e4crypt_destroy_user_storage(const char* volume_uuid, userid_t user_id, int flags); +bool e4crypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial, + int flags); +bool e4crypt_destroy_user_storage(const std::string& volume_uuid, userid_t user_id, int flags); -bool e4crypt_secdiscard(const char* path); -__END_DECLS +bool e4crypt_secdiscard(const std::string& path); diff --git a/Keymaster.h b/Keymaster.h index dc6f1bc..f24a0c0 100644 --- a/Keymaster.h +++ b/Keymaster.h @@ -17,8 +17,6 @@ #ifndef ANDROID_VOLD_KEYMASTER_H #define ANDROID_VOLD_KEYMASTER_H -#ifdef __cplusplus - #include "KeyBuffer.h" #include @@ -127,8 +125,7 @@ class Keymaster { } // namespace vold } // namespace android -#endif // __cplusplus - +// FIXME no longer needed now cryptfs is in C++. /* * The following functions provide C bindings to keymaster services 
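Review bot: The declarations in the Ext4Crypt.h hunk have no comment on the sentinel values that this commit changes from `nullptr` to string values. Judging by the Ext4Crypt.cpp and Utils.cpp hunks, an empty `volume_uuid` now selects internal storage under `/data`, and `"!"` for `token`/`secret` is decoded by `parse_hex` to an empty value. I would add above `e4crypt_prepare_user_storage` a comment such as `// volume_uuid: empty string means internal storage (/data); otherwise the UUID of a volume under /mnt/expand.` and above `e4crypt_add_user_key_auth` `// token and secret are hex strings; "!" means the value is absent.`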
@@ -138,7 +135,6 @@ class Keymaster { * The sign_object function signes an object with the given keymaster * key. */ -__BEGIN_DECLS int keymaster_compatibility_cryptfs_scrypt(); int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, @@ -156,6 +152,5 @@ int keymaster_sign_object_for_cryptfs_scrypt(const uint8_t* key_blob, uint8_t** signature_buffer, size_t* signature_buffer_size); -__END_DECLS #endif diff --git a/ScryptParameters.h b/ScryptParameters.h index 1b43ea5..190842b 100644 --- a/ScryptParameters.h +++ b/ScryptParameters.h @@ -23,10 +23,6 @@ #define SCRYPT_PROP "ro.crypto.scrypt_params" #define SCRYPT_DEFAULTS "15:3:1" -__BEGIN_DECLS - bool parse_scrypt_parameters(const char* paramstr, int *Nf, int *rf, int *pf); -__END_DECLS - #endif diff --git a/Utils.cpp b/Utils.cpp index b6c7bf8..a9350e8 100644 --- a/Utils.cpp +++ b/Utils.cpp 
@@ -585,54 +585,54 @@ std::string BuildKeyPath(const std::string& partGuid) { } std::string BuildDataSystemLegacyPath(userid_t userId) { - return StringPrintf("%s/system/users/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/system/users/%u", BuildDataPath("").c_str(), userId); } std::string BuildDataSystemCePath(userid_t userId) { - return StringPrintf("%s/system_ce/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/system_ce/%u", BuildDataPath("").c_str(), userId); } std::string BuildDataSystemDePath(userid_t userId) { - return StringPrintf("%s/system_de/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/system_de/%u", BuildDataPath("").c_str(), userId); } std::string BuildDataMiscLegacyPath(userid_t userId) { - return StringPrintf("%s/misc/user/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/misc/user/%u", BuildDataPath("").c_str(), userId); } std::string BuildDataMiscCePath(userid_t userId) { - return StringPrintf("%s/misc_ce/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/misc_ce/%u", BuildDataPath("").c_str(), userId); } std::string BuildDataMiscDePath(userid_t userId) { - return StringPrintf("%s/misc_de/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/misc_de/%u", BuildDataPath("").c_str(), userId); } // Keep in sync with installd (frameworks/native/cmds/installd/utils.h) std::string BuildDataProfilesDePath(userid_t userId) { - return StringPrintf("%s/misc/profiles/cur/%u", BuildDataPath(nullptr).c_str(), userId); + return StringPrintf("%s/misc/profiles/cur/%u", BuildDataPath("").c_str(), userId); } -std::string BuildDataPath(const char* volumeUuid) { +std::string BuildDataPath(const std::string& volumeUuid) { // TODO: unify with installd path generation logic - if (volumeUuid == nullptr) { + if (volumeUuid.empty()) { return "/data"; } else { CHECK(isValidFilename(volumeUuid)); - return StringPrintf("/mnt/expand/%s", 
volumeUuid); + return StringPrintf("/mnt/expand/%s", volumeUuid.c_str()); } } -std::string BuildDataMediaCePath(const char* volumeUuid, userid_t userId) { +std::string BuildDataMediaCePath(const std::string& volumeUuid, userid_t userId) { // TODO: unify with installd path generation logic std::string data(BuildDataPath(volumeUuid)); return StringPrintf("%s/media/%u", data.c_str(), userId); } -std::string BuildDataUserCePath(const char* volumeUuid, userid_t userId) { +std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userId) { // TODO: unify with installd path generation logic std::string data(BuildDataPath(volumeUuid)); - if (volumeUuid == nullptr && userId == 0) { + if (volumeUuid.empty() && userId == 0) { std::string legacy = StringPrintf("%s/data", data.c_str()); struct stat sb; if (lstat(legacy.c_str(), &sb) == 0 && S_ISDIR(sb.st_mode)) { @@ -643,7 +643,7 @@ std::string BuildDataUserCePath(const char* volumeUuid, userid_t userId) { return StringPrintf("%s/user/%u", data.c_str(), userId); } -std::string BuildDataUserDePath(const char* volumeUuid, userid_t userId) { +std::string BuildDataUserDePath(const std::string& volumeUuid, userid_t userId) { // TODO: unify with installd path generation logic std::string data(BuildDataPath(volumeUuid)); return StringPrintf("%s/user_de/%u", data.c_str(), userId); diff --git a/Utils.h b/Utils.h index 4e2be96..8d09ddf 100644 --- a/Utils.h +++ b/Utils.h 
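Review bot: In `BuildDataPath` (Utils.cpp hunk at -585), the new `std::string` parameter can carry an embedded NUL byte, which the old `const char*` could not. `volumeUuid.empty()` and `isValidFilename(volumeUuid)` see the whole string, while `StringPrintf("/mnt/expand/%s", volumeUuid.c_str())` stops at the first NUL. `isValidFilename` is not visible here and may already reject such input, but the path builder should not depend on that; a string that starts with a NUL would otherwise yield the bare `/mnt/expand/` prefix for the prepare and destroy paths derived from it. I would add `CHECK(volumeUuid.find('\0') == std::string::npos);` next to the existing check, or build the path as `"/mnt/expand/" + volumeUuid` so that validation and use agree on the same bytes.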
@@ -103,10 +103,10 @@ std::string BuildDataMiscCePath(userid_t userid); std::string BuildDataMiscDePath(userid_t userid); std::string BuildDataProfilesDePath(userid_t userid); -std::string BuildDataPath(const char* volumeUuid); -std::string BuildDataMediaCePath(const char* volumeUuid, userid_t userid); -std::string BuildDataUserCePath(const char* volumeUuid, userid_t userid); -std::string BuildDataUserDePath(const char* volumeUuid, userid_t userid); +std::string BuildDataPath(const std::string& volumeUuid); +std::string BuildDataMediaCePath(const std::string& volumeUuid, userid_t userid); +std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userid); +std::string BuildDataUserDePath(const std::string& volumeUuid, userid_t userid); dev_t GetDevice(const std::string& path); diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp index 049f5ba..6fb1731 100644 --- a/VoldNativeService.cpp +++ b/VoldNativeService.cpp @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -666,7 +667,7 @@ binder::Status VoldNativeService::addUserKeyAuth(int32_t userId, int32_t userSer ENFORCE_UID(AID_SYSTEM); ACQUIRE_CRYPT_LOCK; - return translateBool(e4crypt_add_user_key_auth(userId, userSerial, token.c_str(), secret.c_str())); + return translateBool(e4crypt_add_user_key_auth(userId, userSerial, token, secret)); } binder::Status VoldNativeService::fixateNewestUserKeyAuth(int32_t userId) { @@ -681,7 +682,7 @@ binder::Status VoldNativeService::unlockUserKey(int32_t userId, int32_t userSeri ENFORCE_UID(AID_SYSTEM); ACQUIRE_CRYPT_LOCK; - return translateBool(e4crypt_unlock_user_key(userId, userSerial, token.c_str(), secret.c_str())); + return translateBool(e4crypt_unlock_user_key(userId, userSerial, token, secret)); } binder::Status VoldNativeService::lockUserKey(int32_t userId) { 
@@ -696,7 +697,8 @@ binder::Status VoldNativeService::prepareUserStorage(const std::unique_ptrc_str() : nullptr; + std::string empty_string = ""; + auto uuid_ = uuid ? *uuid : empty_string; return translateBool(e4crypt_prepare_user_storage(uuid_, userId, userSerial, flags)); } @@ -705,7 +707,8 @@ binder::Status VoldNativeService::destroyUserStorage(const std::unique_ptrc_str() : nullptr; + std::string empty_string = ""; + auto uuid_ = uuid ? *uuid : empty_string; return translateBool(e4crypt_destroy_user_storage(uuid_, userId, flags)); } @@ -713,7 +716,7 @@ binder::Status VoldNativeService::secdiscard(const std::string& path) { ENFORCE_UID(AID_SYSTEM); ACQUIRE_CRYPT_LOCK; - return translateBool(e4crypt_secdiscard(path.c_str())); + return translateBool(e4crypt_secdiscard(path)); } } // namespace vold diff --git a/cryptfs.cpp b/cryptfs.cpp index 2574e39..08a3d16 100644 --- a/cryptfs.cpp +++ b/cryptfs.cpp @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include diff --git a/fs/Ext4.cpp b/fs/Ext4.cpp index 0cf4f9e..1898155 100644 --- a/fs/Ext4.cpp +++ b/fs/Ext4.cpp @@ -42,6 +42,7 @@ #include #include #include +#include #include #include diff --git a/model/Disk.cpp b/model/Disk.cpp index c889a35..5b0c981 100644 --- a/model/Disk.cpp +++ b/model/Disk.cpp @@ -23,10 +23,11 @@ #include "Ext4Crypt.h" #include +#include #include #include -#include #include +#include #include #include diff --git a/secontext.h b/secontext.h index 08ad48e..f5339c8 100644 --- a/secontext.h +++ b/secontext.h @@ -18,8 +18,6 @@ #include -__BEGIN_DECLS security_context_t secontextFsck(); -__END_DECLS #endif
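Review bot: In `prepareUserStorage` and `destroyUserStorage` (VoldNativeService.cpp), a uuid that is present but empty now becomes the same `""` that stands for "no volume", so the call operates on internal `/data` storage instead of being treated as a volume name. Before this change that input reached `BuildDataPath` as a non-null pointer and went through `CHECK(isValidFilename(...))`; whether that check rejected it is not visible here. If the distinction matters, reject `uuid && uuid->empty()` at this binder boundary before calling into e4crypt. Separately, the `empty_string` local and the copying `auto` can be collapsed into `const std::string uuid_ = uuid ? *uuid : std::string();`.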