diff --git a/app/src/Download.vue b/app/src/Download.vue
index ca4ff87..7378eb9 100644
--- a/app/src/Download.vue
+++ b/app/src/Download.vue
@@ -14,10 +14,10 @@
       p.text-danger(v-show='passwordWrong')
         strong {{ $root.lang.accessDenied }}
       |
-      button.decrypt.btn.btn-primary(:disabled='password.length<1', @click='decrypt()')
+      button.decrypt.btn.btn-primary(:disabled='password.length<1', @click='fetchBucket()')
         icon.fa-fw(name="key")
         |  {{ $root.lang.decrypt }}
-    .panel.panel-primary(v-if='!needsPassword')
+    .panel.panel-primary(v-if='!needsPassword && !loading')
       .panel-heading
         strong {{ $root.lang.files }}
         div.pull-right.btn-group.btn-download-archive(v-if="downloadsAvailable")
@@ -53,8 +53,6 @@
 
 <script>
   "use strict";
-  import AES from 'crypto-js/aes';
-  import encUtf8 from 'crypto-js/enc-utf8';
   import MD5 from 'crypto-js/md5';
 
   import FileIcon from './common/FileIcon.vue';
@@ -93,6 +91,7 @@
         baseURI: this.$root.baseURI,
         passwordWrong: false,
         needsPassword: false,
+        loading: true,
         password: '',
         content: '',
         error: '',
@@ -145,28 +144,6 @@
         file.downloaded = $event === 'copied';
       },
 
-      decrypt() {
-        this.passwordWrong = false;
-        this.files = this.files.map(item => {
-          if(typeof item === 'object') return item;
-          let f = AES.decrypt(item, this.password);
-          try {
-            f = JSON.parse(f.toString(encUtf8));
-            return Object.assign(f, {
-              downloaded: false,
-              previewType: getPreviewType(f, this.config.maxPreviewSize)
-            });
-          } catch(e) {
-            this.passwordWrong = true;
-            return item;
-          }
-        });
-        if(!this.passwordWrong) {
-          this.needsPassword = false;
-          this.password = '';
-        }
-      },
-
       humanFileSize(fileSizeInBytes) {
         let i = -1;
         const byteUnits = [' kB', ' MB', ' GB', ' TB', 'PB', 'EB', 'ZB', 'YB'];
@@ -185,35 +162,44 @@
       isFinite(value) {
         if(typeof value !== 'number') return false;
         return !(value !== value || value === Infinity || value === -Infinity);
-      }
-    },
+      },
 
-    beforeMount() {
-      const xhr = new XMLHttpRequest();
-      xhr.open('GET', this.sid + '.json');
-      xhr.onload = () => {
-        if(xhr.status === 200) {
-          try {
-            let data = JSON.parse(xhr.responseText);
-            this.config = data.config;
-            this.files = data.items.map(f => {
-              if(typeof f !== 'object') {
-                this.needsPassword = true;
-                return f;
-              }
-              return Object.assign(f, {
-                downloaded: false,
-                previewType: getPreviewType(f, this.config.maxPreviewSize)
+      fetchBucket() {
+        const xhr = new XMLHttpRequest();
+        xhr.open('GET', this.sid + '.json');
+        if(this.password) {
+          xhr.setRequestHeader('x-download-pass', this.password);
+        }
+        xhr.onload = () => {
+          if (xhr.status === 200) {
+            try {
+              let data = JSON.parse(xhr.responseText);
+              this.config = data.config;
+              this.files = data.items.map(f => {
+                return Object.assign(f, {
+                  downloaded: false,
+                  previewType: getPreviewType(f, this.config.maxPreviewSize)
+                });
               });
-            });
-          } catch(e) {
-            this.error = e.toString();
+              this.loading = false;
+              this.needsPassword = false;
+            }
+            catch (e) {
+              this.error = e.toString();
+            }
+          } else if (xhr.status === 401) {
+            this.needsPassword = true;
+            this.loading = false;
+          } else {
+            this.error = `${ xhr.status } ${ xhr.statusText }: ${ xhr.responseText }`;
           }
-        } else {
-          this.error = `${xhr.status} ${xhr.statusText}: ${xhr.responseText}`;
-        }
-      };
-      xhr.send();
+        };
+        xhr.send();
+      },
+    },
+
+    beforeMount() {
+      this.fetchBucket();
     }
   }
 </script>
diff --git a/lib/endpoints.js b/lib/endpoints.js
index 6d8e2d8..52f310c 100644
--- a/lib/endpoints.js
+++ b/lib/endpoints.js
@@ -158,16 +158,22 @@ app.get(`${ config.baseUrl }:sid`, (req, res, next) => {
     const sid = req.params.sid.substr(0, req.params.sid.length - 5);
     if (!db.get(sid)) return res.status(404).end();
 
+    const downloadPassword = req.get('x-download-pass');
+    const items = db.get(sid).map(item => ({
+      ...item,
+      url: `${ config.baseUrl }files/${ sid }++${ item.key }`
+    }));
+
     res.header('Cache-control', 'private, max-age=0, no-cache, no-store, must-revalidate');
+
+    // Currently, every item in a bucket must have the same password
+    if(items.some(item => item.metadata.password && item.metadata.password !== downloadPassword)) {
+      setTimeout(() => res.status(401).send('Unauthorized'), 500);
+      return;
+    }
+
     res.json({
-      items: db.get(sid).map(data => {
-        const item = Object.assign(data, { url: `${ config.baseUrl }files/${ sid }++${ data.key }` });
-        if (item.metadata.password) {
-          return AES.encrypt(JSON.stringify(data), item.metadata.password).toString();
-        } else {
-          return item;
-        }
-      }),
+      items,
       config: {
         maxPreviewSize: config.maxPreviewSize
       }