diff --git a/cmd/keystored/main.go b/cmd/keystored/main.go
index bc430473643f09b43e6b54a552ea534fc3de53f7..ad0bd1f986af34a09b77f9ba39536a75b27e227f 100644
--- a/cmd/keystored/main.go
+++ b/cmd/keystored/main.go
@@ -4,14 +4,11 @@ import (
 	"flag"
 	"io/ioutil"
 	"log"
-	"os"
-	"strings"
 
 	"gopkg.in/yaml.v2"
 
 	"git.autistici.org/ai3/go-common/serverutil"
 
-	"git.autistici.org/id/keystore"
 	"git.autistici.org/id/keystore/server"
 )
 
@@ -26,10 +23,10 @@ var (
 	configFile = flag.String("config", "/etc/keystore/config.yml", "path of config file")
 )
 
-// Wrap the keystore.Config together with the server setup in a single
-// configuration object.
+// Config wraps the keystore.Config together with the server setup in
+// a single configuration object.
 type Config struct {
-	KeyStoreConfig *keystore.Config         `yaml:"keystore"`
+	KeyStoreConfig *server.Config           `yaml:"keystore"`
 	ServerConfig   *serverutil.ServerConfig `yaml:"http_server"`
 }
 
@@ -46,19 +43,8 @@ func loadConfig() (*Config, error) {
 	return &config, nil
 }
 
-// Set defaults for command-line flags using variables from the environment.
-func setFlagDefaultsFromEnv() {
-	flag.VisitAll(func(f *flag.Flag) {
-		envVar := "KEYSTORE_" + strings.ToUpper(strings.Replace(f.Name, "-", "_", -1))
-		if value := os.Getenv(envVar); value != "" {
-			f.DefValue = value
-			f.Value.Set(value)
-		}
-	})
-}
-
 func main() {
-	setFlagDefaultsFromEnv()
+	log.SetFlags(0)
 	flag.Parse()
 
 	config, err := loadConfig()
@@ -66,12 +52,12 @@ func main() {
 		log.Fatal(err)
 	}
 
-	ks, err := keystore.New(config.KeyStoreConfig)
+	ks, err := server.NewKeyStore(config.KeyStoreConfig)
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	srv := server.New(ks)
+	srv := server.NewServer(ks)
 
 	if err := serverutil.Serve(srv, config.ServerConfig, *addr); err != nil {
 		log.Fatal(err)
diff --git a/decrypt.go b/server/decrypt.go
similarity index 96%
rename from decrypt.go
rename to server/decrypt.go
index 2252f6443315e3b02a26396c82e12b9a1106eb42..3ff37e3738bfa7bfa6c7401e29c73017eec37b54 100644
--- a/decrypt.go
+++ b/server/decrypt.go
@@ -1,4 +1,4 @@
-package keystore
+package server
 
 import (
 	"github.com/miscreant/miscreant/go"
diff --git a/keystore.go b/server/keystore.go
similarity index 96%
rename from keystore.go
rename to server/keystore.go
index 9a5d5e7b5501c5d4ea361f24dc5403d38686d899..8daf03124c7bdf43e14b0e9a62a80a635b9bdbc8 100644
--- a/keystore.go
+++ b/server/keystore.go
@@ -1,4 +1,4 @@
-package keystore
+package server
 
 import (
 	"context"
@@ -79,8 +79,8 @@ type KeyStore struct {
 	validator sso.Validator
 }
 
-// New creates a new KeyStore with the given config and returns it.
-func New(config *Config) (*KeyStore, error) {
+// NewKeyStore creates a new KeyStore with the given config and returns it.
+func NewKeyStore(config *Config) (*KeyStore, error) {
 	if err := config.check(); err != nil {
 		return nil, err
 	}
diff --git a/server/server.go b/server/server.go
index dd127507b84c271f74cd9028b4693a1f73cebc18..fc97436f09e8db5f0f1a5066b3e9b3344d061643 100644
--- a/server/server.go
+++ b/server/server.go
@@ -12,7 +12,7 @@ import (
 var emptyResponse struct{}
 
 type keyStoreServer struct {
-	*keystore.KeyStore
+	*KeyStore
 }
 
 func (s *keyStoreServer) handleOpen(w http.ResponseWriter, r *http.Request) {
@@ -71,6 +71,7 @@ func (s *keyStoreServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func New(ks *keystore.KeyStore) http.Handler {
+// NewServer wraps the HTTP API around a KeyStore.
+func NewServer(ks *KeyStore) http.Handler {
 	return &keyStoreServer{ks}
 }