diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
index 8233bb7eefd..ac0b3d75151 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
@@ -226,18 +226,18 @@ type testEnvelopeService struct {
 disabled bool
 }
-func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) {
+func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) {
 if t.disabled {
 return nil, fmt.Errorf("Envelope service was disabled")
 }
- return base64.StdEncoding.DecodeString(data)
+ return base64.StdEncoding.DecodeString(string(data))
 }
-func (t *testEnvelopeService) Encrypt(data []byte) (string, error) {
+func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) {
 if t.disabled {
- return "", fmt.Errorf("Envelope service was disabled")
+ return nil, fmt.Errorf("Envelope service was disabled")
 }
- return base64.StdEncoding.EncodeToString(data), nil
+ return []byte(base64.StdEncoding.EncodeToString(data)), nil
 }
 func (t *testEnvelopeService) SetDisabledStatus(status bool) {
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go
index 9782e44b66d..90f1dca42b2 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go
@@ -21,6 +21,7 @@ import (
 "crypto/aes"
 "crypto/cipher"
 "crypto/rand"
+ "encoding/base64"
 "encoding/binary"
 "fmt"
@@ -34,10 +35,10 @@ const defaultCacheSize = 1000
 // Service allows encrypting and decrypting data using an external Key Management Service.
 type Service interface {
- // Decrypt a given data string to obtain the original byte data.
- Decrypt(data string) ([]byte, error)
- // Encrypt bytes to a string ciphertext.
- Encrypt(data []byte) (string, error)
+ // Decrypt a given bytearray to obtain the original data as bytes.
+ Decrypt(data []byte) ([]byte, error)
+ // Encrypt bytes to a ciphertext.
+ Encrypt(data []byte) ([]byte, error)
 }
 type envelopeTransformer struct {
@@ -78,15 +79,12 @@ func (t *envelopeTransformer) TransformFromStorage(data []byte, context value.Co
 if keyLen+2 > len(data) {
 return nil, false, fmt.Errorf("invalid data encountered by genvelope transformer, length longer than available bytes: %q", data)
 }
- encKey := string(data[2 : keyLen+2])
+ encKey := data[2 : keyLen+2]
 encData := data[2+keyLen:]
- var transformer value.Transformer
 // Look up the decrypted DEK from cache or Envelope.
- _transformer, found := t.transformers.Get(encKey)
- if found {
- transformer = _transformer.(value.Transformer)
- } else {
+ transformer := t.getTransformer(encKey)
+ if transformer == nil {
 key, err := t.envelopeService.Decrypt(encKey)
 if err != nil {
 return nil, false, fmt.Errorf("error while decrypting key: %q", err)
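Review bot: The new doc comments on Decrypt and Encrypt in the Service interface are vaguer than the signatures they sit on: "bytearray" is not a Go term, and neither comment says which side is ciphertext and which is plaintext, which matters for an interface every external KMS provider has to implement. Suggest `// Decrypt takes ciphertext bytes produced by Encrypt and returns the original plaintext bytes.` and `// Encrypt takes plaintext bytes and returns ciphertext bytes that Decrypt can reverse.`. Now that raw byte slices cross this boundary, the comments are also the natural place to state whether an implementation may retain or modify the slice it is given, which the hunk leaves unsaid.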
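Review bot: `encKey := data[2 : keyLen+2]` is now a view into the caller's storage buffer instead of the copy the old `string(...)` made, and it is passed straight to `t.envelopeService.Decrypt(encKey)` (and presumably to addTransformer after the hunk), so a Service implementation that retains the slice or writes into it would alias the stored object. If that is not an accepted part of the Service contract, copying once here restores the old isolation at the cost the old code already paid: `encKey := append([]byte(nil), data[2:keyLen+2]...)`. The `transformer == nil` test is sound only because getTransformer returns a literal `nil` rather than a typed nil pointer, which deserves a one-line comment at the call site. TransformFromStorage begins and ends outside the hunk.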
@@ -136,16 +134,27 @@ func (t *envelopeTransformer) TransformToStorage(data []byte, context value.Cont
 var _ value.Transformer = &envelopeTransformer{}
 // addTransformer inserts a new transformer to the Envelope cache of DEKs for future reads.
-func (t *envelopeTransformer) addTransformer(encKey string, key []byte) (value.Transformer, error) {
+func (t *envelopeTransformer) addTransformer(encKey []byte, key []byte) (value.Transformer, error) {
 block, err := aes.NewCipher(key)
 if err != nil {
 return nil, err
 }
 transformer := t.baseTransformerFunc(block)
- t.transformers.Add(encKey, transformer)
+ // Use base64 of encKey as the key into the cache because hashicorp/golang-lru
+ // cannot hash []uint8.
+ t.transformers.Add(base64.StdEncoding.EncodeToString(encKey), transformer)
 return transformer, nil
 }
+// getTransformer fetches the transformer corresponding to encKey from cache, if it exists.
+func (t *envelopeTransformer) getTransformer(encKey []byte) value.Transformer {
+ _transformer, found := t.transformers.Get(base64.StdEncoding.EncodeToString(encKey))
+ if found {
+ return _transformer.(value.Transformer)
+ }
+ return nil
+}
+
 // generateKey generates a random key using system randomness.
 func generateKey(length int) ([]byte, error) {
 key := make([]byte, length)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
index 0ba68afc63d..3215a22f331 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
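Review bot: The comment added above `t.transformers.Add` gives the wrong reason for the base64 round-trip: the constraint is Go's map-key comparability rule (a `[]byte` cannot be a map key), not a hashing limitation of the LRU, and a `string` built from the raw bytes satisfies it for any byte sequence without an encode on every Add and Get — `string(encKey)` is enough and cheaper. If that is adopted it must change in both addTransformer and the new getTransformer together, so a small `cacheKey(encKey []byte) string` helper called from both would keep them in step and would make the `encoding/base64` import added in the earlier hunk of this file unnecessary; failing that, at least correct the comment to `// []byte is not comparable and cannot be a cache key; any byte sequence is a valid string key.`. Separately, the local `_transformer` in getTransformer uses an underscore prefix that Go naming avoids; `cached, found := ...` reads cleaner.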
@@ -42,22 +42,22 @@ type testEnvelopeService struct {
 keyVersion string
 }
-func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) {
+func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) {
 if t.disabled {
 return nil, fmt.Errorf("Envelope service was disabled")
 }
- dataChunks := strings.SplitN(data, ":", 2)
+ dataChunks := strings.SplitN(string(data), ":", 2)
 if len(dataChunks) != 2 {
 return nil, fmt.Errorf("invalid data encountered for decryption: %s. Missing key version", data)
 }
 return base64.StdEncoding.DecodeString(dataChunks[1])
 }
-func (t *testEnvelopeService) Encrypt(data []byte) (string, error) {
+func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) {
 if t.disabled {
- return "", fmt.Errorf("Envelope service was disabled")
+ return nil, fmt.Errorf("Envelope service was disabled")
 }
- return t.keyVersion + ":" + base64.StdEncoding.EncodeToString(data), nil
+ return []byte(t.keyVersion + ":" + base64.StdEncoding.EncodeToString(data)), nil
 }
 func (t *testEnvelopeService) SetDisabledStatus(status bool) {
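Review bot: The unchanged context line `fmt.Errorf("invalid data encountered for decryption: %s. Missing key version", data)` now receives a `[]byte`; `%s` still prints it, but ciphertext handed to Decrypt is arbitrary bytes and `%s` echoes them unescaped into the error, whereas `%q` quotes and escapes non-printables: `return nil, fmt.Errorf("invalid data encountered for decryption: %q. Missing key version", data)`. This is test-only code, so it is a minor point, but the signature is being touched anyway and the same error is the one test failures will surface.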