diff --git a/api/v1alpha1/sealedvolume_types.go b/api/v1alpha1/sealedvolume_types.go
index b077ac1..d95d754 100644
--- a/api/v1alpha1/sealedvolume_types.go
+++ b/api/v1alpha1/sealedvolume_types.go
@@ -25,9 +25,19 @@ import (
 
 // SealedVolumeSpec defines the desired state of SealedVolume
 type SealedVolumeSpec struct {
- TPMHash string `json:"TPMHash,omitempty"`
- Passphrase map[string]*SecretSpec `json:"partitionSecrets,omitempty"`
- Quarantined bool `json:"quarantined,omitempty"`
+ TPMHash string `json:"TPMHash,omitempty"`
+ Partitions []PartitionSpec `json:"partitions,omitempty"`
+ Quarantined bool `json:"quarantined,omitempty"`
+}
+
+// PartitionSpec defines a Partition. A partition can be identified using
+// any of the fields: Label, DeviceName, UUID. The Secret defines the secret
+// which decrypts the partition.
+type PartitionSpec struct {
+ Label string `json:"label"`
+ DeviceName string `json:"deviceName"`
+ UUID string `json:"uuid"`
+ Secret *SecretSpec `json:"secret"`
 }
 
 type SecretSpec struct {
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index fec9629..f1d2f6b 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -25,6 +25,22 @@ import (
 runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
+ *out = *in
+ out.Secret = in.Secret
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionSpec.
+func (in *PartitionSpec) DeepCopy() *PartitionSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(PartitionSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SealedVolume) DeepCopyInto(out *SealedVolume) {
 *out = *in
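Review bot: The three identifier fields of the new `PartitionSpec` carry plain `json:"label"`, `json:"deviceName"` and `json:"uuid"` tags (and `Secret` a plain `json:"secret"`), so the regenerated CRD in this same commit lists `deviceName`, `label`, `secret` and `uuid` under `required`, which contradicts the doc comment saying a partition can be identified by any one of the fields. Marking each identifier `// +optional` with `json:"label,omitempty"` (likewise `deviceName,omitempty` and `uuid,omitempty`) lets an operator set only the identifier they have and keeps empty strings out of the stored object, which matters because the challenger compares these fields directly. Separately, the generated `PartitionSpec.DeepCopyInto` in this commit copies the pointer with `out.Secret = in.Secret`, so copies of a `SealedVolumeSpec` share one `*SecretSpec`; that looks like stale or hand-edited generator output and is worth regenerating before the pointer field ships.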
@@ -87,20 +103,10 @@ func (in *SealedVolumeList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
 *out = *in
- if in.Passphrase != nil {
- in, out := &in.Passphrase, &out.Passphrase
- *out = make(map[string]*SecretSpec, len(*in))
- for key, val := range *in {
- var outVal *SecretSpec
- if val == nil {
- (*out)[key] = nil
- } else {
- in, out := &val, &outVal
- *out = new(SecretSpec)
- **out = **in
- }
- (*out)[key] = outVal
- }
+ if in.Partitions != nil {
+ in, out := &in.Partitions, &out.Partitions
+ *out = make([]PartitionSpec, len(*in))
+ copy(*out, *in)
 }
 }
 
diff --git a/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml b/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
index 6f91639..0506445 100644
--- a/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
+++ b/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
@@ -37,15 +37,32 @@ spec:
 properties:
 TPMHash:
 type: string
- partitionSecrets:
- additionalProperties:
+ partitions:
+ items:
+ description: 'PartitionSpec defines a Partition. A partition can
+ be identified using any of the fields: Label, DeviceName, UUID.
+ The Secret defines the secret which decrypts the partition.'
 properties:
- name:
+ deviceName:
 type: string
- path:
+ label:
 type: string
+ secret:
+ properties:
+ name:
+ type: string
+ path:
+ type: string
+ type: object
+ uuid:
+ type: string
+ required:
+ - deviceName
+ - label
+ - secret
+ - uuid
 type: object
- type: object
+ type: array
 quarantined:
 type: boolean
 type: object
diff --git a/pkg/challenger/challenger.go b/pkg/challenger/challenger.go
index c3f6a7e..81a467b 100644
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -92,12 +92,11 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 var passsecret *keyserverv1alpha1.SecretSpec
 for _, v := range volumeList.Items {
 if hashEncoded == v.Spec.TPMHash {
- for l, secretRef := range v.Spec.Passphrase {
- // TODO: Try the rest of the data (name, mountpoint) if label is not found
- if l == label {
+ for _, p := range v.Spec.Partitions {
+ if p.Label == label || p.DeviceName == name || p.UUID == uuid {
 found = true
 volume = v
- passsecret = secretRef
+ passsecret = p.Secret
 }
 }
 }
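Review bot: The new `if` compares all three identifiers unconditionally, so an empty field on either side counts as a match: a partition configured with only a UUID has `Label == ""` and will match any request whose `label` is empty (and likewise for `name` and `uuid`), handing out the secret for a partition the client never identified. Restrict each comparison to non-empty values, e.g. `if (label != "" && p.Label == label) || (name != "" && p.DeviceName == name) || (uuid != "" && p.UUID == uuid) {`. The loop also keeps scanning after a hit, so when two partitions match the last one silently wins; a `break` after `passsecret = p.Secret`, or rejecting an ambiguous match outright, would make the result deterministic. Where `label`, `name` and `uuid` are taken from the request is outside this hunk, and `Start` continues beyond it.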