diff --git a/cmd/discovery/client/client.go b/cmd/discovery/client/client.go
index 7382315..a3b3f50 100644
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@@ -69,7 +69,7 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 // IF server doesn't have a pass for us, then we generate one and we set it
 if _, _, err := getPass(challengeEndpoint, p); err == errPartNotFound {
 rand := utils.RandomString(32)
- pass, err := tpm.EncodeBlob([]byte(rand))
+ pass, err := tpm.EncryptBlob([]byte(rand))
 if err != nil {
 return "", err
 }
@@ -123,7 +123,7 @@ func (c *Client) decryptPassphrase(pass string) (string, error) {
 if c.Config.Kcrypt.Challenger.TPMDevice != "" {
 opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
 }
- passBytes, err := tpm.DecodeBlob(blob, opts...)
+ passBytes, err := tpm.DecryptBlob(blob, opts...)
 return string(passBytes), err
 }
diff --git a/cmd/discovery/client/config.go b/cmd/discovery/client/config.go
index 7428143..388fed4 100644
--- a/cmd/discovery/client/config.go
+++ b/cmd/discovery/client/config.go
@@ -12,8 +12,10 @@ type Client struct {
 type Config struct {
 Kcrypt struct {
 Challenger struct {
- Server string `yaml:"challenger_server,omitempty"`
- NVIndex string `yaml:"nv_index,omitempty"`
+ Server string `yaml:"challenger_server,omitempty"`
+ // Non-volatile index memory: where we store the encrypted passphrase (offline mode)
+ NVIndex string `yaml:"nv_index,omitempty"`
+ // Certificate index: this is where the rsa pair that decrypts the passphrase lives
 CIndex string `yaml:"c_index,omitempty"`
 TPMDevice string `yaml:"tpm_device,omitempty"`
 }
diff --git a/cmd/discovery/client/enc.go b/cmd/discovery/client/enc.go
index 74d1e3b..75517f7 100644
--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
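Review bot: `pass, err := tpm.EncryptBlob([]byte(rand))` declares a fresh `pass` inside the `if` body, shadowing the named result `pass string` from the signature, and redeclares `err` beside the one bound by the `if` initializer; the value produced here therefore never reaches the named result, which matters if the rest of waitPass (outside the hunk, as is its start) relies on it or on a bare `return`. Assigning instead of declaring, `pass, err = tpm.EncryptBlob([]byte(rand))`, keeps the named result and the initializer's `err` in play and still satisfies the `if err != nil` check below. The local `rand` holds the freshly generated plaintext passphrase, not a random source; naming it `plain` or `passphrase` would make clear what is being encrypted, and the same applies to the `rand := utils.RandomString(32)` line in the genAndStore hunk of enc.go.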
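Review bot: `return string(passBytes), err` hands the caller a converted value even when `tpm.DecryptBlob` failed, so on an error path the result may be a non-empty but meaningless string; Go convention is that the value is meaningless on a non-nil error, and a caller that inspects the string before the error would be misled. Replace the line with `if err != nil { return "", err }` followed by `return string(passBytes), nil`. The same pattern is in the `localPass` hunk of enc.go, which also keeps the now-stale name `encodedPass` for what the renamed API treats as ciphertext. The start of decryptPassphrase, where `blob` and `opts` are built, lies outside the hunk.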
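Review bot: The new comment on `CIndex` reads `the rsa pair that decrypts the passphrase`; `RSA key pair` is the conventional spelling, and since the sibling comment labels `NVIndex` as NV index memory it would help to state whether `CIndex` is likewise a TPM NV index handle and what string form both fields expect (presumably a hex handle string; confirm against tpm-helpers). `Server` is left without a comment while its two neighbours gained one; a line such as `// Challenger server the client asks for a passphrase (online mode)` would keep the struct uniformly documented. The enclosing Config struct continues outside the hunk.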
@@ -25,10 +25,10 @@ func getPass(server string, partition *block.Partition) (string, bool, error) {
 if err != nil {
 return "", false, errors.Wrap(err, string(msg))
 }
- gen, generated := result["generated"]
+ generatedBy, generated := result[constants.GeneratedByKey]
 p, ok := result["passphrase"]
 if ok {
- return fmt.Sprint(p), generated && gen == constants.TPMSecret, nil
+ return fmt.Sprint(p), generated && generatedBy == constants.TPMSecret, nil
 }
 return "", false, errPartNotFound
 }
@@ -44,7 +44,7 @@ func genAndStore(k Config) (string, error) {
 // Generate a new one, and return it to luks
 rand := utils.RandomString(32)
- blob, err := tpm.EncodeBlob([]byte(rand))
+ blob, err := tpm.EncryptBlob([]byte(rand))
 if err != nil {
 return "", err
 }
@@ -79,6 +79,6 @@ func localPass(k Config) (string, error) {
 if k.Kcrypt.Challenger.TPMDevice != "" {
 opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
 }
- pass, err := tpm.DecodeBlob(encodedPass, opts...)
+ pass, err := tpm.DecryptBlob(encodedPass, opts...)
 return string(pass), err
 }
diff --git a/go.mod b/go.mod
index d2d5ae4..878e678 100644
--- a/go.mod
+++ b/go.mod
@@ -7,13 +7,14 @@ require (
 github.com/jaypipes/ghw v0.9.0
 github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
- github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83
+ github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b
 github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
 github.com/mudler/yip v0.11.4
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/ginkgo/v2 v2.7.0
 github.com/onsi/gomega v1.25.0
 github.com/pkg/errors v0.9.1
+ k8s.io/api v0.24.2
 k8s.io/apimachinery v0.24.2
 k8s.io/client-go v0.24.2
 sigs.k8s.io/controller-runtime v0.12.2
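Review bot: `p, ok := result["passphrase"]` still uses a bare literal key while the lookup on the line above now goes through `constants.GeneratedByKey`; both keys are part of the same response contract with the challenger server and belong in one place, so the passphrase key should come from a matching exported constant in the constants package (adding one if none exists). The bool from the new lookup is named `generated`, but it only reports that the key was present, so `generatedBy, found := result[constants.GeneratedByKey]` and `found && generatedBy == constants.TPMSecret` read more honestly. The `==` against `constants.TPMSecret` also relies on the map's value type being comparable with that constant; if `result` is `map[string]interface{}` (the `fmt.Sprint(p)` on the passphrase suggests it might be), a non-string value silently compares unequal rather than failing loudly. The start of getPass, where `result` and `msg` are obtained, lies outside the hunk.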
@@ -63,8 +64,8 @@ require (
 github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/go-tpm v0.3.3 // indirect
- github.com/google/go-tpm-tools v0.3.7 // indirect
- github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
+ github.com/google/go-tpm-tools v0.3.10 // indirect
+ github.com/google/go-tspi v0.3.0 // indirect
 github.com/google/gofuzz v1.1.0 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/uuid v1.3.0 // indirect
@@ -122,7 +123,6 @@ require (
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 howett.net/plist v1.0.0 // indirect
- k8s.io/api v0.24.2 // indirect
 k8s.io/apiextensions-apiserver v0.24.2 // indirect
 k8s.io/component-base v0.24.2 // indirect
 k8s.io/klog/v2 v2.80.1 // indirect
diff --git a/go.sum b/go.sum
index a02cd16..2520cd2 100644
--- a/go.sum
+++ b/go.sum
@@ -358,6 +358,7 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-sev-guest v0.4.1 h1:IjxtGAvzR+zSyAqMc1FWfYKCg1cwPkBly9+Xog3YMZc=
 github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
 github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
 github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
@@ -367,13 +368,15 @@ github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfH
 github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4=
 github.com/google/go-tpm-tools v0.2.1/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4=
 github.com/google/go-tpm-tools v0.3.1/go.mod h1:PSg+r5hSZI5tP3X7LBQx2sW1VSZUqZHBSrKyDqrB21U=
-github.com/google/go-tpm-tools v0.3.7 h1:YoR3hS6m8QpL7pz1VXVgWkUrb8ERsC0SCuKP7dPW62I=
-github.com/google/go-tpm-tools v0.3.7/go.mod h1:rp+rDmmDCnWiMmxOTF3ypWxpChEQ4vwA6wtAIq09Qtc=
-github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad h1:LnpS22S8V1HqbxjveESGAazHhi6BX9SwI2Rij7qZcXQ=
+github.com/google/go-tpm-tools v0.3.10 h1:hz9EoyG4Ewa0leT3OvxlWprq14Lw0RBmfFcH9H9+Yas=
+github.com/google/go-tpm-tools v0.3.10/go.mod h1:HQfQboO+M8pRtBfO5U3KMhwzfC/XC3TaMCgRfTpII8Q=
 github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
+github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
+github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -509,8 +512,8 @@ github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 h1:CRLvgZ5/
 github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1/go.mod h1:YAqNNHoJyWknQQtWFmYDgvchClhhuMCrsdZdSVhIegc=
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea h1:1gnZW0HJt1YeU7Vul/xQpC8msBPUR43iqJNwc+Z+D48=
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea/go.mod h1:w8k7pDYjFVvt/qsEDNN/nt9qw4URg70cEKLPHGhnNgU=
-github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83 h1:iMkcVgFwK943ssSyuHK2/iPzOqNnz496TMbdPx/WP6A=
-github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
+github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b h1:pwe1AlcpEAFA937Yl81mmQwE80wtxUEvBaMLrvrAb9Y=
+github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
 github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
@@ -655,6 +658,7 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/packethost/packngo v0.1.0/go.mod h1:otzZQXgoO96RTzDB/Hycg0qZcXZsWJGJRSXbmEIJ+4M=
 github.com/packethost/packngo v0.25.0/go.mod h1:/UHguFdPs6Lf6FOkkSEPnRY5tgS0fsVM+Zv/bvBrmt0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/permbits v0.0.0-20190612203442-39d7c581d2ee/go.mod h1:3uODdxMgOaPYeWU7RzZLxVtJHZ/x1f/iHkBZuKJDzuY=