diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 452cb1494..83adc354d 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -185,13 +185,9 @@ func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error)
 return encyptedDEK, nil
 }
 
-// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
-func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
- passphrase, err := generateNewEncryptionPassphrase()
- if err != nil {
- return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
- }
-
+// StoreCryptoPassphrase takes an unencrypted passphrase, encrypts it and saves
+// it in the DEKStore.
+func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) error {
 encryptedPassphrase, err := ve.KMS.EncryptDEK(volumeID, passphrase)
 if err != nil {
 return fmt.Errorf("failed encrypt the passphrase for %s: %w", volumeID, err)
@@ -204,6 +200,16 @@ func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
 return nil
 }
 
+// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
+ passphrase, err := generateNewEncryptionPassphrase()
+ if err != nil {
+ return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
+ }
+
+ return ve.StoreCryptoPassphrase(volumeID, passphrase)
+}
+
 // GetCryptoPassphrase Retrieves passphrase to encrypt volume.
 func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
 passphrase, err := ve.dekStore.FetchDEK(volumeID)
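Review bot: `StoreCryptoPassphrase` in the first hunk is a new exported entry point that hands whatever string the caller supplies to `ve.KMS.EncryptDEK` without any validation, whereas before this change the only passphrase on this path came from `generateNewEncryptionPassphrase()`. An empty value would be wrapped and stored like any other and would presumably come back from `GetCryptoPassphrase` as the volume's key, so I would add a guard at the top of the function: `if passphrase == "" { return fmt.Errorf("refusing to store empty passphrase for %s", volumeID) }`. The doc comment should also say that the caller is responsible for the strength and origin of the passphrase. The remainder of the function body (the store step) lies between the two hunks and is not visible here.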
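Review bot: The doc comment re-added on `StoreNewCryptoPassphrase` in the second hunk still says the passphrase is saved "in the KMS", while the new `StoreCryptoPassphrase` it now delegates to names the DEKStore as the destination and `GetCryptoPassphrase` just below reads from `ve.dekStore`. Readers auditing where key material lives should not have to reconcile the two, so I would reword it to `// StoreNewCryptoPassphrase generates a new passphrase, encrypts it with the KMS and saves it in the DEKStore.`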