diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index ff8f5637c..82e1feee4 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -20,7 +20,6 @@ import (
 "context"
 "encoding/base64"
 "encoding/json"
- "errors"
 "fmt"
 "io/ioutil"
 "os"
@@ -34,12 +33,7 @@ const (
 mapperFilePrefix = "luks-rbd-"
 mapperFilePathPrefix = "/dev/mapper"
 
- // Encryption passphrase location in K8s secrets
- encryptionPassphraseKey = "encryptionPassphrase"
- kmsTypeKey = "encryptionKMSType"
-
- // Default KMS type
- defaultKMSType = "default"
+ kmsTypeKey = "encryptionKMSType"
 
 // kmsConfigPath is the location of the vault config file
 kmsConfigPath = "/etc/ceph-csi-encryption-kms-config/config.json"
@@ -67,46 +61,6 @@ type EncryptionKMS interface {
 GetID() string
 }
 
-// SecretsKMS is default KMS implementation that means no KMS is in use.
-type SecretsKMS struct {
- passphrase string
-}
-
-func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
- passphraseValue, ok := secrets[encryptionPassphraseKey]
- if !ok {
- return nil, errors.New("missing encryption passphrase in secrets")
- }
- return SecretsKMS{passphrase: passphraseValue}, nil
-}
-
-// Destroy frees all used resources.
-func (kms SecretsKMS) Destroy() {
- // nothing to do
-}
-
-// GetPassphrase returns passphrase from Kubernetes secrets.
-func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
- return kms.passphrase, nil
-}
-
-// SavePassphrase does nothing, as there is no passphrase per key (volume), so
-// no need to store is anywhere.
-func (kms SecretsKMS) SavePassphrase(key, value string) error {
- return nil
-}
-
-// DeletePassphrase is doing nothing as no new passphrases are saved with
-// SecretsKMS.
-func (kms SecretsKMS) DeletePassphrase(key string) error {
- return nil
-}
-
-// GetID is returning ID representing default KMS `default`.
-func (kms SecretsKMS) GetID() string {
- return defaultKMSType
-}
-
 // GetKMS returns an instance of Key Management System.
 //
 // - tenant is the owner of the Volume, used to fetch the Vault Token from the
diff --git a/internal/util/secretskms.go b/internal/util/secretskms.go
new file mode 100644
index 000000000..9d853c0f4
--- /dev/null
+++ b/internal/util/secretskms.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2019 The Ceph-CSI Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+ "errors"
+ "fmt"
+)
+
+const (
+ // Encryption passphrase location in K8s secrets
+ encryptionPassphraseKey = "encryptionPassphrase"
+
+ // Default KMS type
+ defaultKMSType = "default"
+
+ // kmsTypeSecretsMetadata is the SecretsKMS with per-volume encryption,
+ // where the DEK is stored in the metadata of the volume itself.
+ kmsTypeSecretsMetadata = "metadata"
+)
+
+// SecretsKMS is default KMS implementation that means no KMS is in use.
+type SecretsKMS struct {
+ passphrase string
+}
+
+// initSecretsKMS initializes a SecretsKMS that uses the passphrase from the
+// secret that is configured for the StorageClass. This KMS provider uses a
+// single (LUKS) passhprase for all volumes.
+func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
+ passphraseValue, ok := secrets[encryptionPassphraseKey]
+ if !ok {
+ return nil, errors.New("missing encryption passphrase in secrets")
+ }
+ return SecretsKMS{passphrase: passphraseValue}, nil
+}
+
+// GetID is returning ID representing default KMS `default`.
+func (kms SecretsKMS) GetID() string {
+ return defaultKMSType
+}
+
+// Destroy frees all used resources.
+func (kms SecretsKMS) Destroy() {
+ // nothing to do
+}
+
+// FetchDEK returns passphrase from Kubernetes secrets.
+func (kms SecretsKMS) FetchDEK(key string) (string, error) {
+ return kms.passphrase, nil
+}
+
+// StoreDEK does nothing, as there is no passphrase per key (volume), so
+// no need to store is anywhere.
+func (kms SecretsKMS) StoreDEK(key, value string) error {
+ return nil
+}
+
+// RemoveDEK is doing nothing as no new passphrases are saved with
+// SecretsKMS.
+func (kms SecretsKMS) RemoveDEK(key string) error {
+ return nil
+}
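Review bot: initSecretsKMS in the new file only checks that the encryptionPassphrase key exists in the secret, so a Secret that carries the key with an empty value is accepted and the empty string becomes the LUKS passphrase that FetchDEK hands out for every volume of the StorageClass; the guard should reject empty values too, `if !ok || passphraseValue == "" {` with `return nil, errors.New("missing or empty encryption passphrase in secrets")`. Separately, `fmt` is imported but nothing in the 77 added lines references it, and `kmsTypeSecretsMetadata` is declared with a comment describing a per-volume DEK-in-metadata provider that this file does not implement, so unless another hunk of this commit uses them the import will fail to compile ("imported and not used") and the constant is dead. Since this type documents itself as "no KMS is in use", the SecretsKMS doc comment should also state the security consequence already implied by initSecretsKMS's comment: `// One passphrase is shared by all volumes of the StorageClass; whoever can read the Secret can unlock every volume.` Two comment typos while here: "passhprase" in the initSecretsKMS doc and "no need to store is anywhere" in the StoreDEK doc ("store it anywhere").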