diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 1be6f2bbc..bc393ce09 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -101,6 +101,29 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
 	return nil
 }
 
+func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error {
+	passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.KMS)
+	if err != nil {
+		util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
+			rv.String(), err)
+		return err
+	}
+
+	if err = util.EncryptVolume(ctx, devicePath, passphrase); err != nil {
+		err = fmt.Errorf("failed to encrypt volume %s: %w", rv.String(), err)
+		util.ErrorLog(ctx, err.Error())
+		return err
+	}
+
+	err = rv.ensureEncryptionMetadataSet(rbdImageEncrypted)
+	if err != nil {
+		util.ErrorLog(ctx, err.Error())
+		return err
+	}
+
+	return nil
+}
+
 func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string) (string, error) {
 	passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.KMS)
 	if err != nil {
diff --git a/internal/rbd/nodeserver.go b/internal/rbd/nodeserver.go
index cd303dd06..3e6c30a0d 100644
--- a/internal/rbd/nodeserver.go
+++ b/internal/rbd/nodeserver.go
@@ -818,7 +818,7 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
 
 		switch existingFormat {
 		case "":
-			err = encryptDevice(ctx, volOptions, devicePath)
+			err = volOptions.encryptDevice(ctx, devicePath)
 			if err != nil {
 				return "", fmt.Errorf("failed to encrypt rbd image %s: %w", imageSpec, err)
 			}
@@ -846,29 +846,6 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
 	return devicePath, nil
 }
 
-func encryptDevice(ctx context.Context, rbdVol *rbdVolume, devicePath string) error {
-	passphrase, err := util.GetCryptoPassphrase(rbdVol.VolID, rbdVol.KMS)
-	if err != nil {
-		util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
-			rbdVol, err)
-		return err
-	}
-
-	if err = util.EncryptVolume(ctx, devicePath, passphrase); err != nil {
-		err = fmt.Errorf("failed to encrypt volume %s: %w", rbdVol, err)
-		util.ErrorLog(ctx, err.Error())
-		return err
-	}
-
-	err = rbdVol.ensureEncryptionMetadataSet(rbdImageEncrypted)
-	if err != nil {
-		util.ErrorLog(ctx, err.Error())
-		return err
-	}
-
-	return nil
-}
-
 // xfsSupportsReflink checks if mkfs.xfs supports the "-m reflink=0|1"
 // argument. In case it is supported, return true.
 func (ns *NodeServer) xfsSupportsReflink() bool {