diff --git a/e2e/rbd_helper.go b/e2e/rbd_helper.go
index 097ed127f..11b1a6c3c 100644
--- a/e2e/rbd_helper.go
+++ b/e2e/rbd_helper.go
@@ -494,7 +494,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
 // - Metadata of the image should be set with the encryption state;
 // - The pvc should be mounted by a pod, so the filesystem type can be fetched.
 func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
-	encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
+	encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
 	if err != nil {
 		return err
 	}
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 47ebbd342..d13656ded 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -53,16 +53,18 @@ const (
 	rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
 
 	// image metadata key for encryption.
-	encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
+	encryptionMetaKey    = "rbd.csi.ceph.com/encrypted"
+	oldEncryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
 
 	// metadataDEK is the key in the image metadata where the (encrypted)
 	// DEK is stored.
-	metadataDEK = ".rbd.csi.ceph.com/dek"
+	metadataDEK    = "rbd.csi.ceph.com/dek"
+	oldMetadataDEK = ".rbd.csi.ceph.com/dek"
 )
 
 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
 func (ri *rbdImage) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
-	value, err := ri.GetMetadata(encryptionMetaKey)
+	value, err := ri.MigrateMetadata(oldEncryptionMetaKey, encryptionMetaKey, string(rbdImageEncryptionUnknown))
 	if errors.Is(err, librbd.ErrNotFound) {
 		util.DebugLog(ctx, "image %s encrypted state not set", ri)
 
@@ -317,7 +319,7 @@ func (ri *rbdImage) FetchDEK(volumeID string) (string, error) {
 		return "", fmt.Errorf("volume %q can not fetch DEK for %q", ri, volumeID)
 	}
 
-	return ri.GetMetadata(metadataDEK)
+	return ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")
 }
 
 // RemoveDEK does not need to remove the DEK from the metadata, the image is