diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 0b632aa99..4afd8b4f7 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -61,6 +61,8 @@ const (
 	// DEK is stored.
 	metadataDEK    = "rbd.csi.ceph.com/dek"
 	oldMetadataDEK = ".rbd.csi.ceph.com/dek"
+
+	encryptionPassphraseSize = 20
 )
 
 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
@@ -100,7 +102,7 @@ func (ri *rbdImage) isEncrypted() bool {
 // - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
 // - the RBD image will be marked to support encryption in its metadata.
 func (ri *rbdImage) setupEncryption(ctx context.Context) error {
-	err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID)
+	err := ri.encryption.StoreNewCryptoPassphrase(ri.VolID, encryptionPassphraseSize)
 	if err != nil {
 		log.ErrorLog(ctx, "failed to save encryption passphrase for "+
 			"image %s: %s", ri, err)
diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index bec6b18a8..c7aaf0605 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@@ -36,7 +36,7 @@ const (
 
 	// Passphrase size - 20 bytes is 160 bits to satisfy:
 	// https://tools.ietf.org/html/rfc6749#section-10.10
-	encryptionPassphraseSize = 20
+	defaultEncryptionPassphraseSize = 20
 )
 
 var (
@@ -156,8 +156,8 @@ func (ve *VolumeEncryption) StoreCryptoPassphrase(volumeID, passphrase string) e
 }
 
 // StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
-func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
-	passphrase, err := generateNewEncryptionPassphrase()
+func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string, length int) error {
+	passphrase, err := generateNewEncryptionPassphrase(length)
 	if err != nil {
 		return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
 	}
@@ -176,8 +176,8 @@ func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error)
 }
 
 // generateNewEncryptionPassphrase generates a random passphrase for encryption.
-func generateNewEncryptionPassphrase() (string, error) {
-	bytesPassphrase := make([]byte, encryptionPassphraseSize)
+func generateNewEncryptionPassphrase(length int) (string, error) {
+	bytesPassphrase := make([]byte, length)
 	_, err := rand.Read(bytesPassphrase)
 	if err != nil {
 		return "", err
diff --git a/internal/util/crypto_test.go b/internal/util/crypto_test.go
index 28b8fefea..a5bb49da6 100644
--- a/internal/util/crypto_test.go
+++ b/internal/util/crypto_test.go
@@ -28,14 +28,14 @@ import (
 
 func TestGenerateNewEncryptionPassphrase(t *testing.T) {
 	t.Parallel()
-	b64Passphrase, err := generateNewEncryptionPassphrase()
+	b64Passphrase, err := generateNewEncryptionPassphrase(defaultEncryptionPassphraseSize)
 	require.NoError(t, err)
 
 	// b64Passphrase is URL-encoded, decode to verify the length of the
 	// passphrase
 	passphrase, err := base64.URLEncoding.DecodeString(b64Passphrase)
 	assert.NoError(t, err)
-	assert.Equal(t, encryptionPassphraseSize, len(passphrase))
+	assert.Equal(t, defaultEncryptionPassphraseSize, len(passphrase))
 }
 
 func TestKMSWorkflow(t *testing.T) {
@@ -56,7 +56,7 @@ func TestKMSWorkflow(t *testing.T) {
 
 	volumeID := "volume-id"
 
-	err = ve.StoreNewCryptoPassphrase(volumeID)
+	err = ve.StoreNewCryptoPassphrase(volumeID, defaultEncryptionPassphraseSize)
 	assert.NoError(t, err)
 
 	passphrase, err := ve.GetCryptoPassphrase(volumeID)