diff --git a/internal/kms/keyprotect.go b/internal/kms/keyprotect.go
index 387666db9..ac4d58a35 100644
--- a/internal/kms/keyprotect.go
+++ b/internal/kms/keyprotect.go
@@ -251,7 +251,8 @@ func (kms *KeyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err
 			err)
 	}
 
-	result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, nil)
+	aadVolID := []string{volumeID}
+	result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, &aadVolID)
 	if err != nil {
 		return "", fmt.Errorf("failed to unwrap the DEK: %w", err)
 	}