diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 9f2b4dbfe..183781ee8 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -192,7 +192,7 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
 		return nil
 	}
 
-	err = rv.setKMS(volOptions["encryptionKMSID"], credentials)
+	err = rv.configureEncryption(volOptions["encryptionKMSID"], credentials)
 	if err != nil {
 		return fmt.Errorf("invalid encryption kms configuration: %w", err)
 	}
@@ -200,13 +200,21 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
 	return nil
 }
 
-func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {
+// configureEncryption sets up the VolumeEncryption for this rbdVolume. Once
+// configured, use isEncrypted() to see if the volume supports encryption.
+func (rv *rbdVolume) configureEncryption(kmsID string, credentials map[string]string) error {
 	kms, err := util.GetKMS(rv.Owner, kmsID, credentials)
 	if err != nil {
 		return err
 	}
 
-	rv.encryption = &util.VolumeEncryption{KMS: kms}
+	rv.encryption, err = util.NewVolumeEncryption(kms)
+
+	// if the KMS can not store the DEK itself, we'll store it in the
+	// metadata of the RBD image itself
+	if errors.Is(err, util.ErrDEKStoreNeeded) {
+		rv.encryption.SetDEKStore(rv)
+	}
 
 	return nil
 }
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 88149e5b0..4cef4ccea 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -833,7 +833,7 @@ func genVolFromVolID(ctx context.Context, volumeID string, cr *util.Credentials,
 	rbdVol.Owner = imageAttributes.Owner
 
 	if imageAttributes.KmsID != "" {
-		err = rbdVol.setKMS(imageAttributes.KmsID, secrets)
+		err = rbdVol.configureEncryption(imageAttributes.KmsID, secrets)
 		if err != nil {
 			return rbdVol, err
 		}
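Review bot: In the second encryption.go hunk, the error from `util.NewVolumeEncryption(kms)` is only inspected for `util.ErrDEKStoreNeeded`; any other error is dropped and `configureEncryption` still returns nil, so a volume whose encryption setup failed is treated as correctly configured, and `rv.encryption` is left as whatever the failed call returned (possibly nil, which later callers would dereference). Since callers in initKMS and genVolFromVolID already wrap or propagate this function's error, the fix is to add an explicit branch after the DEK-store case: `} else if err != nil {` / `return fmt.Errorf("configuring volume encryption: %w", err)` / `}`. The `SetDEKStore` call also relies on `NewVolumeEncryption` returning a usable object alongside `ErrDEKStoreNeeded`; if that contract is not documented on the util side, a one-line comment here stating it would help the next reader. The `errors` import is assumed to already exist in this file, as it is not part of the diff.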