Diffstat (limited to 'actions')
-rw-r--r--actions/config.go4
-rw-r--r--actions/policy.go8
-rw-r--r--actions/protector.go6
3 files changed, 16 insertions, 2 deletions
diff --git a/actions/config.go b/actions/config.go
index 7fdaf5b..6b019df 100644
--- a/actions/config.go
+++ b/actions/config.go
@@ -133,6 +133,10 @@ func getConfig() (*metadata.Config, error) {
config.Options.Filenames = metadata.DefaultOptions.Filenames
log.Printf("Falling back to filenames mode of %q", config.Options.Filenames)
}
+ if config.Options.PolicyVersion == 0 {
+ config.Options.PolicyVersion = metadata.DefaultOptions.PolicyVersion
+ log.Printf("Falling back to policy version of %d", config.Options.PolicyVersion)
+ }
if err := config.CheckValidity(); err != nil {
return nil, errors.Wrap(ErrBadConfigFile, err.Error())
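Review bot: The new `if config.Options.PolicyVersion == 0` fallback has no comment saying that zero stands for a missing field, which matters because the value it fills in selects the policy version used for policies created from this config. Since the default comes from `metadata.DefaultOptions`, the same config file can presumably resolve to a different version after an upgrade, and the only trace is the `log.Printf` line. I would add `// 0 means the field is absent (e.g. a config written by an older release); use the default, CheckValidity below still rejects unknown versions.` above the block, after confirming that CheckValidity does validate the version. getConfig starts and ends outside this hunk.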
diff --git a/actions/policy.go b/actions/policy.go
index b9cd88c..f6d3ea9 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -95,11 +95,17 @@ func CreatePolicy(ctx *Context, protector *Protector) (*Policy, error) {
return nil, err
}
+ keyDescriptor, err := crypto.ComputeKeyDescriptor(key, ctx.Config.Options.PolicyVersion)
+ if err != nil {
+ key.Wipe()
+ return nil, err
+ }
+
policy := &Policy{
Context: ctx,
data: &metadata.PolicyData{
Options: ctx.Config.Options,
- KeyDescriptor: crypto.ComputeDescriptor(key),
+ KeyDescriptor: keyDescriptor,
},
key: key,
created: true,
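Review bot: Nothing at the `crypto.ComputeKeyDescriptor(key, ctx.Config.Options.PolicyVersion)` call records that the descriptor must be computed with the same version that is stored through `Options: ctx.Config.Options`; if the two ever diverge, the stored policy would presumably carry a descriptor of the wrong format. A comment such as `// Descriptor format follows the policy version; keep this in step with the Options stored below.` would pin that. The same argument is a bare `1` in the actions/protector.go hunk (`crypto.ComputeKeyDescriptor(protector.key, 1)`), where a named constant or a comment saying why protectors stay on version 1 would help. The early `key.Wipe()` on the new error path is right; CreatePolicy's body continues outside the hunk, so later error paths could not be checked here.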
diff --git a/actions/protector.go b/actions/protector.go
index fe5d694..4bd7c15 100644
--- a/actions/protector.go
+++ b/actions/protector.go
@@ -140,7 +140,11 @@ func CreateProtector(ctx *Context, name string, keyFn KeyFunc) (*Protector, erro
if protector.key, err = crypto.NewRandomKey(metadata.InternalKeyLen); err != nil {
return nil, err
}
- protector.data.ProtectorDescriptor = crypto.ComputeDescriptor(protector.key)
+ protector.data.ProtectorDescriptor, err = crypto.ComputeKeyDescriptor(protector.key, 1)
+ if err != nil {
+ protector.Lock()
+ return nil, err
+ }
if err = protector.Rewrap(keyFn); err != nil {
protector.Lock()