diff --git a/pkg/encryption/config/config.go b/pkg/encryption/config/config.go
index 937ba2513..487ea8e5b 100644
--- a/pkg/encryption/config/config.go
+++ b/pkg/encryption/config/config.go
@@ -61,3 +61,45 @@ func InitEncryption(parameters, dcparameters map[string][][]byte) *CryptoConfig
 },
 }
 }
+
+// CombineCryptoConfigs takes a CryptoConfig list and creates a single CryptoConfig
+// containing the crypto configuration of all the key bundles
+func CombineCryptoConfigs(ccs []CryptoConfig) CryptoConfig {
+ ecparam := map[string][][]byte{}
+ ecdcparam := map[string][][]byte{}
+ dcparam := map[string][][]byte{}
+
+ for _, cc := range ccs {
+ if ec := cc.EncryptConfig; ec != nil {
+ addToMap(ecparam, ec.Parameters)
+ addToMap(ecdcparam, ec.DecryptConfig.Parameters)
+ }
+
+ if dc := cc.DecryptConfig; dc != nil {
+ addToMap(dcparam, dc.Parameters)
+ }
+ }
+
+ return CryptoConfig{
+ EncryptConfig: &EncryptConfig{
+ Parameters: ecparam,
+ DecryptConfig: DecryptConfig{
+ Parameters: ecdcparam,
+ },
+ },
+ DecryptConfig: &DecryptConfig{
+ Parameters: dcparam,
+ },
+ }
+
+}
+
+func addToMap(orig map[string][][]byte, add map[string][][]byte) {
+ for k, v := range add {
+ if ov, ok := orig[k]; ok {
+ orig[k] = append(ov, v...)
+ } else {
+ orig[k] = v
+ }
+ }
+}
diff --git a/pkg/encryption/config/constructors.go b/pkg/encryption/config/constructors.go
new file mode 100644
index 000000000..0d36d11da
--- /dev/null
+++ b/pkg/encryption/config/constructors.go
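Review bot: `addToMap` stores the caller's slice directly in `orig[k]` the first time a key is seen and then `append`s the next bundle's values onto it, so when that slice has spare capacity (for example one produced by an earlier `CombineCryptoConfigs`) the append writes into the backing array owned by the source CryptoConfig's Parameters map — the merged result aliases, and can mutate, its inputs. Dropping the branch avoids this: `orig[k] = append(orig[k], v...)` allocates fresh storage for a new key (append onto a nil slice) and never retains the source array. Separately, `privkeys` and `privkeys-passwords` are concatenated as independent lists; if the unwrap side pairs them by index (not visible here), a bundle carrying a private key but no password would shift every later password onto the wrong key, so the function's doc comment should at least say `// NOTE: parallel lists such as privkeys/privkeys-passwords are concatenated per key; callers must keep them index-aligned across bundles.` `addToMap` also lacks a doc comment; `// addToMap appends each value list in add onto the list stored under the same key in orig, creating the key if absent.` would do.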
@@ -0,0 +1,91 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package config
+
+// NewJweCryptoConfig returns a CryptoConfig that contains the required configuration for using
+// the jwe keyunwrap interface
+func NewJweCryptoConfig(pubKey *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
+ pubKeys := [][]byte{}
+ privKeys := [][]byte{}
+ privKeysPasswords := [][]byte{}
+
+ if pubKey != nil {
+ pubKeys = append(pubKeys, *pubKey)
+ }
+ if privKey != nil {
+ privKeys = append(privKeys, *privKey)
+ }
+ if privKeyPassword != nil {
+ privKeysPasswords = append(privKeysPasswords, []byte(*privKeyPassword))
+ }
+
+ dc := DecryptConfig{
+ Parameters: map[string][][]byte{
+ "privkeys": privKeys,
+ "privkeys-passwords": privKeysPasswords,
+ },
+ }
+
+ ep := map[string][][]byte{
+ "pubkeys": pubKeys,
+ }
+
+ return CryptoConfig{
+ EncryptConfig: &EncryptConfig{
+ Parameters: ep,
+ DecryptConfig: dc,
+ },
+ DecryptConfig: &dc,
+ }
+}
+
+// NewPkcs7CryptoConfig returns a CryptoConfig that contains the required configuration for using
+// the pkcs7 keyunwrap interface
+func NewPkcs7CryptoConfig(x509 *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
+ x509s := [][]byte{}
+ privKeys := [][]byte{}
+ privKeysPasswords := [][]byte{}
+
+ if x509 != nil {
+ x509s = append(x509s, *x509)
+ }
+ if privKey != nil {
+ privKeys = append(privKeys, *privKey)
+ }
+ if privKeyPassword != nil {
+ privKeysPasswords = append(privKeysPasswords, []byte(*privKeyPassword))
+ }
+
+ dc := DecryptConfig{
+ Parameters: map[string][][]byte{
+ "privkeys": privKeys,
+ "privkeys-passwords": privKeysPasswords,
+ },
+ }
+
+ ep := map[string][][]byte{
+ "x509s": x509s,
+ }
+
+ return CryptoConfig{
+ EncryptConfig: &EncryptConfig{
+ Parameters: ep,
+ DecryptConfig: dc,
+ },
+ DecryptConfig: &dc,
+ }
+}
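Review bot: `NewJweCryptoConfig` and `NewPkcs7CryptoConfig` have identical bodies differing only in the EncryptConfig parameter key (`"pubkeys"` vs `"x509s"`), so the map-building logic is duplicated and any later fix (say, rejecting an empty key blob) has to be made twice; an unexported helper taking the key name removes the copy while leaving both exported signatures intact. The `*[]byte` parameters are also unidiomatic — a `[]byte` is already nil-able, so the pointer only adds an indirection and lets a caller pass a pointer to an empty slice, which the `!= nil` check accepts and turns into an empty `pubkeys`/`x509s` entry rather than none. Since a private key passed without a password leaves `privkeys-passwords` empty while `privkeys` has one entry, and it is not visible here whether the unwrap side tolerates the shorter list, that case is worth a sentence in the doc comment, e.g. `// privKeyPassword may be nil for an unencrypted private key.`
```go
// newKeyConfig builds the CryptoConfig shared by the JWE and PKCS7 constructors;
// encKeyName is the EncryptConfig parameter key ("pubkeys" or "x509s").
func newKeyConfig(encKeyName string, encKey *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
	// … unchanged: body of NewJweCryptoConfig, with pubKey/pubKeys renamed to encKey/encKeys …
	ep := map[string][][]byte{
		encKeyName: encKeys,
	}
	// … unchanged: return CryptoConfig{...} …
}

// NewJweCryptoConfig returns a CryptoConfig that contains the required configuration for using
// the jwe keyunwrap interface
func NewJweCryptoConfig(pubKey *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
	return newKeyConfig("pubkeys", pubKey, privKey, privKeyPassword)
}

// NewPkcs7CryptoConfig returns a CryptoConfig that contains the required configuration for using
// the pkcs7 keyunwrap interface
func NewPkcs7CryptoConfig(x509 *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
	return newKeyConfig("x509s", x509, privKey, privKeyPassword)
}
```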