diff --git a/cmd/ctr/commands/images/decrypt.go b/cmd/ctr/commands/images/decrypt.go
index c3f3caca5..f0c2b203b 100644
--- a/cmd/ctr/commands/images/decrypt.go
+++ b/cmd/ctr/commands/images/decrypt.go
@@ -88,11 +88,8 @@ var decryptCommand = cli.Command{
 return err
 }
- cc := &encconfig.CryptoConfig{
- DecryptConfig: &encconfig.DecryptConfig{
- Parameters: dcparameters,
- },
- }
+ cc := encconfig.InitDecryption(dcparameters)
+
 _, err = decryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
 return err
diff --git a/cmd/ctr/commands/images/encrypt.go b/cmd/ctr/commands/images/encrypt.go
index 09a5356e6..ac6b7abb2 100644
--- a/cmd/ctr/commands/images/encrypt.go
+++ b/cmd/ctr/commands/images/encrypt.go
@@ -133,14 +133,8 @@ var encryptCommand = cli.Command{
 dcparameters["privkeys-passwords"] = privKeysPasswords
 dcparameters["x509s"] = decX509s
- cc := &encconfig.CryptoConfig{
- EncryptConfig: &encconfig.EncryptConfig{
- Parameters: parameters,
- DecryptConfig: encconfig.DecryptConfig{
- Parameters: dcparameters,
- },
- },
- }
+ cc := encconfig.InitEncryption(parameters, dcparameters)
+
 _, err = encryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
 return err
diff --git a/image_enc_test.go b/image_enc_test.go
index 73837f6f9..d0cad1b96 100644
--- a/image_enc_test.go
+++ b/image_enc_test.go
@@ -129,14 +129,7 @@ func TestImageEncryption(t *testing.T) {
 dcparameters["privkeys"] = [][]byte{privateKey}
 dcparameters["privkeys-passwords"] = [][]byte{{}}
- cc := &encconfig.CryptoConfig{
- EncryptConfig: &encconfig.EncryptConfig{
- Parameters: parameters,
- DecryptConfig: encconfig.DecryptConfig{
- Parameters: dcparameters,
- },
- },
- }
+ cc := encconfig.InitEncryption(parameters, dcparameters)
 // Perform encryption of image
 encSpec, modified, err := imgenc.EncryptImage(ctx, client.ContentStore(), image.Target, cc, lf)
@@ -156,11 +149,8 @@ func TestImageEncryption(t *testing.T) {
 t.Fatalf("Unable to create image: %v", err)
 }
- cc = &encconfig.CryptoConfig{
- DecryptConfig: &encconfig.DecryptConfig{
- Parameters: dcparameters,
- },
- }
+ cc = encconfig.InitDecryption(dcparameters)
+
 // Clean up function cancels lease before deleting the image so the images are
 // properly deleted
 defer func() {
diff --git a/images/encryption/encryption.go b/images/encryption/encryption.go
index 687fa5983..69fbf4941 100644
--- a/images/encryption/encryption.go
+++ b/images/encryption/encryption.go
@@ -415,15 +415,13 @@ func DecryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor
 // It takes decrypting of the layers only as far as decrypting the asymmetrically encrypted data
 // The decryption is only done for the current platform
 func CheckAuthorization(ctx context.Context, cs content.Store, desc ocispec.Descriptor, dc *encconfig.DecryptConfig) error {
- cc := encconfig.CryptoConfig{
- DecryptConfig: dc,
- }
+ cc := encconfig.InitDecryption(dc.Parameters)
 lf := func(desc ocispec.Descriptor) bool {
 return true
 }
- _, _, err := cryptImage(ctx, cs, desc, &cc, lf, cryptoOpUnwrapOnly)
+ _, _, err := cryptImage(ctx, cs, desc, cc, lf, cryptoOpUnwrapOnly)
 if err != nil {
 return errors.Wrapf(err, "you are not authorized to use this image")
 }
diff --git a/pkg/encryption/config/config.go b/pkg/encryption/config/config.go
index 8d44fa0e8..937ba2513 100644
--- a/pkg/encryption/config/config.go
+++ b/pkg/encryption/config/config.go
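Review bot: In CheckAuthorization (images/encryption/encryption.go) the new line `cc := encconfig.InitDecryption(dc.Parameters)` reads through `dc` before anything checks that it is non-nil, so a caller passing a nil *encconfig.DecryptConfig now panics on that line, where the removed code only stored the pointer in the struct. Since this function is the authorization gate for an encrypted image, it should fail closed with an error instead, for example `if dc == nil { return errors.New("no decryption configuration provided") }` ahead of the InitDecryption call. The rewrite also carries over only `Parameters`; if DecryptConfig has or later gains other fields they would be dropped here without notice, which may deserve a comment. The function body continues past the end of the hunk.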
@@ -38,3 +38,26 @@ type CryptoConfig struct {
 EncryptConfig *EncryptConfig
 DecryptConfig *DecryptConfig
 }
+
+// InitDecryption initialized a CryptoConfig object with parameters used for decryption
+func InitDecryption(dcparameters map[string][][]byte) *CryptoConfig {
+ return &CryptoConfig{
+ DecryptConfig: &DecryptConfig{
+ Parameters: dcparameters,
+ },
+ }
+}
+
+// InitEncryption initializes a CryptoConfig object with parameters used for encryption
+// It also takes dcparameters that may be needed for decryption when adding a recipient
+// to an already encrypted image
+func InitEncryption(parameters, dcparameters map[string][][]byte) *CryptoConfig {
+ return &CryptoConfig{
+ EncryptConfig: &EncryptConfig{
+ Parameters: parameters,
+ DecryptConfig: DecryptConfig{
+ Parameters: dcparameters,
+ },
+ },
+ }
+}
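Review bot: The doc comments on InitDecryption and InitEncryption do not say that the returned CryptoConfig keeps the caller's maps rather than copying them. That matters here because `dcparameters` carries private keys and their passwords (the `privkeys` and `privkeys-passwords` keys set by the callers in this commit), so a caller that clears or reuses the map after the call changes the config as well. I would add `// The parameter maps are stored by reference, not copied; do not modify them while the config is in use.` to both functions. The first comment also has a typo and should read `// InitDecryption initializes a CryptoConfig object with parameters used for decryption`.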