diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
index 313ec48c9..41bb6902a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
@@ -18,6 +18,7 @@ import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.security.Key;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.ECPrivateKey;
@@ -39,18 +40,7 @@ class JWEHelper {
 private JWEHelper() {}
 public static JWEObject encryptUserKey(ECPrivateKey userKey, ECPublicKey deviceKey) {
- try {
- var encodedUserKey = Base64.getEncoder().encodeToString(userKey.getEncoded());
- var keyGen = new ECKeyGenerator(Curve.P_384);
- var ephemeralKeyPair = keyGen.generate();
- var header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A256GCM).ephemeralPublicKey(ephemeralKeyPair.toPublicJWK()).build();
- var payload = new Payload(Map.of(JWE_PAYLOAD_KEY_FIELD, encodedUserKey));
- var jwe = new JWEObject(header, payload);
- jwe.encrypt(new ECDHEncrypter(deviceKey));
- return jwe;
- } catch (JOSEException e) {
- throw new RuntimeException(e);
- }
+ return encryptKey(userKey, deviceKey);
 }
 public static ECPrivateKey decryptUserKey(JWEObject jwe, String setupCode) throws InvalidJweKeyException {
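Review bot: The removed body of `encryptUserKey` wrote the Base64 key under `JWE_PAYLOAD_KEY_FIELD`, but the payload line of the shared `encryptKey` helper is outside the visible hunks, so it is worth confirming that the helper uses the same field; otherwise the user-key JWE format changes silently for whoever decrypts it. Because the wrapper is now a single call, a short Javadoc would record the contract that used to be readable from the body, e.g. `/** Wraps the user's private key in an ECDH-ES / A256GCM JWE addressed to {@code deviceKey}; the payload holds the Base64 of {@code userKey.getEncoded()}. */`. A matching comment on `encryptVaultKey` would make clear that the two public methods exist to restrict which key types reach the generic helper.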
@@ -118,8 +108,12 @@ class JWEHelper {
 }
 public static JWEObject encryptVaultKey(Masterkey vaultKey, ECPublicKey userKey) {
+ return encryptKey(vaultKey, userKey);
+ }
+
+ private static JWEObject encryptKey(Key key, ECPublicKey userKey) {
 try {
- var encodedVaultKey = Base64.getEncoder().encodeToString(vaultKey.getEncoded());
+ var encodedVaultKey = Base64.getEncoder().encodeToString(key.getEncoded());
 var keyGen = new ECKeyGenerator(Curve.P_384);
 var ephemeralKeyPair = keyGen.generate();
 var header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A256GCM).ephemeralPublicKey(ephemeralKeyPair.toPublicJWK()).build();
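Review bot: The new shared helper `encryptKey` still carries names from the vault-key path, `encodedVaultKey` and a recipient parameter called `userKey`, although `encryptUserKey` now passes a device key in that position and a user key as the payload. In key-wrapping code a misleading recipient name makes it easier to wrap for the wrong party, so consider `private static JWEObject encryptKey(Key key, ECPublicKey recipientKey)` and `var encodedKey = ...`; the rename has to be carried through the rest of the body, which continues outside this hunk. Widening the argument to `java.security.Key` also admits keys whose `getEncoded()` returns null, which the interface allows for keys without an encoded form. A guard such as `var raw = Objects.requireNonNull(key.getEncoded(), "key has no encoded form");` before the Base64 call would fail with a clear message instead of an NPE inside the encoder. If `getEncoded()` returns a copy (not visible here), the same `raw` array could be zeroed once it has been encoded, though the Base64 `String` will still linger on the heap.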