diff --git a/Cargo.lock b/Cargo.lock
index a9c3ca1..0210e59 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -508,7 +508,7 @@ dependencies = [
 
 [[package]]
 name = "card-cli"
-version = "1.13.0"
+version = "1.13.1"
 dependencies = [
  "aes-gcm-stream",
  "authenticator 0.3.1",
diff --git a/Cargo.toml b/Cargo.toml
index 197f673..f8647e6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.13.0"
+version = "1.13.1"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"
 
diff --git a/src/cmd_external_public_key.rs b/src/cmd_external_public_key.rs
index 93e0109..2da3dcd 100644
--- a/src/cmd_external_public_key.rs
+++ b/src/cmd_external_public_key.rs
@@ -55,8 +55,9 @@ fn fetch_public_key(parameter: &str, serial_opt: &Option<&str>) -> XResult<Vec<u
             if key.usage != KeyUsage::Singing {
                 simple_error!("Not singing key")
             } else {
+                let private_key = cmd_hmac_decrypt::try_decrypt(&key.private_key)?;
                 let (_, public_key_der, _) =
-                    seutil::recover_secure_enclave_p256_public_key(&key.private_key, true)?;
+                    seutil::recover_secure_enclave_p256_public_key(&private_key, true)?;
                 Ok(public_key_der)
             }
         }
diff --git a/src/cmd_external_sign.rs b/src/cmd_external_sign.rs
index 644e1c1..043164b 100644
--- a/src/cmd_external_sign.rs
+++ b/src/cmd_external_sign.rs
@@ -65,7 +65,8 @@ pub fn sign(alg: &str, message: &[u8], key_uri: KeyUri, sub_arg_matches: &ArgMat
             if key.usage != KeyUsage::Singing {
                 return simple_error!("Not singing key");
             }
-            seutil::secure_enclave_p256_sign(&key.private_key, message)
+            let private_key = cmd_hmac_decrypt::try_decrypt(&key.private_key)?;
+            seutil::secure_enclave_p256_sign(&private_key, message)
         }
         KeyUri::YubikeyPivKey(key) => {
             let mut yk = yubikeyutil::open_yubikey_with_args(sub_arg_matches)?;
diff --git a/src/cmd_se_ecdh.rs b/src/cmd_se_ecdh.rs
index 15e60ee..dfca8d1 100644
--- a/src/cmd_se_ecdh.rs
+++ b/src/cmd_se_ecdh.rs
@@ -35,7 +35,6 @@ impl Command for CommandImpl {
         let key = sub_arg_matches.value_of("key").unwrap();
         let epk = sub_arg_matches.value_of("epk").unwrap();
 
-        let key = cmd_hmac_decrypt::try_decrypt(key)?;
         let key_uri = parse_key_uri(&key)?;
         let se_key_uri = key_uri.as_secure_enclave_key()?;
         debugging!("Secure enclave key URI: {:?}", se_key_uri);
@@ -59,8 +58,9 @@ impl Command for CommandImpl {
             opt_result!(hex::decode(epk), "Decode public key from hex failed: {}")
         };
 
+        let private_key = cmd_hmac_decrypt::try_decrypt(&se_key_uri.private_key)?;
         let dh = seutil::secure_enclave_p256_dh(
-            &se_key_uri.private_key,
+            &private_key,
             &ephemeral_public_key_der_bytes,
         )?;
         let dh_hex = hex::encode(&dh);
diff --git a/src/cmd_se_ecsign.rs b/src/cmd_se_ecsign.rs
index 106e564..d3630ad 100644
--- a/src/cmd_se_ecsign.rs
+++ b/src/cmd_se_ecsign.rs
@@ -45,12 +45,12 @@ impl Command for CommandImpl {
             Some(input) => input.as_bytes().to_vec(),
         };
 
-        let key = cmd_hmac_decrypt::try_decrypt(key)?;
         let key_uri = parse_key_uri(&key)?;
         let se_key_uri = key_uri.as_secure_enclave_key()?;
         debugging!("Secure enclave key URI: {:?}", se_key_uri);
 
-        let signature = seutil::secure_enclave_p256_sign(&se_key_uri.private_key, &input_bytes)?;
+        let private_key = cmd_hmac_decrypt::try_decrypt(&se_key_uri.private_key)?;
+        let signature = seutil::secure_enclave_p256_sign(&private_key, &input_bytes)?;
 
         if json_output {
             let mut json = BTreeMap::<&'_ str, String>::new();
diff --git a/src/cmd_se_generate.rs b/src/cmd_se_generate.rs
index fabd1cb..96f34f1 100644
--- a/src/cmd_se_generate.rs
+++ b/src/cmd_se_generate.rs
@@ -60,6 +60,8 @@ impl Command for CommandImpl {
 
         let (public_key_point, public_key_der, private_key) =
             seutil::generate_secure_enclave_p256_keypair(sign, require_bio)?;
+
+        let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?;
         let key_uri = format!(
             "key://{}:se/p256:{}:{}",
             host,
@@ -67,8 +69,6 @@ impl Command for CommandImpl {
             private_key,
         );
 
-        let key_uri = cmd_hmac_encrypt::do_encrypt(&key_uri, &mut None, sub_arg_matches)?;
-
         print_se_key(json_output, &public_key_point, &public_key_der, &key_uri);
         Ok(None)
     }