diff --git a/backend/composite_values.go b/backend/composite_values.go
index e6287f54d3bca02e9309a0165221210ddaa151c0..c6c57006c0bd5714e8a7f1da6f09c9c331fbe7f5 100644
--- a/backend/composite_values.go
+++ b/backend/composite_values.go
@@ -2,11 +2,14 @@ package backend
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
 	"git.autistici.org/ai3/accountserver"
 )
 
+// Extend the AppSpecificPasswordInfo type, which only contains public
+// information, with the encrypted password.
 type appSpecificPassword struct {
 	accountserver.AppSpecificPasswordInfo
 	Password string
@@ -63,3 +66,26 @@ func getASPInfo(asps []*appSpecificPassword) []*accountserver.AppSpecificPasswor
 	}
 	return out
 }
+
+func decodeUserEncryptionKeys(values []string) []*accountserver.UserEncryptionKey {
+	var out []*accountserver.UserEncryptionKey
+	for _, value := range values {
+		idx := strings.IndexByte(value, ':')
+		if idx < 0 {
+			continue
+		}
+		out = append(out, &accountserver.UserEncryptionKey{
+			ID:  value[:idx],
+			Key: []byte(value[idx+1:]),
+		})
+	}
+	return out
+}
+
+func encodeUserEncryptionKeys(keys []*accountserver.UserEncryptionKey) []string {
+	var out []string
+	for _, key := range keys {
+		out = append(out, fmt.Sprintf("%s:%s", key.ID, string(key.Key)))
+	}
+	return out
+}
diff --git a/backend/model.go b/backend/model.go
index 32f4b1884c39141d4c14f6a05416402e368d4d66..1c53ba583a9e086746077383649cfd0b755e4681 100644
--- a/backend/model.go
+++ b/backend/model.go
@@ -272,11 +272,11 @@ func (tx *backendTX) SetUserPassword(ctx context.Context, user *accountserver.Us
 
 func (tx *backendTX) GetUserEncryptionKeys(ctx context.Context, user *accountserver.User) ([]*accountserver.UserEncryptionKey, error) {
 	rawKeys := tx.readAttributeValues(ctx, getUserDN(user), "storageEncryptionKey")
-	return accountserver.DecodeUserEncryptionKeys(rawKeys), nil
+	return decodeUserEncryptionKeys(rawKeys), nil
 }
 
 func (tx *backendTX) SetUserEncryptionKeys(ctx context.Context, user *accountserver.User, keys []*accountserver.UserEncryptionKey) error {
-	encKeys := accountserver.EncodeUserEncryptionKeys(keys)
+	encKeys := encodeUserEncryptionKeys(keys)
 	tx.setAttr(getUserDN(user), "storageEncryptionKey", encKeys...)
 	return nil
 }
diff --git a/types.go b/types.go
index 88faacb83e29af6c4583a68496827171a6a81c9d..a544ed9dceda9a70485afa4f9f847d3af497eba4 100644
--- a/types.go
+++ b/types.go
@@ -3,7 +3,6 @@ package accountserver
 import (
 	"encoding/json"
 	"errors"
-	"fmt"
 	"net/url"
 	"path/filepath"
 	"strings"
@@ -84,29 +83,6 @@ type UserEncryptionKey struct {
 	Key []byte `json:"key"`
 }
 
-func DecodeUserEncryptionKeys(values []string) []*UserEncryptionKey {
-	var out []*UserEncryptionKey
-	for _, value := range values {
-		idx := strings.IndexByte(value, ':')
-		if idx < 0 {
-			continue
-		}
-		out = append(out, &UserEncryptionKey{
-			ID:  value[:idx],
-			Key: []byte(value[idx+1:]),
-		})
-	}
-	return out
-}
-
-func EncodeUserEncryptionKeys(keys []*UserEncryptionKey) []string {
-	var out []string
-	for _, key := range keys {
-		out = append(out, fmt.Sprintf("%s:%s", key.ID, string(key.Key)))
-	}
-	return out
-}
-
 const (
 	ResourceTypeEmail       = "email"
 	ResourceTypeMailingList = "list"