diff --git a/src/config/crypto/ConcreteInnerEncryptor.h b/src/config/crypto/ConcreteInnerEncryptor.h
index c2777b7c..31864c62 100644
--- a/src/config/crypto/ConcreteInnerEncryptor.h
+++ b/src/config/crypto/ConcreteInnerEncryptor.h
@@ -54,12 +54,13 @@ namespace cryfs {
     boost::optional<cpputils::Data> ConcreteInnerEncryptor<Cipher>::_deserialize(const cpputils::Data &ciphertext) const {
         cpputils::Deserializer deserializer(&ciphertext);
         try {
+            _checkHeader(&deserializer);
             std::string readCipherName = deserializer.readString();
             if (readCipherName != _cipherName) {
                 cpputils::logging::LOG(cpputils::logging::ERROR) << "Wrong inner cipher used";
                 return boost::none;
             }
-            auto result = deserializer.readData();
+            auto result = deserializer.readTailData();
             deserializer.finished();
             return result;
         } catch (const std::exception &e) {
@@ -78,10 +79,12 @@ namespace cryfs {
     template<class Cipher>
     cpputils::Data ConcreteInnerEncryptor<Cipher>::_serialize(const cpputils::Data &ciphertext) const {
         try {
-            cpputils::Serializer serializer(cpputils::Serializer::StringSize(_cipherName)
-                                            + cpputils::Serializer::DataSize(ciphertext));
+            cpputils::Serializer serializer(cpputils::Serializer::StringSize(HEADER)
+                                            + cpputils::Serializer::StringSize(_cipherName)
+                                            + ciphertext.size());
+            serializer.writeString(HEADER);
             serializer.writeString(_cipherName);
-            serializer.writeData(ciphertext);
+            serializer.writeTailData(ciphertext);
             return serializer.finished();
         } catch (const std::exception &e) {
             cpputils::logging::LOG(cpputils::logging::ERROR) << "Error serializing inner configuration: " << e.what();
diff --git a/src/config/crypto/CryConfigEncryptor.cpp b/src/config/crypto/CryConfigEncryptor.cpp
index 1fa1334e..58517103 100644
--- a/src/config/crypto/CryConfigEncryptor.cpp
+++ b/src/config/crypto/CryConfigEncryptor.cpp
@@ -11,7 +11,7 @@ using boost::none;
 using namespace cpputils::logging;
 
 namespace cryfs {
-    const string CryConfigEncryptor::HEADER = "cryfs.config;0.8.1;scrypt";
+    const string CryConfigEncryptor::HEADER = "cryfs.config;0;scrypt";
 
     CryConfigEncryptor::CryConfigEncryptor(unique_ref<InnerEncryptor> innerEncryptor, OuterCipher::EncryptionKey outerKey, DerivedKeyConfig keyConfig)
             : _innerEncryptor(std::move(innerEncryptor)), _outerKey(std::move(outerKey)), _keyConfig(std::move(keyConfig)) {
@@ -39,10 +39,10 @@ namespace cryfs {
         try {
             Serializer serializer(Serializer::StringSize(HEADER)
                                   + _keyConfig.serializedSize()
-                                  + Serializer::DataSize(ciphertext));
+                                  + ciphertext.size());
             writeHeader(&serializer);
             _keyConfig.serialize(&serializer);
-            serializer.writeData(ciphertext);
+            serializer.writeTailData(ciphertext);
             return serializer.finished();
         } catch (const std::exception &e) {
             cpputils::logging::LOG(cpputils::logging::ERROR) << "Error serializing CryConfigEncryptor: " << e.what();
@@ -69,7 +69,7 @@ namespace cryfs {
     }
 
     optional<Data> CryConfigEncryptor::_loadAndDecryptConfigData(Deserializer *deserializer) {
-        auto ciphertext = deserializer->readData();
+        auto ciphertext = deserializer->readTailData();
         auto inner = OuterCipher::decrypt(static_cast<const uint8_t*>(ciphertext.data()), ciphertext.size(), _outerKey);
         if(inner == none) {
             return none;
diff --git a/src/config/crypto/InnerEncryptor.cpp b/src/config/crypto/InnerEncryptor.cpp
index b9a12c2c..ec8f3b75 100644
--- a/src/config/crypto/InnerEncryptor.cpp
+++ b/src/config/crypto/InnerEncryptor.cpp
@@ -1 +1,21 @@
-#include "InnerEncryptor.h"
\ No newline at end of file
+#include "InnerEncryptor.h"
+
+using std::string;
+using cpputils::Deserializer;
+using cpputils::Serializer;
+
+namespace cryfs {
+    const string InnerEncryptor::HEADER = "cryfs.config.inner;0";
+
+    void InnerEncryptor::_checkHeader(Deserializer *deserializer) {
+        string header = deserializer->readString();
+        if (header != HEADER) {
+            throw std::runtime_error("Invalid header");
+        }
+    }
+
+    void InnerEncryptor::_writeHeader(Serializer *serializer) {
+        serializer->writeString(HEADER);
+    }
+
+}
\ No newline at end of file
diff --git a/src/config/crypto/InnerEncryptor.h b/src/config/crypto/InnerEncryptor.h
index 38935328..3e63a3bf 100644
--- a/src/config/crypto/InnerEncryptor.h
+++ b/src/config/crypto/InnerEncryptor.h
@@ -5,12 +5,21 @@
 #include <messmer/cpp-utils/data/Data.h>
 #include <messmer/cpp-utils/pointer/unique_ref.h>
 #include <boost/optional.hpp>
+#include <messmer/cpp-utils/data/Deserializer.h>
+#include <messmer/cpp-utils/data/Serializer.h>
 
 namespace cryfs {
     class InnerEncryptor {
     public:
         virtual cpputils::Data encrypt(const cpputils::Data &plaintext) const = 0;
         virtual boost::optional <cpputils::Data> decrypt(const cpputils::Data &plaintext) const = 0;
+
+    protected:
+        static void _checkHeader(cpputils::Deserializer *deserializer);
+        static void _writeHeader(cpputils::Serializer *serializer);
+
+    private:
+        static const std::string HEADER;
     };
 }