diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go
index a355342..43cfdbc 100644
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@@ -86,13 +86,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			if IVLen != 16 {
 				log.Panic("stupidgcm only supports 128-bit IVs")
 			}
-			// stupidgcm does not create a private copy of the key, so things
-			// break when initFuseFrontend() overwrites it with zeros. Create
-			// a copy here. This is unnecessary when useHKDF == true, but
-			// does no harm.
-			var stupidgcmKey []byte
-			stupidgcmKey = append(stupidgcmKey, gcmKey...)
-			aeadCipher = stupidgcm.New(stupidgcmKey, forceDecode)
+			aeadCipher = stupidgcm.New(gcmKey, forceDecode)
 		case BackendGoGCM:
 			goGcmBlockCipher, err := aes.NewCipher(gcmKey)
 			if err != nil {
diff --git a/internal/stupidgcm/stupidgcm.go b/internal/stupidgcm/stupidgcm.go
index 77d6770..c8aecca 100644
--- a/internal/stupidgcm/stupidgcm.go
+++ b/internal/stupidgcm/stupidgcm.go
@@ -33,10 +33,12 @@ type StupidGCM struct {
 var _ cipher.AEAD = &StupidGCM{}
 
 // New returns a new cipher.AEAD implementation..
-func New(key []byte, forceDecode bool) cipher.AEAD {
-	if len(key) != keyLen {
+func New(keyIn []byte, forceDecode bool) cipher.AEAD {
+	if len(keyIn) != keyLen {
 		log.Panicf("Only %d-byte keys are supported", keyLen)
 	}
+	// Create a private copy of the key
+	key := append([]byte{}, keyIn...)
 	return &StupidGCM{key: key, forceDecode: forceDecode}
 }