diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index 81e4c10..8ebed8e 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -12,7 +12,7 @@ import (
 )
 
 const (
-	IVLen     = contentenc.IVBitLen / 8
+	IVLen     = contentenc.DefaultIVBits / 8
 	blockSize = contentenc.DefaultBS + IVLen + cryptocore.AuthTagLen
 )
 
diff --git a/internal/contentenc/content.go b/internal/contentenc/content.go
index 5a628c8..7561859 100644
--- a/internal/contentenc/content.go
+++ b/internal/contentenc/content.go
@@ -16,8 +16,9 @@ type NonceMode int
 const (
 	// Default plaintext block size
 	DefaultBS = 4096
-	// We always use 128-bit IVs for file content encryption
-	IVBitLen = 128
+	// We always use 128-bit IVs for file content, but the
+	// key in the config file is encrypted with a 96-bit IV.
+	DefaultIVBits = 128
 
 	_                                   = iota // skip zero
 	RandomNonce               NonceMode = iota
diff --git a/internal/contentenc/content_test.go b/internal/contentenc/content_test.go
index faa2780..70b71fe 100644
--- a/internal/contentenc/content_test.go
+++ b/internal/contentenc/content_test.go
@@ -23,7 +23,7 @@ func TestSplitRange(t *testing.T) {
 		testRange{6654, 8945})
 
 	key := make([]byte, cryptocore.KeyLen)
-	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, IVBitLen)
+	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, DefaultIVBits)
 	f := New(cc, DefaultBS)
 
 	for _, r := range ranges {
@@ -51,7 +51,7 @@ func TestCiphertextRange(t *testing.T) {
 		testRange{6654, 8945})
 
 	key := make([]byte, cryptocore.KeyLen)
-	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, IVBitLen)
+	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, DefaultIVBits)
 	f := New(cc, DefaultBS)
 
 	for _, r := range ranges {
@@ -74,7 +74,7 @@ func TestCiphertextRange(t *testing.T) {
 
 func TestBlockNo(t *testing.T) {
 	key := make([]byte, cryptocore.KeyLen)
-	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, IVBitLen)
+	cc := cryptocore.New(key, cryptocore.BackendOpenSSL, DefaultIVBits)
 	f := New(cc, DefaultBS)
 
 	b := f.CipherOffToBlockNo(788)
diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
index c15cd44..295d011 100644
--- a/internal/fusefrontend/fs.go
+++ b/internal/fusefrontend/fs.go
@@ -37,7 +37,7 @@ type FS struct {
 
 // Encrypted FUSE overlay filesystem
 func NewFS(args Args) *FS {
-	cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.IVBitLen)
+	cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.DefaultIVBits)
 	contentEnc := contentenc.New(cryptoCore, contentenc.DefaultBS)
 	nameTransform := nametransform.New(cryptoCore, args.LongNames)
 
diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go
index cfe23b6..06ca07e 100644
--- a/internal/fusefrontend_reverse/rfs.go
+++ b/internal/fusefrontend_reverse/rfs.go
@@ -44,7 +44,7 @@ type reverseFS struct {
 
 // Encrypted FUSE overlay filesystem
 func NewFS(args fusefrontend.Args) *reverseFS {
-	cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.IVBitLen)
+	cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.DefaultIVBits)
 	contentEnc := contentenc.New(cryptoCore, contentenc.DefaultBS)
 	nameTransform := nametransform.New(cryptoCore, args.LongNames)