diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index 99bd9b661b..bffbf1f5d3 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -3559,9 +3559,10 @@

KeyAccess

ephemeral_public_key - bytes + string -

For wrapping with an ECDH derived key, when type=ec-wrapped

+

For wrapping with an ECDH derived key, when type=ec-wrapped. +Should be a PEM-encoded PKCS#8 (asn.1) value.

diff --git a/protocol/go/kas/kas.pb.go b/protocol/go/kas/kas.pb.go
index c1052bf362..cd41a7c299 100644
--- a/protocol/go/kas/kas.pb.go
+++ b/protocol/go/kas/kas.pb.go
@@ -227,8 +227,9 @@ type KeyAccess struct { WrappedKey []byte `protobuf:"bytes,8,opt,name=wrapped_key,json=wrappedKey,proto3" json:"wrapped_key,omitempty"` // header is only used for NanoTDFs Header []byte `protobuf:"bytes,9,opt,name=header,proto3" json:"header,omitempty"` - // For wrapping with an ECDH derived key, when type=ec-wrapped - EphemeralPublicKey []byte `protobuf:"bytes,10,opt,name=ephemeral_public_key,json=ephemeralPublicKey,proto3" json:"ephemeral_public_key,omitempty"` + // For wrapping with an ECDH derived key, when type=ec-wrapped. + // Should be a PEM-encoded PKCS#8 (asn.1) value. + EphemeralPublicKey string `protobuf:"bytes,10,opt,name=ephemeral_public_key,json=ephemeralPublicKey,proto3" json:"ephemeral_public_key,omitempty"` } func (x *KeyAccess) Reset() {
@@ -326,11 +327,11 @@ func (x *KeyAccess) GetHeader() []byte { return nil } -func (x *KeyAccess) GetEphemeralPublicKey() []byte { +func (x *KeyAccess) GetEphemeralPublicKey() string { if x != nil { return x.EphemeralPublicKey } - return nil + return "" } type UnsignedRewrapRequest struct { 
@@ -1051,7 +1052,7 @@ var file_kas_kas_proto_rawDesc = []byte{ 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x14, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c, 0x5f, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0c, + 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0x86, 0x05, 0x0a, 0x15, 0x55, 0x6e, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x52, 0x65, 0x77, 0x72, 0x61, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2a,
diff --git a/sample.tdf b/sample.tdf
new file mode 100644
index 0000000000..556f6c0adc
Binary files /dev/null and b/sample.tdf differ
diff --git a/sdk/tdf.go b/sdk/tdf.go
index 08be44591e..87d853a46f 100644
--- a/sdk/tdf.go
+++ b/sdk/tdf.go
@@ -975,7 +975,7 @@ func createRewrapRequest(_ context.Context, r *Reader) (map[string]*kas.Unsigned
 },
 SplitId: kao.SplitID,
 WrappedKey: key,
- EphemeralPublicKey: []byte(kao.EphemeralPublicKey),
+ EphemeralPublicKey: kao.EphemeralPublicKey,
 },
 }
 if req, ok := kasReqs[kao.KasURL]; ok {
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
index 195872012b..7b7fd2e9d3 100644
--- a/service/kas/access/rewrap.go
+++ b/service/kas/access/rewrap.go
@@ -170,7 +170,7 @@ func extractAndConvertV1SRTBody(body []byte) (kaspb.UnsignedRewrapRequest, error
 SplitId: kao.SID,
 WrappedKey: kao.WrappedKey,
 Header: kao.Header,
- EphemeralPublicKey: []byte(kao.EphemeralPublicKey),
+ EphemeralPublicKey: kao.EphemeralPublicKey,
 },
 },
 },
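Review bot: sample.tdf is a new binary at the repository root that nothing else in this diff references, so it is unclear whether it is a fixture for the string-typed ephemeral key or an accidental commit. If it is a fixture, it belongs under a testdata directory next to the test that reads it; otherwise drop it from the commit. Since a TDF manifest carries the key access objects that sdk/tdf.go reads here (KAS URL, split id, wrapped key, ephemeral public key), confirm the file was produced against a non-production KAS before it ships in the repository.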
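Review bot: kao.EphemeralPublicKey now goes into a proto3 string field unchecked, and google.golang.org/protobuf refuses to marshal a proto3 string that is not valid UTF-8, so a manifest whose ephemeralPublicKey is binary or corrupted now fails when the rewrap request is serialized, with a generic protobuf error, instead of reaching the KAS and getting its PEM error. If the SDK marshals with that module, a guard before the request is built, `if !utf8.ValidString(kao.EphemeralPublicKey) { return nil, fmt.Errorf("key access object for %s: ephemeral public key is not text", kao.KasURL) }` (unicode/utf8 imported, and the return adjusted to createRewrapRequest's error shape), reports the bad manifest at its source. createRewrapRequest begins and ends outside the hunk, so its return signature is only partly visible here.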
@@ -467,7 +467,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 ephemeralPubKeyPEM := kao.GetKeyAccessObject().GetEphemeralPublicKey() // Get EC key size and convert to mode
- keySize, err := ocrypto.GetECKeySize(ephemeralPubKeyPEM)
+ keySize, err := ocrypto.GetECKeySize([]byte(ephemeralPubKeyPEM))
 if err != nil {
 return nil, results, fmt.Errorf("failed to get EC key size: %w", err)
 }
@@ -478,7 +478,7 @@ func (p *Provider) verifyRewrapRequests(ctx context.Context, req *kaspb.Unsigned
 } // Parse the PEM public key
- block, _ := pem.Decode(ephemeralPubKeyPEM)
+ block, _ := pem.Decode([]byte(ephemeralPubKeyPEM))
 if block == nil {
 return nil, results, fmt.Errorf("failed to decode PEM block")
 }
diff --git a/service/kas/kas.proto b/service/kas/kas.proto
index 79642387d7..72b8913e7f 100644
--- a/service/kas/kas.proto
+++ b/service/kas/kas.proto
@@ -48,8 +48,9 @@ message KeyAccess { // header is only used for NanoTDFs bytes header = 9;
- // For wrapping with an ECDH derived key, when type=ec-wrapped
- bytes ephemeral_public_key = 10;
+ // For wrapping with an ECDH derived key, when type=ec-wrapped.
+ // Should be a PEM-encoded PKCS#8 (asn.1) value.
+ string ephemeral_public_key = 10;
 } message UnsignedRewrapRequest {
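Review bot: ephemeralPubKeyPEM is converted with []byte twice in this function, here for GetECKeySize and again at the pem.Decode call in the @@ -478 hunk; binding the bytes once on the line the hunk starts with, `ephemeralPubKeyPEM := []byte(kao.GetKeyAccessObject().GetEphemeralPublicKey())`, removes both conversions and keeps the variable's name honest about what it holds. With the field now a string, an empty value from a client reaches GetECKeySize and is reported only through its generic error; unless the lines above the hunk already guard it, `if len(ephemeralPubKeyPEM) == 0 { return nil, results, fmt.Errorf("ec-wrapped key access object has no ephemeral public key") }` ahead of the size lookup names the actual problem. verifyRewrapRequests begins and ends outside the hunk.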
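Review bot: The new comment describes ephemeral_public_key as PKCS#8, but PKCS#8 is the private-key container (PrivateKeyInfo); a PEM-encoded public key is a SubjectPublicKeyInfo, the `PUBLIC KEY` label of RFC 7468, which is presumably what the pem.Decode path in service/kas/access/rewrap.go goes on to parse. Suggest `// Should be a PEM-encoded SubjectPublicKeyInfo (PKIX "PUBLIC KEY" block).` and regenerating kas.pb.go and docs/grpc/index.html so their copies follow. Switching bytes to string keeps field number 10 and wire type 2, but proto3 string parsing rejects non-UTF-8 payloads and the JSON mapping changes from base64 to raw text, so a peer still sending the base64 form of the old bytes field will now be rejected at pem.Decode rather than at parse time; stating in the comment that only PEM text is accepted from this version on makes that break visible to API consumers.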