diff --git a/src/credential.rs b/src/credential.rs
index cf17cda..5b7acfd 100644
--- a/src/credential.rs
+++ b/src/credential.rs
@@ -4,7 +4,11 @@ use core::cmp::Ordering;
 
 use serde::Serialize;
 use serde_bytes::ByteArray;
-use trussed::{client, syscall, try_syscall, types::KeyId};
+use serde_indexed::{DeserializeIndexed, SerializeIndexed};
+use trussed::{
+    client, syscall, try_syscall,
+    types::{KeyId, Message, ShortData},
+};
 
 pub(crate) use ctap_types::{
     // authenticator::{ctap1, ctap2, Error, Request, Response},
@@ -53,7 +57,7 @@ impl CredentialId {
             associated_data,
             Some(nonce)
         ));
-        EncryptedSerializedCredential(encrypted_serialized_credential)
+        EncryptedSerializedCredential::from(encrypted_serialized_credential)
             .try_into()
             .map_err(|_| Error::RequestTooLarge)
     }
@@ -64,15 +68,34 @@ impl CredentialId {
 // pub type SerializedCredential = Bytes<256>;
 pub(crate) type SerializedCredential = trussed::types::Message;
 
-#[derive(Clone, Debug)]
-struct EncryptedSerializedCredential(pub trussed::api::reply::Encrypt);
+#[derive(Clone, Debug, DeserializeIndexed, SerializeIndexed)]
+struct EncryptedSerializedCredential {
+    ciphertext: Message,
+    nonce: ShortData,
+    tag: ShortData,
+}
+
+impl From<trussed::api::reply::Encrypt> for EncryptedSerializedCredential {
+    fn from(reply: trussed::api::reply::Encrypt) -> Self {
+        let trussed::api::reply::Encrypt {
+            ciphertext,
+            nonce,
+            tag,
+        } = reply;
+        Self {
+            ciphertext,
+            nonce,
+            tag,
+        }
+    }
+}
 
 impl TryFrom<EncryptedSerializedCredential> for CredentialId {
     type Error = Error;
 
     fn try_from(esc: EncryptedSerializedCredential) -> Result<CredentialId> {
         Ok(CredentialId(
-            trussed::cbor_serialize_bytes(&esc.0).map_err(|_| Error::Other)?,
+            trussed::cbor_serialize_bytes(&esc).map_err(|_| Error::Other)?,
         ))
     }
 }
@@ -83,9 +106,8 @@ impl TryFrom<CredentialId> for EncryptedSerializedCredential {
     type Error = Error;
 
     fn try_from(cid: CredentialId) -> Result<EncryptedSerializedCredential> {
-        let encrypted_serialized_credential = EncryptedSerializedCredential(
-            ctap_types::serde::cbor_deserialize(&cid.0).map_err(|_| Error::InvalidCredential)?,
-        );
+        let encrypted_serialized_credential =
+            ctap_types::serde::cbor_deserialize(&cid.0).map_err(|_| Error::InvalidCredential)?;
         Ok(encrypted_serialized_credential)
     }
 }
@@ -144,10 +166,10 @@ impl Credential {
 
         let serialized = try_syscall!(authnr.trussed.decrypt_chacha8poly1305(
             kek,
-            &encrypted_serialized.0.ciphertext,
+            &encrypted_serialized.ciphertext,
             &rp_id_hash[..],
-            &encrypted_serialized.0.nonce,
-            &encrypted_serialized.0.tag,
+            &encrypted_serialized.nonce,
+            &encrypted_serialized.tag,
         ))
         .map_err(|_| Error::InvalidCredential)?
         .plaintext
@@ -990,10 +1012,10 @@ mod test {
                     EncryptedSerializedCredential::try_from(credential_id).unwrap();
                 let serialized = syscall!(client.decrypt_chacha8poly1305(
                     kek,
-                    &encrypted_serialized.0.ciphertext,
+                    &encrypted_serialized.ciphertext,
                     &rp_id_hash,
-                    &encrypted_serialized.0.nonce,
-                    &encrypted_serialized.0.tag,
+                    &encrypted_serialized.nonce,
+                    &encrypted_serialized.tag,
                 ))
                 .plaintext
                 .unwrap();