diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c
index 34e85008..d012f7d3 100644
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@@ -221,13 +221,14 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     }
 
     if (endorseKey) {
-        /* endorsement is always RSA */
+        /* endorsement key (EK) */
         rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
         endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */
         pubFilename = ekPubFile;
         primary = &endorse;
     }
     else {
+        /* storage root key (SRK) */
         rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
         pubFilename = srkPubFile;
         primary = &storage;
diff --git a/examples/keygen/keyload.c b/examples/keygen/keyload.c
index d026b7cc..835383ec 100644
--- a/examples/keygen/keyload.c
+++ b/examples/keygen/keyload.c
@@ -138,13 +138,14 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     printf("Loading %s key\n", TPM2_GetAlgName(alg));
 
     if (endorseKey) {
-        /* endorsement is always RSA */
+        /* endorsement key (EK) */
         rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
         if (rc != 0) goto exit;
         endorse.handle.policyAuth = 1;
         primary = &endorse;
     }
     else {
+        /* storage root key (SRK) */
         rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
         if (rc != 0) goto exit;
         primary = &storage;
diff --git a/src/tpm2_param_enc.c b/src/tpm2_param_enc.c
index 89cb8cd7..8690c1cc 100644
--- a/src/tpm2_param_enc.c
+++ b/src/tpm2_param_enc.c
@@ -299,7 +299,8 @@ static int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn,
     /* Perform AES CFB Encryption */
     rc = wc_AesInit(&enc, NULL, INVALID_DEVID);
     if (rc == 0) {
-        rc = wc_AesSetKey(&enc, symKey, symKeySz, &symKey[symKeySz], AES_ENCRYPTION);
+        rc = wc_AesSetKey(&enc, symKey, symKeySz, &symKey[symKeySz],
+            AES_ENCRYPTION);
         if (rc == 0) {
             rc = wc_AesCfbEncrypt(&enc, paramData, paramData, paramSz);
         }
@@ -315,7 +316,7 @@ static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn,
     UINT32 paramSz)
 {
     int rc = TPM_RC_FAILURE;
-    BYTE symKey[32 + 16];	/* AES key 128-bit + IV (block size) */
+    BYTE symKey[32 + 16];    /* AES key 128-bit + IV (block size) */
     int symKeySz = session->symmetric.keyBits.aes / 8;
     const int symKeyIvSz = 16;
     Aes dec;
@@ -344,7 +345,8 @@ static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn,
     /* Perform AES CFB Decryption */
     rc = wc_AesInit(&dec, NULL, INVALID_DEVID);
     if (rc == 0) {
-        rc = wc_AesSetKey(&dec, symKey, symKeySz, &symKey[symKeySz], AES_ENCRYPTION);
+        rc = wc_AesSetKey(&dec, symKey, symKeySz, &symKey[symKeySz],
+            AES_ENCRYPTION);
         if (rc == 0) {
             rc = wc_AesCfbDecrypt(&dec, paramData, paramData, paramSz);
         }
@@ -392,21 +394,21 @@ int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode,
         if (rc == 0 && name1 && name1->size > 0) {
         #ifdef WOLFTPM_DEBUG_VERBOSE
             printf("Name 0: %d\n", name1->size);
-    		TPM2_PrintBin(name1->name, name1->size);
+            TPM2_PrintBin(name1->name, name1->size);
         #endif
             rc = wc_HashUpdate(&hash_ctx, hashType, name1->name, name1->size);
         }
         if (rc == 0 && name2 && name2->size > 0) {
         #ifdef WOLFTPM_DEBUG_VERBOSE
             printf("Name 1: %d\n", name2->size);
-    		TPM2_PrintBin(name2->name, name2->size);
+            TPM2_PrintBin(name2->name, name2->size);
         #endif
             rc = wc_HashUpdate(&hash_ctx, hashType, name2->name, name2->size);
         }
         if (rc == 0 && name3 && name3->size > 0) {
         #ifdef WOLFTPM_DEBUG_VERBOSE
             printf("Name 2: %d\n", name3->size);
-    		TPM2_PrintBin(name3->name, name3->size);
+            TPM2_PrintBin(name3->name, name3->size);
         #endif
             rc = wc_HashUpdate(&hash_ctx, hashType, name3->name, name3->size);
         }
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 18e24871..969e1973 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -2127,11 +2127,11 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     int integritySz = 0;
     int ivSz = 0;
     int sensSz = 0;
-    BYTE* sensitiveData = NULL;
-    TPM2B_SYM_KEY symKey;
     TPM2B_IV ivField;
     TPM2_Packet packet;
 #ifdef WOLFTPM2_PRIVATE_IMPORT
+    BYTE* sensitiveData = NULL;
+    TPM2B_SYM_KEY symKey;
     TPM2B_DIGEST hmacKey;
     Aes enc;
     Hmac hmac_ctx;
@@ -2144,12 +2144,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     /* if using a parent then use it's integrity algorithm */
     if (parentKey != NULL) {
         nameAlg = parentKey->pub.publicArea.nameAlg;
-        symKey.size = parentKey->handle.symmetric.keyBits.sym;
     }
-    else {
-        symKey.size = sym->keyBits.sym;
-    }
-
     digestSz = TPM2_GetHashDigestSize(nameAlg);
     if (digestSz == 0) {
     #ifdef DEBUG_WOLFTPM
@@ -2188,9 +2183,23 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     TPM2_Packet_AppendSensitive(&packet, sens);
     sensSz = packet.pos;
     priv->size = integritySz + ivSz + sensSz;
+    sensSz = ivSz + sensSz;
 
+#ifdef WOLFTPM2_PRIVATE_IMPORT
     sensitiveData = &priv->buffer[integritySz];
-    sensSz = ivSz + sensSz;
+    if (parentKey != NULL) {
+        symKey.size = parentKey->handle.symmetric.keyBits.sym;
+    }
+    else {
+        symKey.size = sym->keyBits.sym;
+    }
+    /* convert from bit to byte and round up */
+    symKey.size = (symKey.size + 7) / 8;
+    /* check for invalid value */
+    if (symKey.size > sizeof(symKey.buffer)) {
+        return BUFFER_E;
+    }
+#endif
 
     if (innerWrap) {
         /* TODO: Inner wrap support */
@@ -2199,7 +2208,6 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     if (outerWrap) {
     #ifdef WOLFTPM2_PRIVATE_IMPORT
         /* Generate symmetric key for encryption of inner values */
-        symKey.size = (symKey.size + 7) / 8; /* convert to byte and round up */
         rc = TPM2_KDFa(nameAlg, symSeed, "STORAGE", (TPM2B_NONCE*)name,
             NULL, symKey.buffer, symKey.size);
         if (rc != symKey.size) {
@@ -2213,7 +2221,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
         rc = wc_AesInit(&enc, NULL, INVALID_DEVID);
         if (rc == 0) {
             rc = wc_AesSetKey(&enc, symKey.buffer, symKey.size,
-                ivField.size == 0 ? NULL : ivField.buffer, AES_ENCRYPTION);
+                ivField.buffer, AES_ENCRYPTION);
             if (rc == 0) {
                 /* use inline encryption for both IV and sensitive */
                 rc = wc_AesCfbEncrypt(&enc, sensitiveData, sensitiveData,
@@ -2270,9 +2278,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
         digestSz = TPM2_Packet_SwapU16(digestSz);
         XMEMCPY(&priv->buffer[0], &digestSz, sizeof(word16));
     #else
-        (void)sensitiveData;
         (void)name;
-        (void)symKey;
         (void)sensSz;
         rc = NOT_COMPILED_IN;
     #endif
@@ -5258,7 +5264,7 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
         return BUFFER_E;
     }
 
-    hashAlg = (keySz == 32) ? TPM_ALG_SHA256 : TPM_ALG_SHA1;
+    hashAlg = WOLFTPM2_WRAP_DIGEST;
     hashAlgDigSz = TPM2_GetHashDigestSize(hashAlg);
 
     /* Setup load command */