diff --git a/lib/EAPBase/include/Module.h b/lib/EAPBase/include/Module.h
index 9ac6a92..43d45e2 100644
--- a/lib/EAPBase/include/Module.h
+++ b/lib/EAPBase/include/Module.h
@@ -530,15 +530,45 @@ namespace eap
         /// @{
 
         ///
-        /// Unencrypts and unpacks the BLOB
+        /// Decrypts a BLOB
+        ///
+        /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted; otherwise, it is copied only.
         ///
-        /// \param[inout] record        Object to unpack to
         /// \param[in   ] pDataIn       Pointer to encrypted BLOB
         /// \param[in   ] dwDataInSize  Size of \p pDataIn
         ///
+        /// \returns Encrypted BLOB
+        ///
+        sanitizing_blob unpack(
+            _In_count_(dwDataInSize) const BYTE  *pDataIn,
+            _In_                           DWORD dwDataInSize)
+        {
+#if EAP_ENCRYPT_BLOBS
+            // Prepare cryptographics provider.
+            winstd::crypt_prov cp;
+            if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+                throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed.");
+
+            // Decrypt data.
+            return std::move(decrypt_md5<unsigned char, winstd::sanitizing_allocator<unsigned char> >(cp, pDataIn, dwDataInSize));
+#else
+            return sanitizing_blob(pDataIn, pDataIn + dwDataInSize);
+#endif
+        }
+
+
+        ///
+        /// Decrypts and unpacks the BLOB
+        ///
+        /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is decrypted and unpacked to the \p record; otherwise, it is unpacked to the \p record only.
+        ///
+        /// \param[out] record        Object to unpack to
+        /// \param[in ] pDataIn       Pointer to encrypted BLOB
+        /// \param[in ] dwDataInSize  Size of \p pDataIn
+        ///
         template<class T>
         void unpack(
-            _Inout_                        T     &record,
+            _Out_                          T     &record,
             _In_count_(dwDataInSize) const BYTE  *pDataIn,
             _In_                           DWORD dwDataInSize)
         {
@@ -560,9 +590,49 @@ namespace eap
         }
 
 
+        ///
+        /// Encrypts a BLOB
+        ///
+        /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the BLOB is encrypted; otherwise, it is copied only.
+        ///
+        /// \param[in ] data            BLOB to encrypt
+        /// \param[out] ppDataOut       Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`.
+        /// \param[out] pdwDataOutSize  Pointer to \p ppDataOut size
+        ///
+        void pack(
+            _In_  const sanitizing_blob &data,
+            _Out_       BYTE            **ppDataOut,
+            _Out_       DWORD           *pdwDataOutSize)
+        {
+            assert(ppDataOut);
+            assert(pdwDataOutSize);
+
+#if EAP_ENCRYPT_BLOBS
+            // Prepare cryptographics provider.
+            winstd::crypt_prov cp;
+            if (!cp.create(NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+                throw winstd::win_runtime_error(__FUNCTION__ " CryptAcquireContext failed.");
+
+            // Encrypt BLOB.
+            std::vector<unsigned char> data_enc(std::move(encrypt_md5(cp, data.data(), data.size())));
+
+            // Copy encrypted BLOB to output.
+            *pdwDataOutSize = (DWORD)data_enc.size();
+            *ppDataOut = alloc_memory(*pdwDataOutSize);
+            memcpy(*ppDataOut, data_enc.data(), *pdwDataOutSize);
+#else
+            // Allocate and copy BLOB.
+            *pdwDataOutSize = (DWORD)data.size();
+            memcpy(*ppDataOut = alloc_memory(*pdwDataOutSize), data.data(), *pdwDataOutSize);
+#endif
+        }
+
+
         ///
         /// Packs and encrypts to the BLOB
         ///
+        /// \note When EAP_ENCRYPT_BLOBS is defined non-zero, the \p record is packed and encrypted; otherwise, it is packed to an unencrypted BLOB only.
+        ///
         /// \param[in ] record          Object to pack
         /// \param[out] ppDataOut       Pointer to pointer to receive encrypted BLOB. Pointer must be freed using `module::free_memory()`.
         /// \param[out] pdwDataOutSize  Pointer to \p ppDataOut size
diff --git a/lib/TTLS/src/Method.cpp b/lib/TTLS/src/Method.cpp
index 99bd356..42bafb7 100644
--- a/lib/TTLS/src/Method.cpp
+++ b/lib/TTLS/src/Method.cpp
@@ -661,7 +661,7 @@ EapPeerMethodResponseAction eap::method_ttls::process_request_packet(
                     // No extra initial data for inner authentication avaliable.
                     action = method_tunnel::process_request_packet(NULL, 0);
                 } else {
-                    // Authenticator sent some data for inner authentication. Unencrypt it.
+                    // Authenticator sent some data for inner authentication. Decrypt it.
 
                     // Decrypt the message.
                     SecBuffer buf[] = {
@@ -722,7 +722,7 @@ EapPeerMethodResponseAction eap::method_ttls::process_request_packet(
             // No extra data for inner authentication.
             return method_tunnel::process_request_packet(NULL, 0);
         } else {
-            // Authenticator sent data for inner authentication. Unencrypt it.
+            // Authenticator sent data for inner authentication. Decrypt it.
 
             // Decrypt the message.
             SecBuffer buf[] = {