diff --git a/lib/krb5/mk_priv.c b/lib/krb5/mk_priv.c
index 1b1600312..5174f3cc1 100644
--- a/lib/krb5/mk_priv.c
+++ b/lib/krb5/mk_priv.c
@@ -66,7 +66,7 @@ krb5_mk_priv(krb5_context context,
   else if (auth_context->remote_subkey.keytype)
       key = &auth_context->remote_subkey;
   else
-      key = &auth_context->key;
+      key = auth_context->keyblock;
 
   if (auth_context->enctype)
       enctype = auth_context->enctype;
diff --git a/lib/krb5/mk_rep.c b/lib/krb5/mk_rep.c
index e8f17c6d9..091ed97b8 100644
--- a/lib/krb5/mk_rep.c
+++ b/lib/krb5/mk_rep.c
@@ -59,19 +59,19 @@ krb5_mk_rep(krb5_context context,
   body.subkey = NULL;
   if ((*auth_context)->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
     krb5_generate_seq_number (context,
-			      &(*auth_context)->key,
+			      (*auth_context)->keyblock,
 			      &(*auth_context)->local_seqnumber);
     body.seq_number = malloc (sizeof(*body.seq_number));
     *(body.seq_number) = (*auth_context)->local_seqnumber;
   } else
     body.seq_number = NULL;
 
-  ap.enc_part.etype = (*auth_context)->key.keytype;
+  ap.enc_part.etype = (*auth_context)->keyblock->keytype;
   ap.enc_part.kvno  = NULL;
   encode_EncAPRepPart (buf + sizeof(buf) - 1, sizeof(buf), &body, &len);
   ret = krb5_encrypt (context, buf + sizeof(buf) - len, len,
 		      ap.enc_part.etype,
-		      &(*auth_context)->key, &ap.enc_part.cipher);
+		      (*auth_context)->keyblock, &ap.enc_part.cipher);
   if (ret)
     return ret;
 
diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c
index 8316f86bf..0d974615d 100644
--- a/lib/krb5/mk_req_ext.c
+++ b/lib/krb5/mk_req_ext.c
@@ -66,21 +66,20 @@ krb5_mk_req_extended(krb5_context context,
   if(r)
       return r;
       
-  free_EncryptionKey (&ac->key);
-  copy_EncryptionKey (&in_creds->session,
-		      &ac->key);
-
+  krb5_free_keyblock(context, ac->keyblock);
+  krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
+  
   if (ac->cksumtype)
       cksumtype = ac->cksumtype;
   else
-      krb5_keytype_to_cksumtype (context, ac->key.keytype, &cksumtype);
+      krb5_keytype_to_cksumtype (context, ac->keyblock->keytype, &cksumtype);
 
   if (in_data) {
       r = krb5_create_checksum (context,
 				cksumtype,
 				in_data->data,
 				in_data->length,
-				&ac->key,
+				ac->keyblock,
 				&c);
       c_opt = &c;
   } else {
diff --git a/lib/krb5/mk_safe.c b/lib/krb5/mk_safe.c
index 24cc38a9c..45a186056 100644
--- a/lib/krb5/mk_safe.c
+++ b/lib/krb5/mk_safe.c
@@ -61,7 +61,7 @@ krb5_mk_safe(krb5_context context,
       cksumtype = auth_context->cksumtype;
   else {
       r = krb5_keytype_to_cksumtype (context,
-				     auth_context->key.keytype,
+				     auth_context->keyblock->keytype,
 				     &cksumtype);
       if (r)
 	  return r;
@@ -102,7 +102,7 @@ krb5_mk_safe(krb5_context context,
 			    cksumtype,
 			    buf + sizeof(buf) - len,
 			    len,
-			    &auth_context->key,
+			    auth_context->keyblock,
 			    &s.cksum);
   if (r)
     return r;
diff --git a/lib/krb5/rd_priv.c b/lib/krb5/rd_priv.c
index 54ae6724c..fb40c3185 100644
--- a/lib/krb5/rd_priv.c
+++ b/lib/krb5/rd_priv.c
@@ -73,7 +73,7 @@ krb5_rd_priv(krb5_context context,
   else if (auth_context->remote_subkey.keytype)
       key = &auth_context->remote_subkey;
   else
-      key = &auth_context->key;
+      key = auth_context->keyblock;
 
   r = krb5_decrypt (context,
 		    priv.enc_part.cipher.data,
diff --git a/lib/krb5/rd_rep.c b/lib/krb5/rd_rep.c
index 54cc9fda4..70a52f9e8 100644
--- a/lib/krb5/rd_rep.c
+++ b/lib/krb5/rd_rep.c
@@ -70,7 +70,7 @@ krb5_rd_rep(krb5_context context,
 		      ap_rep.enc_part.cipher.data,
 		      ap_rep.enc_part.cipher.length,
 		      ap_rep.enc_part.etype,
-		      &auth_context->key,
+		      auth_context->keyblock,
 		      &data);
   if (ret)
       goto out;
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 2ba47bb6e..4941ec01a 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -169,12 +169,12 @@ krb5_verify_ap_req(krb5_context context,
     }else
 	krb5_auth_con_init(context, &ac);
 	
-    if (ap_req->ap_options.use_session_key && auth_context->keyblock){
+    if (ap_req->ap_options.use_session_key && ac->keyblock){
 	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
-				  auth_context->keyblock, 
+				  ac->keyblock, 
 				  &t.ticket);
-	krb5_free_keyblock(context, auth_context->keyblock);
-	auth_context->keyblock = NULL;
+	krb5_free_keyblock(context, ac->keyblock);
+	ac->keyblock = NULL;
     }else
 	ret = krb5_decrypt_ticket(context, &ap_req->ticket, 
 				  keyblock, 
@@ -192,7 +192,7 @@ krb5_verify_ap_req(krb5_context context,
 
     /* save key */
 
-    copy_EncryptionKey(&t.ticket.key, &ac->key);
+    krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock);
 
     ret = decrypt_authenticator (context,
 				 &t.ticket.key,
diff --git a/lib/krb5/rd_safe.c b/lib/krb5/rd_safe.c
index 693773cea..3515c4c89 100644
--- a/lib/krb5/rd_safe.c
+++ b/lib/krb5/rd_safe.c
@@ -133,7 +133,7 @@ krb5_rd_safe(krb5_context context,
       r = krb5_verify_checksum (context,
 				buf + sizeof(buf) - len,
 				len,
-				&auth_context->key,
+				auth_context->keyblock,
 				&c);
       free_Checksum (&c);
       if (r)