A symmetric key will be generated by the controller module. This symmetric key will be used for both encryption and decryption. The configuration blob will contain a symmetric key attribute field, to store this symmetric key.
While preparing the configuration blob, the controller will use this symmetric key will be used to encrypt the sensitive information. In turn,the controller will use, the EVE node device certificate to encrypt the symmetric key.
On EVE node, the agents will also pass the encrypted symmetric key along with the encrypted sensitive information, while calling decryption method API. The symmetric key will be decrypted first, using the device private key stored inside TPM module. In turn, the decrypted symmetric key will be used to decrypt the sensitive information.