A symmetric key will be generated by the EVE controller module. This symmetric key will be used for both encryption and decryption. The configuration blob will contain a symmetric key attribute field, to store this symmetric key.
While preparing the configuration blob, the EVE Controller will use this symmetric key, to encrypt the sensitive information. In turn, EVE controller will use, the EVE Node device certificate, to encrypt the symmetric key.
On EVE node, the agents will also pass the encrypted symmetric key along with the encrypted sensitive information, while calling decryption method API. The symmetric key will be decrypted first, using the device private key stored inside TPM module. In turn, the clear text symmetric key will be used to decrypt the sensitive information.