diff --git a/pkg/meta/meta.go b/pkg/meta/meta.go
index 9a48269..a08d97c 100644
--- a/pkg/meta/meta.go
+++ b/pkg/meta/meta.go
@@ -58,12 +58,12 @@ func (m *Meta) GetString(key string) (string, error) {
 // GetEncryptedString decorates GetString and decrypt its output with the given symmetric encryption key.
 func (m *Meta) GetEncryptedString(key string, encryptionKey []byte) (string, error) {
- v, err := m.GetString(key)
+ v, err := m.GetBytes(key)
 if err != nil {
 return "", err
 }
- decrypted, err := crypto.DecryptStringWithAESKey([]byte(v), encryptionKey)
+ decrypted, err := crypto.DecryptStringWithAESKey(v, encryptionKey)
 if err != nil {
 return "", err
 }
@@ -161,16 +161,16 @@ func (m *Meta) AddEncrypted(key string, val any, encryptionKey []byte) error {
 if err != nil {
 return err
 }
- return m.Add(key, string(encrypted))
 case []byte:
 encrypted, err = crypto.EncryptWithAESKey(val, encryptionKey)
 if err != nil {
 return err
 }
- return m.Add(key, encrypted)
 default:
 return ErrNotEncryptable
 }
+
+ return m.Add(key, encrypted)
 }
 // Equals tells if two Meta hold the same key/values.
diff --git a/pkg/meta/meta_test.go b/pkg/meta/meta_test.go
index 6ae2aca..2fbb176 100644
--- a/pkg/meta/meta_test.go
+++ b/pkg/meta/meta_test.go
@@ -34,9 +34,8 @@ func TestMeta_Add(t *testing.T) {
 err = m.AddEncrypted("secret", "hello world", key)
 require.NoError(t, err)
- encrypted, err := m.GetString("secret")
- require.NoError(t, err)
- require.NotEqual(t, "hello world", encrypted)
+ _, err = m.GetString("secret")
+ require.Error(t, err) // the ciphertext is saved as []byte instead of string
 decrypted, err := m.GetEncryptedString("secret", key)
 require.NoError(t, err)
diff --git a/token/delegation/delegation_test.go b/token/delegation/delegation_test.go
index 4059030..b49578c 100644
--- a/token/delegation/delegation_test.go
+++ b/token/delegation/delegation_test.go
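Review bot: Ciphertext written by the previous string path was stored with `m.Add(key, string(encrypted))` (the line removed in the AddEncrypted hunk), while `GetEncryptedString` now reads only through `m.GetBytes(key)`, so tokens sealed before this change will presumably return a type error here instead of decrypting. If such tokens can still be presented, either fall back to `m.GetString(key)` when `GetBytes` reports a type mismatch or record the format break in the release notes so callers can re-issue them. The doc comment is also stale and should read `// GetEncryptedString decorates GetBytes and decrypts its output with the given symmetric encryption key.` The function body continues past the end of this hunk.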
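Review bot: The stored-type change is undocumented at the new shared `return m.Add(key, encrypted)`, where the `string` and `[]byte` cases now both store the ciphertext as bytes and nothing in the stored value records which plaintext type was encrypted. I would add `// ciphertext is always stored as bytes, regardless of the plaintext type` above that return, and state in the AddEncrypted doc comment that `GetString` on an encrypted key now returns an error. The start of the function, including the declaration of `encrypted` and the `string` case header, is outside the hunk.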
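Review bot: The test no longer checks that the stored value differs from the plaintext, because the removed `require.NotEqual(t, "hello world", encrypted)` was the only assertion that the secret is not kept in the clear, and the new `require.Error(t, err)` passes on any error, not only a type mismatch. Reading the raw value back restores that check: `raw, err := m.GetBytes("secret")`, `require.NoError(t, err)`, `require.NotEqual(t, []byte("hello world"), raw)`. The same gap is in the `TestEncryptedMeta` hunk of token/delegation/delegation_test.go, where the raw bytes would be compared against `tt.value` (converted as its type requires). Both test functions start and end outside their hunks.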
@@ -183,10 +183,8 @@ func TestEncryptedMeta(t *testing.T) {
 decodedTkn, _, err := delegation.FromSealed(data)
 require.NoError(t, err)
- encrypted, err := decodedTkn.Meta().GetString(tt.key)
- require.NoError(t, err)
- // Verify the encrypted value is different from original
- require.NotEqual(t, tt.value, encrypted)
+ _, err = decodedTkn.Meta().GetString(tt.key)
+ require.Error(t, err)
 decrypted, err := decodedTkn.Meta().GetEncryptedString(tt.key, encryptionKey)
 require.NoError(t, err)