diff --git a/tpm2/platform_test.go b/tpm2/platform_test.go
index aa1493b7..0384e686 100644
--- a/tpm2/platform_test.go
+++ b/tpm2/platform_test.go
@@ -109,6 +109,27 @@ func (s *platformSuite) TestRecoverKeysWithPassphraseIntegrated(c *C) {
 	c.Check(primaryKeyUnsealed, DeepEquals, primaryKey)
 }
 
+func (s *platformSuite) TestRecoverKeysWithPassphraseIntegratedPBKDF2(c *C) {
+	params := &ProtectKeyParams{
+		PCRProfile: tpm2test.NewPCRProfileFromCurrentValues(tpm2.HashAlgorithmSHA256, []int{7}),
+		PCRPolicyCounterHandle: s.NextAvailableHandle(c, 0x0181fff0),
+		Role: "",
+	}
+
+	passphraseParams := &PassphraseProtectKeyParams{
+		ProtectKeyParams: *params,
+		KDFOptions: new(secboot.PBKDF2Options),
+	}
+
+	k, primaryKey, unlockKey, err := NewTPMPassphraseProtectedKey(s.TPM(), passphraseParams, "passphrase")
+	c.Assert(err, IsNil)
+
+	unlockKeyUnsealed, primaryKeyUnsealed, err := k.RecoverKeysWithPassphrase("passphrase")
+	c.Check(err, IsNil)
+	c.Check(unlockKeyUnsealed, DeepEquals, unlockKey)
+	c.Check(primaryKeyUnsealed, DeepEquals, primaryKey)
+}
+
 func (s *platformSuite) TestRecoverKeysWithBadPassphraseIntegrated(c *C) {
 	key := make(secboot.DiskUnlockKey, 32)
 	rand.Read(key)
diff --git a/tpm2/seal.go b/tpm2/seal.go
index 9419df7c..b107166d 100644
--- a/tpm2/seal.go
+++ b/tpm2/seal.go
@@ -64,7 +64,7 @@ type ProtectKeyParams struct {
 
 type PassphraseProtectKeyParams struct {
 	ProtectKeyParams
-	KDFOptions *secboot.Argon2Options
+	KDFOptions secboot.KDFOptions
 }
 
 type keyDataConstructor func(skd *SealedKeyData, role string, encryptedPayload []byte, kdfAlg crypto.Hash) (*secboot.KeyData, error)
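Review bot: The new test asserts only that the seal/recover round trip succeeds, so it would still pass if `KDFOptions: new(secboot.PBKDF2Options)` were silently ignored and the key data ended up Argon2-protected; nothing in the hunk pins which KDF was actually used. If the resulting key data exposes its KDF parameters, a check on them (or at least that they differ from what the Argon2 case directly above produces) would make this test cover the change rather than just the existing path. The zero-value options also leave iteration count and hash to whatever the package defaults are, so a second case with explicit PBKDF2 values would exercise the parameter plumbing. The body is otherwise a line-for-line copy of TestRecoverKeysWithPassphraseIntegrated; a shared helper taking the KDFOptions would keep the two in step.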
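Review bot: Changing KDFOptions from `*secboot.Argon2Options` to the `secboot.KDFOptions` interface means a typed nil no longer compares equal to nil: a caller that still passes a nil `*secboot.Argon2Options` variable now produces a non-nil interface holding a nil pointer, so any `kdfOptions == nil` default-selection downstream would be skipped and methods would be invoked on a nil receiver. The same applies to the `kdfOptions secboot.KDFOptions` parameter of makeKeyDataWithPassphraseConstructor in the second seal.go hunk; it is worth confirming every caller in the tree passes either a literal nil or a non-nil concrete value. The field also has no doc comment, while the surrounding exported type presumably does; something like `// KDFOptions selects and configures the KDF used to derive the key from the passphrase (eg, *secboot.Argon2Options or *secboot.PBKDF2Options).` would help, with a sentence on what nil means once that behaviour is confirmed against the constructor.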
@@ -79,7 +79,7 @@ func makeKeyDataNoAuth(skd *SealedKeyData, role string, encryptedPayload []byte,
 	})
 }
 
-func makeKeyDataWithPassphraseConstructor(kdfOptions *secboot.Argon2Options, passphrase string) keyDataConstructor {
+func makeKeyDataWithPassphraseConstructor(kdfOptions secboot.KDFOptions, passphrase string) keyDataConstructor {
 	return func(skd *SealedKeyData, role string, encryptedPayload []byte, kdfAlg crypto.Hash) (*secboot.KeyData, error) {
 		return secbootNewKeyDataWithPassphrase(&secboot.KeyWithPassphraseParams{
 			KeyParams: secboot.KeyParams{