diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs index c652cbc5..1341abd4 100644 --- a/src/api2/config/tape_encryption_keys.rs +++ b/src/api2/config/tape_encryption_keys.rs @@ -30,6 +30,7 @@ use crate::{ TapeKeyMetadata, }, backup::{ + Kdf, Fingerprint, }, tools::format::as_fingerprint, @@ -71,6 +72,10 @@ pub fn list_keys( protected: true, input: { properties: { + kdf: { + type: Kdf, + optional: true, + }, password: { description: "A secret password.", min_length: 5, @@ -86,12 +91,19 @@ pub fn list_keys( )] /// Create a new encryption key pub fn create_key( + kdf: Option, password: String, hint: String, _rpcenv: &mut dyn RpcEnvironment ) -> Result { - let (key, mut key_config) = generate_tape_encryption_key(password.as_bytes())?; + let kdf = kdf.unwrap_or_default(); + + if let Kdf::None = kdf { + bail!("Please specify a key derivation funktion (none is not allowed here)."); + } + + let (key, mut key_config) = generate_tape_encryption_key(password.as_bytes(), kdf)?; key_config.hint = Some(hint); let fingerprint = key_config.fingerprint.clone().unwrap(); diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs index 9f913648..e54e565f 100644 --- a/src/bin/proxmox_tape/encryption_key.rs +++ b/src/bin/proxmox_tape/encryption_key.rs @@ -19,6 +19,7 @@ use proxmox_backup::{ DRIVE_NAME_SCHEMA, }, }, + backup::Kdf, config::tape_encryption_keys::complete_key_fingerprint, }; @@ -83,6 +84,10 @@ async fn restore_key( #[api( input: { properties: { + kdf: { + type: Kdf, + optional: true, + }, hint: { description: "Password restore hint.", type: String, diff --git a/src/config/tape_encryption_keys.rs b/src/config/tape_encryption_keys.rs index 42906fc2..7c1a8460 100644 --- a/src/config/tape_encryption_keys.rs +++ b/src/config/tape_encryption_keys.rs 
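Review bot: In `create_key` (third hunk of src/api2/config/tape_encryption_keys.rs) an omitted `kdf` now resolves through `kdf.unwrap_or_default()`, so the strength of the password protection on a new tape key depends on `Kdf`'s `Default` impl, which this diff does not show; before the change the value was pinned to `Kdf::Scrypt`. Keeping it explicit with `let kdf = kdf.unwrap_or(Kdf::Scrypt);` means a later change to the default cannot silently weaken newly created keys. The `Kdf::None` rejection is the right guard, but its message has a typo; suggest `bail!("Please specify a key derivation function (none is not allowed here).");`. The schema in the second hunk still accepts every `Kdf` value, so a short comment above the check such as `// tape keys must always be password-protected, so Kdf::None is refused` would explain why one value fails at runtime. The function body continues past the end of the hunk.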
@@ -57,8 +57,8 @@ pub fn compute_tape_key_fingerprint(key: &[u8; 32]) -> Result Result<([u8; 32], KeyConfig), Error> { - let (key, mut key_config) = KeyConfig::new(password, Kdf::Scrypt)?; +pub fn generate_tape_encryption_key(password: &[u8], kdf: Kdf) -> Result<([u8; 32], KeyConfig), Error> { + let (key, mut key_config) = KeyConfig::new(password, kdf)?; key_config.fingerprint = Some(compute_tape_key_fingerprint(&key)?); Ok((key, key_config)) }
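Review bot: `generate_tape_encryption_key` now forwards any caller-supplied `kdf` straight to `KeyConfig::new`, while the `Kdf::None` rejection lives only in the API handler `create_key`, so any other caller of this public function can still request `Kdf::None`. `KeyConfig::new` is not shown here, so it is unclear whether it refuses that value itself. Putting the guard in this function covers every caller, for example `if let Kdf::None = kdf { bail!("tape encryption keys require a key derivation function"); }` as the first statement (assuming `bail!` is in scope in this file). A doc comment stating that the returned `KeyConfig` is always password-protected, and which `kdf` values are accepted, would make that contract visible. Part of this hunk's context was lost in extraction, so the note covers only the two changed lines.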