diff --git a/app/controllers/idv/confirmations_controller.rb b/app/controllers/idv/confirmations_controller.rb
index dcf73294729..91e46090ae9 100644
--- a/app/controllers/idv/confirmations_controller.rb
+++ b/app/controllers/idv/confirmations_controller.rb
@@ -21,10 +21,16 @@ def update
end
def download
- code = personal_key
+ personal_key = user_session[:personal_key]
- analytics.track_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: code.present?)
- send_data "#{code}\r\n", filename: 'personal_key.txt'
+ analytics.track_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: personal_key.present?)
+
+ if personal_key.present?
+ data = personal_key + "\r\n"
+ send_data data, filename: 'personal_key.txt'
+ else
+ head :bad_request
+ end
end
private
@@ -67,6 +73,8 @@ def add_proofing_component
def finish_idv_session
@code = personal_key
+ user_session[:personal_key] = @code
+ idv_session.personal_key = nil
if idv_session.address_verification_mechanism == 'gpo'
flash.now[:success] = t('idv.messages.mail_sent')
@@ -77,7 +85,7 @@ def finish_idv_session
end
def personal_key
- user_session[:personal_key] ||= generate_personal_key
+ idv_session.personal_key || generate_personal_key
end
def generate_personal_key
diff --git a/app/services/idv/session.rb b/app/services/idv/session.rb
index 461607ad031..81e963e04bc 100644
--- a/app/services/idv/session.rb
+++ b/app/services/idv/session.rb
@@ -14,6 +14,7 @@ class Session
profile_confirmation
profile_id
profile_step_params
+ personal_key
resolution_successful
].freeze
@@ -50,6 +51,7 @@ def create_profile_from_applicant_with_password(user_password)
profile = profile_maker.save_profile
self.pii = profile_maker.pii_attributes
self.profile_id = profile.id
+ self.personal_key = profile.personal_key
end
def cache_encrypted_pii(password)
diff --git a/spec/controllers/idv/confirmations_controller_spec.rb b/spec/controllers/idv/confirmations_controller_spec.rb
index 319bf2cbe90..0a55d19f993
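Review bot: `download` reads the recovery key from `user_session[:personal_key]` but nothing in this hunk removes it once the file has been served, so the secret that decrypts the profile's PII stays in the session store for as long as the session lives. If the flow does not need a second download, drop it on the way out, `send_data data, filename: 'personal_key.txt'` followed by `user_session.delete(:personal_key)`; if it does, clear it at the step where the user confirms the key was saved. I can't see from this diff whether a later controller already clears it, so treat this as a check rather than a confirmed gap.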
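Review bot: `idv_session.personal_key = nil` in `finish_idv_session` combines badly with the `personal_key` helper changed in the next hunk, which now reads `idv_session.personal_key || generate_personal_key` with no memoisation: a second render of the page (a refresh of `show`) finds nothing in `idv_session` and falls through to `generate_personal_key`. If that helper mints and re-encrypts a fresh key (its body is below the hunk, so I can't confirm), the key the user already saw or downloaded silently stops working and the analytics `success:` flag will not reveal it. The copy this hunk puts in the session should be the fallback before minting, e.g. `idv_session.personal_key || user_session[:personal_key] || generate_personal_key` in `personal_key`. The rest of `finish_idv_session` continues outside the hunk.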
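Review bot: `personal_key` joins `Idv::Session`'s attribute list with no hint that, unlike the ids and flags around it, it is a secret that recovers the encrypted PII, so the next person extending this class has no reason to treat it differently. A one-line comment beside the entry would carry that: `# personal_key: recovery secret for the new profile; read once by Idv::ConfirmationsController, which clears it`. That second clause is taken from the controller change in this commit, so adjust it if the controller wording changes.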
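Review bot: `self.personal_key = profile.personal_key` parks the profile's recovery key in IdV session state next to the profile id, so anything that can read that state between this call and the confirmations page can recover the freshly encrypted PII. The controller change in this commit nils the attribute after copying it out, but nothing here covers the abandoned-flow case where the user never reaches confirmations; if `Idv::Session` has a clear or reset path, make sure `personal_key` is part of it. Where this state is persisted (server-side session or something else) is not visible in the diff, so verify that before deciding how much this matters.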
--- a/spec/controllers/idv/confirmations_controller_spec.rb +++ b/spec/controllers/idv/confirmations_controller_spec.rb @@ -2,6 +2,7 @@ describe Idv::ConfirmationsController do include SamlAuthHelper + include PersonalKeyValidator def stub_idv_session stub_sign_in(user) @@ -21,7 +22,7 @@ def stub_idv_session profile = profile_maker.save_profile idv_session.pii = profile_maker.pii_attributes idv_session.profile_id = profile.id - subject.user_session[:personal_key] = profile.personal_key + idv_session.personal_key = profile.personal_key allow(subject).to receive(:idv_session).and_return(idv_session) end @@ -95,13 +96,21 @@ def index it 'sets code instance variable' do subject.idv_session.create_profile_from_applicant_with_password(password) - code = subject.user_session[:personal_key] + code = subject.idv_session.personal_key get :show expect(assigns(:code)).to eq(code) end + it 'can decrypt the profile with the code' do + get :show + + code = assigns(:code) + + expect(user.profiles.first.recover_pii(normalize_personal_key(code))).to be + end + it 'sets flash[:allow_confirmations_continue] to true' do get :show @@ -226,7 +235,7 @@ def index it 'allows download of code' do subject.idv_session.create_profile_from_applicant_with_password(password) - code = subject.user_session[:personal_key] + code = subject.idv_session.personal_key get :show get :download 
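Review bot: The new `can decrypt the profile with the code` example proves the displayed key decrypts the profile, but no example asserts the security-relevant half of the controller change — that `idv_session.personal_key` is nil after `get :show` and the key has moved to `subject.user_session[:personal_key]`. Without it, a regression that leaves the recovery key in `idv_session` passes unnoticed. Add after `get :show`: `expect(subject.idv_session.personal_key).to be_nil` and `expect(subject.user_session[:personal_key]).to eq(code)`. The enclosing `describe` block continues past the hunk.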
@@ -236,25 +245,20 @@ def index
expect(@analytics).to have_logged_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: true)
end
- it 'can be called separately from #show' do
+ it 'recovers pii with the code' do
+ get :show
get :download
- expect(response).to be_ok
+ code = response.body.chomp
- code = subject.user_session[:personal_key]
- expect(response.body).to eq(code + "\r\n")
+ expect(user.profiles.first.recover_pii(normalize_personal_key(code))).to be
end
- it 'can be called out of order and have the same code as #show' do
- subject.user_session[:personal_key] = nil
-
- expect { get :download }.to change { subject.user_session[:personal_key] }.from(nil)
-
- expect(response).to be_ok
- code = response.body.chomp
+ it 'is a bad request when there is no personal_key in the session' do
+ get :download
- get :show
- expect(assigns(:code)).to eq(code)
+ expect(response).to be_bad_request
+ expect(@analytics).to have_logged_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: false)
end
end
end
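Review bot: Removing `can be called out of order and have the same code as #show` drops the only example that rendered the key twice, and nothing replaces it; with `idv_session.personal_key` cleared after the first `show` and `personal_key` now falling through to `generate_personal_key`, a second `get :show` may hand out a different key from the one just downloaded. An example that calls `get :show`, then `get :download`, then `get :show` again and asserts `assigns(:code)` equals `response.body.chomp` from the download would pin that down, or a comment should state the single-render assumption. Whether `generate_personal_key` actually rotates the key is not visible here, so confirm before choosing which of the two to write.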