diff --git a/pkg/cloudencrypt/cached.go b/pkg/cloudencrypt/cached.go
index 0c6275e..c096c6e 100644
--- a/pkg/cloudencrypt/cached.go
+++ b/pkg/cloudencrypt/cached.go
@@ -5,6 +5,7 @@ import (
 "time"
 "github.com/dgraph-io/ristretto/v2"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/encode"
 )
 // CachedEncryptor wraps another Encryptor and adds a caching mechanism.
@@ -23,7 +24,7 @@ func NewCachedEncryptor(ctx context.Context, encryptor Encryptor, ttl time.Durat
 }
 func (encryptor *CachedEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
- key, err := encode(metadata)
+ key, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
@@ -41,7 +42,7 @@ func (encryptor *CachedEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 }
 func (encryptor *CachedEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
- key, err := encode(metadata)
+ key, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/cached_test.go b/pkg/cloudencrypt/cached_test.go
index fb03968..cbb12b4 100644
--- a/pkg/cloudencrypt/cached_test.go
+++ b/pkg/cloudencrypt/cached_test.go
@@ -8,6 +8,7 @@ import (
 "time"
 "github.com/dgraph-io/ristretto/v2"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/keboola/go-utils/pkg/wildcards"
 "github.com/stretchr/testify/assert"
 )
@@ -17,7 +18,7 @@ func TestCachedEncryptor(t *testing.T) {
 ctx := context.Background()
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 assert.NoError(t, err)
 nativeEncryptor, err := NewNativeEncryptor(secretKey)
diff --git a/pkg/cloudencrypt/dual.go b/pkg/cloudencrypt/dual.go
index ad80c7d..4eac7bb 100644
--- a/pkg/cloudencrypt/dual.go
+++ b/pkg/cloudencrypt/dual.go
@@ -2,6 +2,9 @@ package cloudencrypt
 import (
 "context"
+
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/encode"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 )
 const (
@@ -23,7 +26,7 @@ func NewDualEncryptor(ctx context.Context, encryptor Encryptor) (*DualEncryptor,
 func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
 // Generate a random secret key
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 if err != nil {
 return nil, err
 }
@@ -43,7 +46,7 @@ func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, m
 output[mapKeySecretKey] = encryptedSecretKey
 output[mapKeyCipherText] = ciphertext
- encoded, err := encode(output)
+ encoded, err := encode.Encode(output)
 if err != nil {
 return nil, err
 }
@@ -52,7 +55,7 @@ func (encryptor *DualEncryptor) Encrypt(ctx context.Context, plaintext []byte, m
 }
 func (encryptor *DualEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
- decoded, err := decode[map[string][]byte](ciphertext)
+ decoded, err := encode.Decode[map[string][]byte](ciphertext)
 if err != nil {
 return nil, err
 }
@@ -108,7 +111,3 @@ func nativeDecrypt(ctx context.Context, secretKey []byte, ciphertext []byte, met
 return plaintext, nil
 }
-
-func generateSecretKey() ([]byte, error) {
- return randomBytes(32)
-}
diff --git a/pkg/cloudencrypt/dual_test.go b/pkg/cloudencrypt/dual_test.go
index d365dc8..e8b0ce6 100644
--- a/pkg/cloudencrypt/dual_test.go
+++ b/pkg/cloudencrypt/dual_test.go
@@ -4,6 +4,7 @@ import (
 "context"
 "testing"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/stretchr/testify/assert"
 )
@@ -12,7 +13,7 @@ func TestDualEncryptor(t *testing.T) {
 ctx := context.Background()
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 assert.NoError(t, err)
 nativeEncryptor, err := NewNativeEncryptor(secretKey)
diff --git a/pkg/cloudencrypt/encryptor.go b/pkg/cloudencrypt/encryptor.go
index f6d7dce..c4f4f09 100644
--- a/pkg/cloudencrypt/encryptor.go
+++ b/pkg/cloudencrypt/encryptor.go
@@ -2,9 +2,6 @@ package cloudencrypt
 import (
 "context"
- "crypto/rand"
-
- "github.com/pkg/errors"
 )
 type Metadata map[string]string
@@ -14,13 +11,3 @@ type Encryptor interface {
 Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error)
 Close() error
 }
-
-func randomBytes(size int) ([]byte, error) {
- bytes := make([]byte, size)
- _, err := rand.Read(bytes)
- if err != nil {
- return nil, errors.Wrapf(err, "can't generate random bytes: %s", err.Error())
- }
-
- return bytes, err
-}
diff --git a/pkg/cloudencrypt/gcp.go b/pkg/cloudencrypt/gcp.go
index 9405e18..dae78aa 100644
--- a/pkg/cloudencrypt/gcp.go
+++ b/pkg/cloudencrypt/gcp.go
@@ -5,6 +5,7 @@ import (
 kms "cloud.google.com/go/kms/apiv1"
 "cloud.google.com/go/kms/apiv1/kmspb"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/encode"
 "github.com/pkg/errors"
 )
@@ -27,7 +28,7 @@ func NewGCPEncryptor(ctx context.Context, keyID string) (*GCPEncryptor, error) {
 }
 func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
- additionalData, err := encode(metadata)
+ additionalData, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
@@ -47,7 +48,7 @@ func (encryptor *GCPEncryptor) Encrypt(ctx context.Context, plaintext []byte, me
 }
 func (encryptor *GCPEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
- additionalData, err := encode(metadata)
+ additionalData, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/encode.go b/pkg/cloudencrypt/internal/encode/encode.go
similarity index 90%
rename from pkg/cloudencrypt/encode.go
rename to pkg/cloudencrypt/internal/encode/encode.go
index 1004073..b9e40c4 100644
--- a/pkg/cloudencrypt/encode.go
+++ b/pkg/cloudencrypt/internal/encode/encode.go
@@ -1,4 +1,4 @@
-package cloudencrypt
+package encode
 import (
 "bytes"
@@ -9,7 +9,7 @@ import (
 "github.com/pkg/errors"
 )
-func encode(data any) ([]byte, error) {
+func Encode(data any) ([]byte, error) {
 var buffer bytes.Buffer
 // Base64 encode
@@ -37,7 +37,7 @@ func encode(data any) ([]byte, error) {
 return buffer.Bytes(), nil
 }
-func decode[T any](data []byte) (decoded T, err error) {
+func Decode[T any](data []byte) (decoded T, err error) {
 // Base64 decode
 decoder := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(data))
diff --git a/pkg/cloudencrypt/encode_test.go b/pkg/cloudencrypt/internal/encode/encode_test.go
similarity index 62%
rename from pkg/cloudencrypt/encode_test.go
rename to pkg/cloudencrypt/internal/encode/encode_test.go
index 18793d8..1b6a8c9 100644
--- a/pkg/cloudencrypt/encode_test.go
+++ b/pkg/cloudencrypt/internal/encode/encode_test.go
@@ -1,25 +1,26 @@
-package cloudencrypt
+package encode
 import (
 "testing"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/stretchr/testify/assert"
 )
 func TestEncodeDecode(t *testing.T) {
 t.Parallel()
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 assert.NoError(t, err)
 data := make(map[string][]byte)
 data["test"] = secretKey
- encoded, err := encode(data)
+ encoded, err := Encode(data)
 assert.NoError(t, err)
 assert.NotNil(t, encoded)
- decoded, err := decode[map[string][]byte](encoded)
+ decoded, err := Decode[map[string][]byte](encoded)
 assert.NoError(t, err)
 assert.NotNil(t, decoded)
diff --git a/pkg/cloudencrypt/internal/random/random.go b/pkg/cloudencrypt/internal/random/random.go
new file mode 100644
index 0000000..65f6efe
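Review bot: `Encode` and `Decode` become exported in this hunk (`+func Encode(data any)`, `+func Decode[T any]`) but carry no doc comment, and the callers in this same commit now rely on `Encode` for two security-sensitive things: the AEAD additional data passed to GCM/KMS in native.go and gcp.go, and the cache key in cached.go, both derived from a `Metadata` map. That makes determinism for equal inputs a hard requirement, since a map serialized in iteration-dependent order would make `Decrypt` fail intermittently for the same metadata; the serializer after the base64 layer is outside the hunk, so I cannot tell whether it sorts map keys, but the contract is worth stating. I would add `// Encode serializes data and base64-encodes the result. Callers use the output as AEAD additional data and as a cache key, so it must be deterministic for equal inputs (map keys in a fixed order).` and `// Decode reverses Encode into a value of type T.` Both function bodies continue outside the hunk.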
--- /dev/null
+++ b/pkg/cloudencrypt/internal/random/random.go
@@ -0,0 +1,21 @@
+package random
+
+import (
+ "crypto/rand"
+
+ "github.com/pkg/errors"
+)
+
+func Bytes(size int) ([]byte, error) {
+ bytes := make([]byte, size)
+ _, err := rand.Read(bytes)
+ if err != nil {
+ return nil, errors.Wrapf(err, "can't generate random bytes: %s", err.Error())
+ }
+
+ return bytes, err
+}
+
+func SecretKey() ([]byte, error) {
+ return Bytes(32)
+}
diff --git a/pkg/cloudencrypt/logged_test.go b/pkg/cloudencrypt/logged_test.go
index 1f06d12..dbb4a45 100644
--- a/pkg/cloudencrypt/logged_test.go
+++ b/pkg/cloudencrypt/logged_test.go
@@ -6,6 +6,7 @@ import (
 "log"
 "testing"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/keboola/go-utils/pkg/wildcards"
 "github.com/stretchr/testify/assert"
 )
@@ -15,7 +16,7 @@ func TestLoggedEncryptor(t *testing.T) {
 ctx := context.Background()
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 assert.NoError(t, err)
 nativeEncryptor, err := NewNativeEncryptor(secretKey)
diff --git a/pkg/cloudencrypt/native.go b/pkg/cloudencrypt/native.go
index ce272a8..9bb0967 100644
--- a/pkg/cloudencrypt/native.go
+++ b/pkg/cloudencrypt/native.go
@@ -5,6 +5,8 @@ import (
 "crypto/aes"
 "crypto/cipher"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/encode"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/pkg/errors"
 )
@@ -30,12 +32,12 @@ func NewNativeEncryptor(secretKey []byte) (*NativeEncryptor, error) {
 }
 func (encryptor *NativeEncryptor) Encrypt(ctx context.Context, plaintext []byte, metadata Metadata) ([]byte, error) {
- additionalData, err := encode(metadata)
+ additionalData, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
- nonce, err := randomBytes(encryptor.gcm.NonceSize())
+ nonce, err := random.Bytes(encryptor.gcm.NonceSize())
 if err != nil {
 return nil, err
 }
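Review bot: In the new `random.go` the error path `errors.Wrapf(err, "can't generate random bytes: %s", err.Error())` embeds the cause twice, because pkg/errors' `Wrapf` already appends `: <err>` to the message, and the success path `return bytes, err` returns an `err` that is known to be nil at that point. I would change those two lines to `return nil, errors.Wrap(err, "can't generate random bytes")` and `return bytes, nil`. The two exported functions also lack doc comments; since this package now supplies every AES-GCM nonce and every data-encryption key in the library, I would add `// Bytes returns size bytes read from crypto/rand; it fails rather than returning a short or zeroed buffer.` and `// SecretKey returns a fresh 32-byte random key (the size NewNativeEncryptor is used with in this package's tests).` Note that `make([]byte, size)` panics on a negative size, so the doc comment could state that size must be non-negative.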
@@ -45,7 +47,7 @@ func (encryptor *NativeEncryptor) Encrypt(ctx context.Context, plaintext []byte,
 }
 func (encryptor *NativeEncryptor) Decrypt(ctx context.Context, ciphertext []byte, metadata Metadata) ([]byte, error) {
- additionalData, err := encode(metadata)
+ additionalData, err := encode.Encode(metadata)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cloudencrypt/native_test.go b/pkg/cloudencrypt/native_test.go
index 1e2fae1..2cc8550 100644
--- a/pkg/cloudencrypt/native_test.go
+++ b/pkg/cloudencrypt/native_test.go
@@ -4,6 +4,7 @@ import (
 "context"
 "testing"
+ "github.com/keboola/go-cloud-encrypt/pkg/cloudencrypt/internal/random"
 "github.com/stretchr/testify/assert"
 )
@@ -12,7 +13,7 @@ func TestNativeEncryptor(t *testing.T) {
 ctx := context.Background()
- secretKey, err := generateSecretKey()
+ secretKey, err := random.SecretKey()
 assert.NoError(t, err)
 encryptor, err := NewNativeEncryptor(secretKey)