diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 3b0a40970..9cc8f10f1 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -125,10 +125,10 @@ int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **aes_ctx, const EVP_CIPHER *aes, unsigned char *key);
 int quic_tls_hp_decrypt(unsigned char *out, const unsigned char *in, size_t inlen,
- EVP_CIPHER_CTX *ctx);
+ EVP_CIPHER_CTX *ctx, unsigned char *key);
 int quic_tls_hp_encrypt(unsigned char *out, const unsigned char *in, size_t inlen,
- EVP_CIPHER_CTX *ctx);
+ EVP_CIPHER_CTX *ctx, unsigned char *key);
 int quic_tls_key_update(struct quic_conn *qc);
 void quic_tls_rotate_keys(struct quic_conn *qc);
diff --git a/src/quic_rx.c b/src/quic_rx.c
index 462f996d0..e2dd8fbd0 100644
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -91,7 +91,7 @@ static int qc_do_rm_hp(struct quic_conn *qc,
 sample = pn + QUIC_PACKET_PN_MAXLEN;
- if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx)) {
+ if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx, tls_ctx->rx.hp_key)) {
 TRACE_ERROR("HP removing failed", QUIC_EV_CONN_RMHP, qc, pkt);
 goto leave;
 }
diff --git a/src/quic_tls.c b/src/quic_tls.c
index 29fa73477..566584f78 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -621,7 +621,7 @@ int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx,
 */
 int quic_tls_hp_encrypt(unsigned char *out, const unsigned char *in, size_t inlen,
- EVP_CIPHER_CTX *ctx)
+ EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
 int ret = 0;
@@ -661,7 +661,7 @@ int quic_tls_dec_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx,
 */
 int quic_tls_hp_decrypt(unsigned char *out, const unsigned char *in, size_t inlen,
- EVP_CIPHER_CTX *ctx)
+ EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
 int ret = 0;
diff --git a/src/quic_tx.c b/src/quic_tx.c
index 550ac1bb9..5f81978ab 100644
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
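Review bot: The new parameter on both prototypes in include/haproxy/quic_tls.h is declared `unsigned char *key`, although the header-protection key is an input these functions have no reason to modify, and nothing in this diff writes through it. Declaring it `const unsigned char *key`, like the `const unsigned char *in` next to it, would let the compiler reject an accidental write to key material. The same change would be needed on the two definitions in src/quic_tls.c. If some TLS backend call needs a non-const pointer, a cast at that single call is easier to audit than a mutable pointer in the public prototype.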
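Review bot: The comment block that ends just above `quic_tls_hp_encrypt()` in src/quic_tls.c is untouched, so the new `key` argument is undocumented. Only the signature lines change in this file, which means neither body uses `key` in this commit. Since the functions now receive both `ctx` and `key`, the comment should say which one is authoritative, for example `<key> is the header protection key <ctx> was initialised with; it is not used yet`, if that is the intended contract. The same applies to `quic_tls_hp_decrypt()` in the following hunk. Both function bodies continue outside their hunks.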
@@ -1477,7 +1477,7 @@ void quic_apply_header_protection(struct quic_conn *qc, unsigned char *pos,
 *fail = 0;
- if (!quic_tls_hp_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, hp_ctx)) {
+ if (!quic_tls_hp_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, hp_ctx, tls_ctx->tx.hp_key)) {
 TRACE_ERROR("could not apply header protection", QUIC_EV_CONN_TXPKT, qc);
 *fail = 1;
 goto out;
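Review bot: The call to `quic_tls_hp_encrypt()` now takes the cipher context and the key from two different places: `hp_ctx` is a variable assigned outside this hunk, while the key is read from `tls_ctx->tx.hp_key`. The rx call site takes both from `tls_ctx->rx`, but nothing visible here ties `hp_ctx` to the same `tls_ctx`. If the two ever refer to different encryption levels, an implementation that uses `key` would compute a different mask than one that uses `ctx`, and the peer would fail to remove header protection. Consider passing the context from `tls_ctx->tx` directly at this call, or adding a comment where `hp_ctx` is assigned stating that it must come from the same `tls_ctx` as `tx.hp_key`. The function body starts and ends outside the hunk.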