diff --git a/format.md b/format.md
index bc762fb..9f527f3 100644
--- a/format.md
+++ b/format.md
@@ -37,8 +37,8 @@ The distribution archive is encrypted with the distribution key.
 ## distribution key
 
 The distribution key is the AES<256> key, with which the distribution archive
-is encrypted using EAX<AES>. DIST.KEY contains the distribution key signed with
-the deployment key, then encrypted with the provisioning key.
+is encrypted using EAX<AES>. DIST.KEY contains the distribution key encrypted
+with the provisioning key using RSA-OAEP.
 
 ## distribution signature
 
diff --git a/src/unpack.cc b/src/unpack.cc
index d35966e..62be53c 100644
--- a/src/unpack.cc
+++ b/src/unpack.cc
@@ -153,14 +153,29 @@ namespace SignedPackage {
         return false;
     }
 
+    void decrypt_archive(
+            std::filesystem::path archive,
+            std::filesystem::path key,
+            CryptoPP::PrivateKey& provisioning_key
+        )
+    {
+
+    }
+
     std::filesystem::path extract_deployment_archive(
             CryptoPP::PublicKey& deployment_key,
+            CryptoPP::PrivateKey& provisioning_key,
             std::string pkg_path
         )
     {
         std::filesystem::path target_path = mktempdir();
-        extract_archive(pkg_path, target_path, { "DIST.A", "DIST.KEY", "DIST.SIG" });
-        check_signature(target_path / "DIST.A", target_path / "DIST.SIG", deployment_key);
+
+        extract_archive(pkg_path, target_path, { "DIST.A", "DIST.KEY",
+                "DIST.SIG" });
+        check_signature(target_path / "DIST.A", target_path / "DIST.SIG",
+                deployment_key);
+        decrypt_archive(target_path / "DIST.A", target_path / "DIST.KEY",
+                provisioning_key);
 
         return target_path;
     }
@@ -172,8 +187,11 @@ namespace SignedPackage {
             std::string target_path
         )
     {
-        std::string tmp_path = extract_deployment_archive(deployment_key, pkg_path);
+        std::string tmp_path = extract_deployment_archive(deployment_key,
+                provisioning_key, pkg_path);
         ensure_target_path(target_path);
+
+        std::filesystem::remove_all(tmp_path);
     }
 
     void provision_system(
diff --git a/src/unpack.hh b/src/unpack.hh
index 305af53..a675e2d 100644
--- a/src/unpack.hh
+++ b/src/unpack.hh
@@ -29,8 +29,15 @@ namespace SignedPackage {
             CryptoPP::PublicKey& key
         );
 
+    void decrypt_archive(
+            std::filesystem::path archive,
+            std::filesystem::path key,
+            CryptoPP::PrivateKey& provisioning_key
+        );
+
     std::filesystem::path extract_deployment_archive(
             CryptoPP::PublicKey& deployment_key,
+            CryptoPP::PrivateKey& provisioning_key,
             std::string pkg_path
         );