diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 6515dde6..4fb962c8 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -154,6 +154,25 @@ static int _set_keyslot_encryption_params(struct crypt_device *cd)
 	return crypt_keyslot_set_encryption(cd, ARG_STR(OPT_KEYSLOT_CIPHER_ID), ARG_UINT32(OPT_KEYSLOT_KEY_SIZE_ID) / 8);
 }
 
+static int tools_write_mk(const char *file, const char *key, int keysize)
+{
+	int fd, r = -EINVAL;
+
+	fd = open(file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);
+	if (fd < 0) {
+		log_err(_("Cannot open keyfile %s for write."), file);
+		return r;
+	}
+
+	if (write_buffer(fd, key, keysize) == keysize)
+		r = 0;
+	else
+		log_err(_("Cannot write to keyfile %s."), file);
+
+	close(fd);
+	return r;
+}
+
 static int action_open_plain(void)
 {
 	struct crypt_device *cd = NULL, *cd1 = NULL;
diff --git a/src/cryptsetup.h b/src/cryptsetup.h
index 586e5729..6943e388 100644
--- a/src/cryptsetup.h
+++ b/src/cryptsetup.h
@@ -109,8 +109,6 @@ int tools_is_cipher_null(const char *cipher);
 int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
 int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
 
-int tools_write_mk(const char *file, const char *key, int keysize);
-
 int tools_read_json_file(struct crypt_device *cd, const char *file, char **json, size_t *json_size);
 int tools_write_json_file(struct crypt_device *cd, const char *file, const char *json);
 
diff --git a/src/utils_password.c b/src/utils_password.c
index d10ac912..927c615c 100644
--- a/src/utils_password.c
+++ b/src/utils_password.c
@@ -29,25 +29,6 @@ void tools_passphrase_msg(int r)
 		log_err(_("No usable keyslot is available."));
 }
 
-int tools_write_mk(const char *file, const char *key, int keysize)
-{
-	int fd, r = -EINVAL;
-
-	fd = open(file, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR);
-	if (fd < 0) {
-		log_err(_("Cannot open keyfile %s for write."), file);
-		return r;
-	}
-
-	if (write_buffer(fd, key, keysize) == keysize)
-		r = 0;
-	else
-		log_err(_("Cannot write to keyfile %s."), file);
-
-	close(fd);
-	return r;
-}
-
 /*
  * Only tool that currently blocks signals explicitely is cryptsetup-reencrypt.
  * Leave the tools_get_key stub with signals handling here and remove it later