diff --git a/hbs2-cli/lib/HBS2/CLI/Run/Internal/GroupKey.hs b/hbs2-cli/lib/HBS2/CLI/Run/Internal/GroupKey.hs
index 968747ab..20812440 100644
--- a/hbs2-cli/lib/HBS2/CLI/Run/Internal/GroupKey.hs
+++ b/hbs2-cli/lib/HBS2/CLI/Run/Internal/GroupKey.hs
@@ -26,22 +26,22 @@ groupKeyFromKeyList ks = do
   Symm.generateGroupKey @'HBS2Basic Nothing members
 
 
-encryptBlock :: MonadUnliftIO m
+encryptBlock :: (MonadUnliftIO m, Serialise t)
              => AnyStorage
              -> GroupKey 'Symm 'HBS2Basic
-             -> ByteString
-             -> m (SmallEncryptedBlock ByteString)
+             -> t
+             -> m (SmallEncryptedBlock t)
 
-encryptBlock sto gk bs = do
+encryptBlock sto gk x = do
   gks <- runKeymanClient (extractGroupKeySecret gk)
            >>= orThrowUser "can't extract group key secret"
 
-  Symm.encryptBlock sto gks (Right gk) Nothing bs
+  Symm.encryptBlock sto gks (Right gk) Nothing x
 
-decryptBlock :: MonadUnliftIO m
+decryptBlock :: (MonadUnliftIO m, Serialise t)
              => AnyStorage
-             -> SmallEncryptedBlock ByteString
-             -> m ByteString
+             -> SmallEncryptedBlock t
+             -> m t
 decryptBlock sto seb = do
   let find gk = runKeymanClient (extractGroupKeySecret gk)
 
diff --git a/hbs2-cli/lib/HBS2/CLI/Run/Internal/Merkle.hs b/hbs2-cli/lib/HBS2/CLI/Run/Internal/Merkle.hs
index 4e472b32..7122f3ce 100644
--- a/hbs2-cli/lib/HBS2/CLI/Run/Internal/Merkle.hs
+++ b/hbs2-cli/lib/HBS2/CLI/Run/Internal/Merkle.hs
@@ -3,7 +3,7 @@ module HBS2.CLI.Run.Internal.Merkle where
 import HBS2.CLI.Prelude
 import HBS2.Defaults
 import HBS2.CLI.Run.Internal
-import HBS2.CLI.Run.Internal.GroupKey
+import HBS2.CLI.Run.Internal.GroupKey as G
 
 import HBS2.Hash
 import HBS2.Net.Auth.GroupKeySymm as Symm
@@ -80,7 +80,12 @@ createTreeWithMetadata sto mgk meta lbs = do -- flip runContT pure do
       --
       let segments = readChunkedBS lbs defBlockSize
 
-      let source = ToEncryptSymmBS gks (Right gk) nonce segments  (ShortMetadata mt) Nothing
+      seb <- G.encryptBlock sto gk (ShortMetadata mt)
+
+      hmeta <- putBlock sto (serialise seb)
+                 >>= orThrowUser "can't put block"
+
+      let source = ToEncryptSymmBS gks (Right gk) nonce segments  (AnnHashRef hmeta) Nothing
 
       runExceptT $ writeAsMerkle sto source <&> HashRef
 
diff --git a/hbs2-cli/lib/HBS2/CLI/Run/MetaData.hs b/hbs2-cli/lib/HBS2/CLI/Run/MetaData.hs
index eaa4ebd6..c81e315e 100644
--- a/hbs2-cli/lib/HBS2/CLI/Run/MetaData.hs
+++ b/hbs2-cli/lib/HBS2/CLI/Run/MetaData.hs
@@ -4,7 +4,7 @@ module HBS2.CLI.Run.MetaData (metaDataEntries) where
 
 import HBS2.CLI.Prelude
 import HBS2.CLI.Run.Internal
-import HBS2.CLI.Run.Internal.GroupKey
+import HBS2.CLI.Run.Internal.GroupKey as G
 import HBS2.CLI.Run.Internal.Merkle
 
 import HBS2.Data.Types.Refs
@@ -79,13 +79,23 @@ metaDataEntries = do
             MTreeAnn { _mtaMeta = ShortMetadata s } -> do
               pure $ mkStr s
 
-            MTreeAnn { _mtaMeta = AnnHashRef h } -> do
+            MTreeAnn { _mtaMeta = AnnHashRef h, _mtaCrypt = NullEncryption } -> do
               getBlock sto h
                  >>= toMPlus
                  <&> LBS.toStrict
                  <&> TE.decodeUtf8
                  <&> mkStr
 
+            MTreeAnn { _mtaMeta = AnnHashRef h } -> do
+              getBlock sto h
+                 >>= toMPlus
+                 <&> deserialiseOrFail @(SmallEncryptedBlock AnnMetaData)
+                 >>= toMPlus
+                 >>= lift . G.decryptBlock sto
+                 <&> \case
+                  ShortMetadata s -> mkStr s
+                  _ -> nil
+
             _ -> mzero
 
       case (how, r) of