diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index df95863..5099a65 100755
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@@ -87,7 +87,7 @@ pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
 pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')
 # Handle both string and JSON array formats for pcr_ids
-if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
+if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -u- 2>/dev/null)"; then
 # Attempt to parse as a JSON array if string parsing fails
 if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
 # Construct a comma-separated string from the array
@@ -176,13 +176,13 @@ else
 obj_attr="$obj_attr|userwithauth"
 fi
-# Remove tmp_pcr_digest and tmp_pcr_policy
-rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
+# Remove tmp_pcr_digest
+rm -f "$tmp_pcr_digest"
 # Define and trap tmp jwk_pub and jwk_priv
 tmp_jwk_pub="/tmp/jwk_pub.$$"
 tmp_jwk_priv="/tmp/jwk_priv.$$"
-trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
+trap 'rm -f "$tmp_primary_context" "$tmp_pcr_policy" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
@@ -195,8 +195,8 @@ if [ -n "$fail" ]; then
 fi
 tpm2_flushcontext -t
-# Remove tmp_primary_context
-rm -f "$tmp_primary_context"
+# Remove tmp_primary_context and tmp_pcr_policy
+rm -f "$tmp_primary_context" "$tmp_pcr_policy"
 # Encode the JWK public and private keys in Base64
 if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then
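Review bot: The new `if` line still routes every failure of the string extraction into the array branch with stderr discarded (`2>/dev/null`), so a `pcr_ids` value that is neither a string nor an array is caught only if code after this hunk rejects it. Because `pcr_ids` selects the PCRs the key is sealed against, that case should abort explicitly instead of continuing with an empty value, for example an `else` arm on the inner `-A` check that prints `pcr_ids must be a string or an array` to stderr and exits non-zero. The rest of the `if` block lies outside the hunk, so this may already be handled there.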
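Review bot: The context lines `tmp_jwk_pub="/tmp/jwk_pub.$$"` and `tmp_jwk_priv="/tmp/jwk_priv.$$"` still use PID-based names in a world-writable directory, and this cleanup change leaves them that way. Another local user can pre-create or symlink those paths before the TPM2 tools write to them; allocating them with `tmp_jwk_pub="$(mktemp)"` and `tmp_jwk_priv="$(mktemp)"`, each checked for failure, avoids that. If `tmp_pcr_policy` is named the same way earlier in the script (not visible here), it deserves the same fix, since that file presumably decides what the object is sealed to and is now kept until after the object is created. The `trap` is registered for `EXIT` only, and whether a signal reaches it depends on the shell, so handlers for `INT` and `TERM` that call `exit` are worth adding.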