diff --git a/veilid-core/src/core_context.rs b/veilid-core/src/core_context.rs
index b3d46ab3..555bdcf2 100644
--- a/veilid-core/src/core_context.rs
+++ b/veilid-core/src/core_context.rs
@@ -76,9 +76,16 @@ impl ServicesContext {
         }
         self.protected_store = Some(protected_store.clone());
 
-        // Set up tablestore
-        trace!("init table store");
+        // Set up tablestore and crypto system
+        trace!("create table store and crypto system");
         let table_store = TableStore::new(self.config.clone(), protected_store.clone());
+        let crypto = Crypto::new(self.config.clone(), table_store.clone());
+        table_store.set_crypto(crypto.clone());
+
+        // Initialize table store first, so crypto code can load caches
+        // Tablestore can use crypto during init, just not any cached operations or things
+        // that require flushing back to the tablestore
+        trace!("init table store");
         if let Err(e) = table_store.init().await {
             error!("failed to init table store: {}", e);
             self.shutdown().await;
@@ -88,7 +95,6 @@ impl ServicesContext {
 
         // Set up crypto
         trace!("init crypto");
-        let crypto = Crypto::new(self.config.clone(), table_store.clone());
         if let Err(e) = crypto.init().await {
             error!("failed to init crypto: {}", e);
             self.shutdown().await;
diff --git a/veilid-core/src/crypto/mod.rs b/veilid-core/src/crypto/mod.rs
index d70be8f7..822687eb 100644
--- a/veilid-core/src/crypto/mod.rs
+++ b/veilid-core/src/crypto/mod.rs
@@ -132,10 +132,6 @@ impl Crypto {
     pub async fn init(&self) -> EyreResult<()> {
         trace!("Crypto::init");
         let table_store = self.unlocked_inner.table_store.clone();
-
-        // Set crypto for table store
-        table_store.set_crypto(self.clone());
-
         // Init node id from config
         if let Err(e) = self
             .unlocked_inner
diff --git a/veilid-core/src/table_store/table_store.rs b/veilid-core/src/table_store/table_store.rs
index 05703849..0f86f3f3 100644
--- a/veilid-core/src/table_store/table_store.rs
+++ b/veilid-core/src/table_store/table_store.rs
@@ -48,7 +48,7 @@ impl TableStore {
         inner.crypto = Some(crypto);
     }
 
-    // Flush internal control state
+    // Flush internal control state (must not use crypto)
     async fn flush(&self) {
         let (all_table_names_value, all_tables_db) = {
             let inner = self.inner.lock();
@@ -220,6 +220,7 @@ impl TableStore {
     ) -> EyreResult<Vec<u8>> {
         // Check if we are to protect the key
         if device_encryption_key_password.is_empty() {
+            debug!("no dek password");
             // Return the unprotected key bytes
             let mut out = Vec::with_capacity(4 + SHARED_SECRET_LENGTH);
             out.extend_from_slice(&dek.kind.0);
@@ -260,6 +261,7 @@ impl TableStore {
             .load_user_secret("device_encryption_key")
             .await?;
         let Some(dek_bytes) = dek_bytes else {
+            debug!("no device encryption key");
             return Ok(None);
         };
 
@@ -284,7 +286,7 @@ impl TableStore {
                 .protected_store
                 .remove_user_secret("device_encryption_key")
                 .await?;
-            trace!("removed device encryption key. existed: {}", existed);
+            debug!("removed device encryption key. existed: {}", existed);
             return Ok(());
         };
 
@@ -296,6 +298,7 @@ impl TableStore {
         let device_encryption_key_password =
             if let Some(new_device_encryption_key_password) = new_device_encryption_key_password {
                 // Change password
+                debug!("changing dek password");
                 self.config
                     .with_mut(|c| {
                         c.protected_store.device_encryption_key_password =
@@ -305,6 +308,7 @@ impl TableStore {
                     .unwrap()
             } else {
                 // Get device encryption key protection password if we have it
+                debug!("saving with existing dek password");
                 let c = self.config.get();
                 c.protected_store.device_encryption_key_password.clone()
             };
@@ -319,7 +323,7 @@ impl TableStore {
             .protected_store
             .save_user_secret("device_encryption_key", &dek_bytes)
             .await?;
-        trace!("saving device encryption key. existed: {}", existed);
+        debug!("saving device encryption key. existed: {}", existed);
         Ok(())
     }
 
diff --git a/veilid-server/src/cmdline.rs b/veilid-server/src/cmdline.rs
index 1a349bf6..3d4fe163 100644
--- a/veilid-server/src/cmdline.rs
+++ b/veilid-server/src/cmdline.rs
@@ -244,6 +244,13 @@ pub fn process_command_line() -> EyreResult<(Settings, ArgMatches)> {
     if matches.occurrences_of("delete-table-store") != 0 {
         settingsrw.core.table_store.delete = true;
     }
+    if matches.occurrences_of("password") != 0 {
+        settingsrw.core.protected_store.device_encryption_key_password = matches.value_of("password").unwrap().to_owned();
+    }
+    if matches.occurrences_of("new-password") != 0 {
+        settingsrw.core.protected_store.new_device_encryption_key_password = Some(matches.value_of("new-password").unwrap().to_owned());
+    }
+
     if matches.occurrences_of("dump-txt-record") != 0 {
         // Turn off terminal logging so we can be interactive
         settingsrw.logging.terminal.enabled = false;