diff --git a/server/datastore/mysql/migrations/tables/20241116233322_AddLuksDataToHostDiskEncryptionKeys.go b/server/datastore/mysql/migrations/tables/20241116233322_AddLuksDataToHostDiskEncryptionKeys.go
index 2bb5bcb85b28..7a790a454099 100644
--- a/server/datastore/mysql/migrations/tables/20241116233322_AddLuksDataToHostDiskEncryptionKeys.go
+++ b/server/datastore/mysql/migrations/tables/20241116233322_AddLuksDataToHostDiskEncryptionKeys.go
@@ -11,7 +11,7 @@ func init() {
 
 func Up_20241116233322(tx *sql.Tx) error {
 _, err := tx.Exec(`ALTER TABLE host_disk_encryption_keys
-ADD COLUMN base64_encrypted_salt VARCHAR(255) NOT NULL DEFAULT '' AFTER base64_encrypted,
+ADD COLUMN base64_encrypted_salt VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '' AFTER base64_encrypted,
 ADD COLUMN key_slot TINYINT UNSIGNED DEFAULT NULL AFTER base64_encrypted_salt`)
 if err != nil {
 return fmt.Errorf("failed to add base64_encrypted_salt and key_slot columns to host_disk_encryption_keys: %w", err)
diff --git a/server/datastore/mysql/schema.sql b/server/datastore/mysql/schema.sql
index 96bb8ef61541..45718cbd1d7c 100644
--- a/server/datastore/mysql/schema.sql
+++ b/server/datastore/mysql/schema.sql
@@ -303,7 +303,7 @@ CREATE TABLE `host_device_auth` (
 CREATE TABLE `host_disk_encryption_keys` (
 `host_id` int unsigned NOT NULL,
 `base64_encrypted` text COLLATE utf8mb4_unicode_ci NOT NULL,
-`base64_encrypted_salt` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
+`base64_encrypted_salt` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
 `key_slot` tinyint unsigned DEFAULT NULL,
 `decryptable` tinyint(1) DEFAULT NULL,
 `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
diff --git a/server/service/orbit.go b/server/service/orbit.go
index 459c8d600926..0a0e852bb39c 100644
--- a/server/service/orbit.go
+++ b/server/service/orbit.go
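Review bot: Editing an already-committed migration in place only affects databases where `Up_20241116233322` has not yet run; if this migration has shipped anywhere (the diff does not show whether it has), those deployments keep `base64_encrypted_salt` with whatever character set the table default gave it, and the mismatch this change targets persists there, so a follow-up migration issuing `ALTER TABLE host_disk_encryption_keys MODIFY COLUMN base64_encrypted_salt VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT ''` would be the safer way to converge. The reason for the explicit charset is not recorded anywhere in the hunk; a one-line comment above the `tx.Exec` call such as `// Explicit charset/collation so the column matches base64_encrypted (utf8mb4_unicode_ci) instead of inheriting the table default.` would save the next reader from guessing. The schema.sql hunk mirrors the same column definition and needs no separate change. Up_20241116233322 continues past the end of the hunk.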
@@ -1086,7 +1086,7 @@ func (svc *Service) EscrowLUKSData(ctx context.Context, passphrase string, salt
 return svc.ds.SaveLUKSData(ctx, host.ID, encryptedPassphrase, encryptedSalt, validatedKeySlot)
 }
 
-func (svc *Service) validateAndEncrypt(ctx context.Context, passphrase string, salt string, keySlot *uint) (string, string, uint, error) {
+func (svc *Service) validateAndEncrypt(ctx context.Context, passphrase string, salt string, keySlot *uint) (encryptedPassphrase string, encryptedSalt string, validatedKeySlot uint, err error) {
 if passphrase == "" || salt == "" || keySlot == nil {
 return "", "", 0, badRequest("passphrase, salt, and key_slot must be provided to escrow LUKS data")
 }
@@ -1094,11 +1094,11 @@ func (svc *Service) validateAndEncrypt(ctx context.Context, passphrase string, s
 return "", "", 0, newOsqueryError("internal error: missing server private key")
 }
 
-encryptedPassphrase, err := mdm.EncryptAndEncode(passphrase, svc.config.Server.PrivateKey)
+encryptedPassphrase, err = mdm.EncryptAndEncode(passphrase, svc.config.Server.PrivateKey)
 if err != nil {
 return "", "", 0, ctxerr.Wrap(ctx, err, "internal error: could not encrypt LUKS data")
 }
-encryptedSalt, err := mdm.EncryptAndEncode(salt, svc.config.Server.PrivateKey)
+encryptedSalt, err = mdm.EncryptAndEncode(salt, svc.config.Server.PrivateKey)
 if err != nil {
 return "", "", 0, ctxerr.Wrap(ctx, err, "internal error: could not encrypt LUKS data")
 }
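Review bot: The named results on the new `validateAndEncrypt` signature exist only for documentation, yet the function still has no doc comment, and `validatedKeySlot` is never assigned in the visible hunks, so the names are the only hint of what the fourth value means; a comment on the function stating the contract would help, e.g. `// validateAndEncrypt rejects a missing passphrase, salt or keySlot, encrypts the passphrase and salt with the server private key, and returns the encoded ciphertexts together with the validated key slot.` With `err` now a named result, a later `x, err := ...` inside a nested block will shadow it and compile cleanly, so the `=` assignments made in the 1094 hunk are the right form and are worth keeping consistent in the rest of the body. validateAndEncrypt continues beyond the end of the second hunk.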
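Review bot: Both ctxerr.Wrap calls in this hunk carry the identical message `"internal error: could not encrypt LUKS data"`, so a failure encrypting the salt is indistinguishable from one encrypting the passphrase, both in logs and in the error returned to the caller. Changing the second to `return "", "", 0, ctxerr.Wrap(ctx, err, "internal error: could not encrypt LUKS salt")` and the first to name the passphrase makes triage straightforward without exposing any key material, since only err is wrapped. The enclosing function continues past the end of the hunk.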