diff --git a/libi2pd/Destination.cpp b/libi2pd/Destination.cpp
index ad7725fc..21d35c9f 100644
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@@ -357,7 +357,8 @@ namespace client
 }
 i2p::data::IdentHash key (buf + DATABASE_STORE_KEY_OFFSET);
 std::shared_ptr leaseSet;
- if (buf[DATABASE_STORE_TYPE_OFFSET] == 1) // LeaseSet
+ if (buf[DATABASE_STORE_TYPE_OFFSET] == i2p::data::NETDB_STORE_TYPE_LEASESET || // 1
+ buf[DATABASE_STORE_TYPE_OFFSET] == i2p::data::NETDB_STORE_TYPE_STANDARD_LEASESET2) // 3
 {
 LogPrint (eLogDebug, "Destination: Remote LeaseSet");
 std::lock_guard lock(m_RemoteLeaseSetsMutex);
@@ -382,7 +383,10 @@ namespace client
 }
 else
 {
- leaseSet = std::make_shared (buf + offset, len - offset);
+ if (buf[DATABASE_STORE_TYPE_OFFSET] == i2p::data::NETDB_STORE_TYPE_LEASESET)
+ leaseSet = std::make_shared (buf + offset, len - offset); // LeaseSet
+ else
+ leaseSet = std::make_shared (buf[DATABASE_STORE_TYPE_OFFSET], buf + offset, len - offset); // LeaseSet2
 if (leaseSet->IsValid () && leaseSet->GetIdentHash () == key)
 {
 if (leaseSet->GetIdentHash () != GetIdentHash ())
diff --git a/libi2pd/Identity.cpp b/libi2pd/Identity.cpp
index 13ed46b0..02658ecc 100644
--- a/libi2pd/Identity.cpp
+++ b/libi2pd/Identity.cpp
@@ -318,7 +318,7 @@ namespace data
 return CRYPTO_KEY_TYPE_ELGAMAL;
 }
- i2p::crypto::Verifier * IdentityEx::CreateVerifier (uint16_t keyType)
+ i2p::crypto::Verifier * IdentityEx::CreateVerifier (SigningKeyType keyType)
 {
 switch (keyType)
 {
@@ -401,10 +401,9 @@ namespace data
 m_Verifier = nullptr;
 }
- std::shared_ptr IdentityEx::CreateEncryptor (const uint8_t * key) const
+ std::shared_ptr IdentityEx::CreateEncryptor (CryptoKeyType keyType, const uint8_t * key)
 {
- if (!key) key = GetEncryptionPublicKey (); // use publicKey
- switch (GetCryptoKeyType ())
+ switch (keyType)
 {
 case CRYPTO_KEY_TYPE_ELGAMAL:
 return std::make_shared(key);
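Review bot: The new static `CreateEncryptor (CryptoKeyType keyType, const uint8_t * key)` receives only a pointer, so nothing inside it can check that the bytes behind `key` are as long as the encryptor for `keyType` needs, and unlike the old member body it no longer substitutes a key when `key` is null; since the `keyType` it switches on can now come straight from a parsed buffer, that contract belongs on the definition. I would add above the signature: `// key must be non-null and point at a complete public key of type keyType; no length is passed, so the caller is responsible for bounds-checking it against its buffer`. The hunk opens on the tail of the previous function and the switch continues past its last line, so the remaining cases are not visible here.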
@@ -417,9 +416,15 @@ namespace data
 return std::make_shared(key);
 break;
 default:
- LogPrint (eLogError, "Identity: Unknown crypto key type ", (int)GetCryptoKeyType ());
+ LogPrint (eLogError, "Identity: Unknown crypto key type ", (int)keyType);
 };
 return nullptr;
+ }
+
+ std::shared_ptr IdentityEx::CreateEncryptor (const uint8_t * key) const
+ {
+ if (!key) key = GetEncryptionPublicKey (); // use publicKey
+ return CreateEncryptor (GetCryptoKeyType (), key);
 }
 PrivateKeys& PrivateKeys::operator=(const Keys& keys)
diff --git a/libi2pd/Identity.h b/libi2pd/Identity.h
index 268068aa..2a91ef48 100644
--- a/libi2pd/Identity.h
+++ b/libi2pd/Identity.h
@@ -110,8 +110,9 @@ namespace data
 bool operator == (const IdentityEx & other) const { return GetIdentHash() == other.GetIdentHash(); }
 void RecalculateIdentHash(uint8_t * buff=nullptr);
- static i2p::crypto::Verifier * CreateVerifier (uint16_t keyType);
-
+ static i2p::crypto::Verifier * CreateVerifier (SigningKeyType keyType);
+ static std::shared_ptr CreateEncryptor (CryptoKeyType keyType, const uint8_t * key);
+
 private:
 void CreateVerifier () const;
diff --git a/libi2pd/LeaseSet.cpp b/libi2pd/LeaseSet.cpp
index 47632bcb..41483469 100644
--- a/libi2pd/LeaseSet.cpp
+++ b/libi2pd/LeaseSet.cpp
@@ -12,8 +12,8 @@ namespace i2p
 namespace data
 {
- LeaseSet::LeaseSet ():
- m_IsValid (false), m_StoreLeases (false), m_ExpirationTime (0), m_Buffer (nullptr), m_BufferLen (0)
+ LeaseSet::LeaseSet (bool storeLeases):
+ m_IsValid (false), m_StoreLeases (storeLeases), m_ExpirationTime (0), m_Buffer (nullptr), m_BufferLen (0)
 {
 }
@@ -69,12 +69,7 @@ namespace data
 return;
 }
- // reset existing leases
- if (m_StoreLeases)
- for (auto& it: m_Leases)
- it->isUpdated = false;
- else
- m_Leases.clear ();
+ UpdateLeasesBegin ();
 // process leases
 m_ExpirationTime = 0;
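Review bot: The `default:` branch still logs at `eLogError` with the raw `keyType`, but after this change the static overload is reachable with key types taken from a remote LeaseSet2's key sections (the LeaseSet2 parser loops over several sections, so a type this router does not support is an expected input rather than a local fault), which makes each such section a peer-triggered error-level log line. I would downgrade it for the static path, `LogPrint (eLogWarning, "Identity: Unknown crypto key type ", (int)keyType);`, and let the member overload, whose type comes from the local identity, keep the error level if that distinction matters. The wrapper added at the end of the hunk, `CreateEncryptor (const uint8_t * key) const`, is now the only place with the null-key fallback, which is worth a one-line comment such as `// a null key means this identity's own encryption public key`.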
@@ -98,6 +93,29 @@ namespace data
 return;
 }
 m_ExpirationTime += LEASE_ENDDATE_THRESHOLD;
+
+ UpdateLeasesEnd ();
+
+ // verify
+ if (verifySignature && !m_Identity->Verify (m_Buffer, leases - m_Buffer, leases))
+ {
+ LogPrint (eLogWarning, "LeaseSet: verification failed");
+ m_IsValid = false;
+ }
+ }
+
+ void LeaseSet::UpdateLeasesBegin ()
+ {
+ // reset existing leases
+ if (m_StoreLeases)
+ for (auto& it: m_Leases)
+ it->isUpdated = false;
+ else
+ m_Leases.clear ();
+ }
+
+ void LeaseSet::UpdateLeasesEnd ()
+ {
 // delete old leases
 if (m_StoreLeases)
 {
@@ -112,13 +130,6 @@ namespace data
 ++it;
 }
 }
-
- // verify
- if (verifySignature && !m_Identity->Verify (m_Buffer, leases - m_Buffer, leases))
- {
- LogPrint (eLogWarning, "LeaseSet: verification failed");
- m_IsValid = false;
- }
 }
 void LeaseSet::UpdateLease (const Lease& lease, uint64_t ts)
@@ -233,8 +244,8 @@ namespace data
 memcpy (m_Buffer, buf, len);
 }
- LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len):
- m_StoreType (storeType)
+ LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases):
+ LeaseSet (storeLeases), m_StoreType (storeType)
 {
 SetBuffer (buf, len);
 if (storeType == NETDB_STORE_TYPE_ENCRYPTED_LEASESET2)
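Review bot: `UpdateLeasesBegin ()` and `UpdateLeasesEnd ()` are introduced as a three-step protocol (Begin, one `UpdateLease` per lease, End) that a second parser is meant to follow, yet neither definition says so. Above `UpdateLeasesBegin` I would put `// Start re-reading leases: marks every stored lease as not yet updated, or drops them all when leases are not stored; pair with UpdateLeasesEnd`, and above `UpdateLeasesEnd` `// Finish re-reading leases: removes stored leases that UpdateLease did not refresh since UpdateLeasesBegin` — the removal loop's condition lies outside this hunk, so confirm that wording against it. The parser this hunk closes (its head is outside the hunk) now rewrites the lease list through these two calls before the signature check that follows them, so a LeaseSet that fails verification has already replaced the leases; that ordering predates this commit, but a `// NOTE: leases are replaced before the signature is verified` beside the moved `// verify` block would save the next reader the same double take.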
@@ -317,26 +328,37 @@ namespace data
 int numKeySections = buf[offset]; offset++;
 for (int i = 0; i < numKeySections; i++)
 {
- // skip key for now. TODO: implement encryption key
- offset += 2; // encryption key type
+ uint16_t keyType = bufbe16toh (buf + offset); offset += 2; // encryption key type
 if (offset + 2 >= len) return 0;
 uint16_t encryptionKeyLen = bufbe16toh (buf + offset); offset += 2;
+ if (offset + encryptionKeyLen >= len) return 0;
+ if (!m_Encryptor && IsStoreLeases ()) // create encryptor with leases only, first key
+ {
+ auto encryptor = i2p::data::IdentityEx::CreateEncryptor (keyType, buf + offset);
+ m_Encryptor = encryptor; // TODO: atomic
+ }
 offset += encryptionKeyLen;
- if (offset >= len) return 0;
 }
 // leases
 if (offset + 1 >= len) return 0;
 int numLeases = buf[offset]; offset++;
 auto ts = i2p::util::GetMillisecondsSinceEpoch ();
- for (int i = 0; i < numLeases; i++)
+ if (IsStoreLeases ())
 {
- if (offset + 40 > len) return 0;
- Lease lease;
- lease.tunnelGateway = buf + offset; offset += 32; // gateway
- lease.tunnelID = bufbe32toh (buf + offset); offset += 4; // tunnel ID
- lease.endDate = bufbe32toh (buf + offset)*1000LL; offset += 4; // end date
- UpdateLease (lease, ts);
+ UpdateLeasesBegin ();
+ for (int i = 0; i < numLeases; i++)
+ {
+ if (offset + 40 > len) return 0;
+ Lease lease;
+ lease.tunnelGateway = buf + offset; offset += 32; // gateway
+ lease.tunnelID = bufbe32toh (buf + offset); offset += 4; // tunnel ID
+ lease.endDate = bufbe32toh (buf + offset)*1000LL; offset += 4; // end date
+ UpdateLease (lease, ts);
+ }
+ UpdateLeasesEnd ();
 }
+ else
+ offset += numLeases*40; // 40 bytes per lease
 return offset;
 }
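Review bot: The new key-section handling bounds-checks `encryptionKeyLen` only against `len`, never against what `keyType` requires: `CreateEncryptor (keyType, buf + offset)` gets a bare pointer, so if the type-specific encryptor copies a fixed-size key, a section that declares a shorter length lets it read past the section and, near the end of the message, past `len` — an over-read that the remote peer who sent this LeaseSet controls. Before creating the encryptor, gate on the length matching the size the codebase already knows for that `CryptoKeyType` and skip the section otherwise, along the lines of `if (!m_Encryptor && IsStoreLeases () && encryptionKeyLen == /* key size for keyType */)`, so that unknown or mis-sized sections are passed over without touching their bytes. The new `else offset += numLeases*40;` branch also drops the `offset + 40 > len` check the loop performs, so with `IsStoreLeases ()` false the returned offset can exceed `len`; add `if (offset + numLeases*40 > len) return 0;` before advancing unless the caller (outside this hunk) is known to re-check. The `m_Encryptor = encryptor; // TODO: atomic` store races with the copy made in `Encrypt`; `std::atomic_store (&m_Encryptor, encryptor)` paired with `std::atomic_load` on the reader would close that without a mutex. The enclosing function's head is outside the hunk.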
@@ -410,6 +432,13 @@ namespace data
 SetIsValid (verified);
 }
+ void LeaseSet2::Encrypt (const uint8_t * data, uint8_t * encrypted, BN_CTX * ctx) const
+ {
+ auto encryptor = m_Encryptor; // TODO: atomic
+ if (encryptor)
+ encryptor->Encrypt (data, encrypted, ctx, true);
+ }
+
 LocalLeaseSet::LocalLeaseSet (std::shared_ptr identity, const uint8_t * encryptionPublicKey, std::vector > tunnels):
 m_ExpirationTime (0), m_Identity (identity)
 {
diff --git a/libi2pd/LeaseSet.h b/libi2pd/LeaseSet.h
index 68c8f1b7..c1b1df9a 100644
--- a/libi2pd/LeaseSet.h
+++ b/libi2pd/LeaseSet.h
@@ -84,14 +84,17 @@ namespace data
 protected:
+ void UpdateLeasesBegin ();
+ void UpdateLeasesEnd ();
 void UpdateLease (const Lease& lease, uint64_t ts); // called from LeaseSet2
- LeaseSet ();
+ LeaseSet (bool storeLeases);
 void SetBuffer (const uint8_t * buf, size_t len);
 void SetIdentity (std::shared_ptr identity) { m_Identity = identity; };
 void SetExpirationTime (uint64_t t) { m_ExpirationTime = t; };
 void SetIsValid (bool isValid) { m_IsValid = isValid; };
+ bool IsStoreLeases () const { return m_StoreLeases; };
 private:
@@ -122,9 +125,12 @@ namespace data
 {
 public:
- LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len);
+ LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases = true);
 uint8_t GetStoreType () const { return m_StoreType; };
+ // implements RoutingDestination
+ void Encrypt (const uint8_t * data, uint8_t * encrypted, BN_CTX * ctx) const;
+
 private:
 void ReadFromBuffer (const uint8_t * buf, size_t len);
@@ -138,6 +144,7 @@ namespace data
 private:
 uint8_t m_StoreType;
+ std::shared_ptr m_Encryptor; // for standardLS2
 };
 class LocalLeaseSet
diff --git a/libi2pd/NetDb.cpp b/libi2pd/NetDb.cpp
index 714c327d..0447af99 100644
--- a/libi2pd/NetDb.cpp
+++ b/libi2pd/NetDb.cpp
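Review bot: `LeaseSet2::Encrypt` silently does nothing when `m_Encryptor` is null, leaving `encrypted` untouched with no signal to the caller, and a null encryptor is a reachable state: the parser creates one only when leases are stored and `CreateEncryptor` knows the key type, and the interface returns void. At minimum make it visible, `else LogPrint (eLogError, "LeaseSet2: encryptor is not set");`, so a message built from an unusable LeaseSet2 shows up in the log instead of failing quietly. The `auto encryptor = m_Encryptor; // TODO: atomic` copy also reads the shared_ptr while the parser may be assigning it; `auto encryptor = std::atomic_load (&m_Encryptor);` with `std::atomic_store` on the writer is a small, dependency-free way to settle that TODO.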
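Review bot: The new `bool storeLeases = true` parameter does more than its name says: with `false` the parser keeps no leases and also never creates the encryptor, so such a LeaseSet2 cannot act as the RoutingDestination that `Encrypt`, declared right below it, advertises. I would document that at the declaration, `// storeLeases=false builds a parse-and-validate-only object (no leases, no encryptor) that is not usable as a RoutingDestination`, and give `Encrypt` a line saying `// no-op when no encryptor was created during parsing`.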
@@ -297,7 +297,7 @@ namespace data
 auto it = m_LeaseSets.find(ident);
 if (it == m_LeaseSets.end ())
 {
- auto leaseSet = std::make_shared (storeType, buf, len);
+ auto leaseSet = std::make_shared (storeType, buf, len, false); // we don't need leases in netdb
 m_LeaseSets[ident] = leaseSet;
 return true;
 }
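Review bot: `// we don't need leases in netdb` undersells what `false` does here: in the LeaseSet2 parser the same flag also skips creating the encryptor, so `Encrypt` on this netdb copy is a silent no-op. If anything ever hands a netdb-resident LeaseSet2 to code that treats it as a RoutingDestination that will fail quietly, so I would make the comment say so, `// parse-and-validate copy only: no leases and no encryptor are kept, never use it as a RoutingDestination`, and confirm that netdb consumers read only identity and expiry from it. The update path for an already-known ident is outside this hunk.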