diff --git a/daemon/HTTPServer.cpp b/daemon/HTTPServer.cpp
index be1ec4ac..167b8c95 100644
--- a/daemon/HTTPServer.cpp
+++ b/daemon/HTTPServer.cpp
@@ -661,7 +661,7 @@ namespace http {
 					else
 					{
 						ls.reset (new i2p::data::LeaseSet2 (storeType));
-						ls->Update (leaseSet->GetBuffer(), leaseSet->GetBufferLen(), false);
+						ls->Update (leaseSet->GetBuffer(), leaseSet->GetBufferLen(), nullptr, false);
 					}
 					if (!ls) return;
 					s << "<div class=\"leaseset listitem";
diff --git a/libi2pd/Destination.cpp b/libi2pd/Destination.cpp
index b243ba0a..52418471 100644
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@@ -450,7 +450,7 @@ namespace client
 					leaseSet = it->second;
 					if (leaseSet->IsNewer (buf + offset, len - offset))
 					{
-						leaseSet->Update (buf + offset, len - offset);
+						leaseSet->Update (buf + offset, len - offset, shared_from_this(), true);
 						if (leaseSet->IsValid () && leaseSet->GetIdentHash () == key && !leaseSet->IsExpired ())
 							LogPrint (eLogDebug, "Destination: Remote LeaseSet updated");
 						else
@@ -471,7 +471,8 @@ namespace client
 					else
 					{	
 						leaseSet = std::make_shared<i2p::data::LeaseSet2> (buf[DATABASE_STORE_TYPE_OFFSET], 
-							buf + offset, len - offset, true, from ? from->GetRemoteStaticKeyType () : GetPreferredCryptoType () ); // LeaseSet2
+							buf + offset, len - offset, true, shared_from_this (), 
+						    from ? from->GetRemoteStaticKeyType () : GetPreferredCryptoType () ); // LeaseSet2
 						if (from)
 						{
 							uint8_t pub[32];
@@ -511,8 +512,8 @@ namespace client
 					if (request->requestedBlindedKey)
 					{
 						auto ls2 = std::make_shared<i2p::data::LeaseSet2> (buf + offset, len - offset,
-							request->requestedBlindedKey, m_LeaseSetPrivKey ? ((const uint8_t *)*m_LeaseSetPrivKey) : nullptr, 
-						    GetPreferredCryptoType ());
+							request->requestedBlindedKey, shared_from_this (), 
+						    m_LeaseSetPrivKey ? ((const uint8_t *)*m_LeaseSetPrivKey) : nullptr, GetPreferredCryptoType ());
 						if (ls2->IsValid () && !ls2->IsExpired ())
 						{
 							leaseSet = ls2;
diff --git a/libi2pd/LeaseSet.cpp b/libi2pd/LeaseSet.cpp
index eb337b63..3001bdfb 100644
--- a/libi2pd/LeaseSet.cpp
+++ b/libi2pd/LeaseSet.cpp
@@ -36,7 +36,7 @@ namespace data
 		ReadFromBuffer ();
 	}
 
-	void LeaseSet::Update (const uint8_t * buf, size_t len, bool verifySignature)
+	void LeaseSet::Update (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest, bool verifySignature)
 	{
 		SetBuffer (buf, len);
 		ReadFromBuffer (false, verifySignature);
@@ -281,28 +281,29 @@ namespace data
 			LogPrint (eLogError, "LeaseSet2: Actual buffer size ", int(len) , " exceeds full buffer size ", int(m_BufferLen));
 	}
 
-	LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases, CryptoKeyType preferredCrypto):
+	LeaseSet2::LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, 
+	    bool storeLeases, std::shared_ptr<LocalDestination> dest, CryptoKeyType preferredCrypto):
 		LeaseSet (storeLeases), m_StoreType (storeType), m_EncryptionType (preferredCrypto)
 	{
 		SetBuffer (buf, len);
 		if (storeType == NETDB_STORE_TYPE_ENCRYPTED_LEASESET2)
-			ReadFromBufferEncrypted (buf, len, nullptr, nullptr);
+			ReadFromBufferEncrypted (buf, len, nullptr, dest, nullptr);
 		else
-			ReadFromBuffer (buf, len);
+			ReadFromBuffer (buf, len, dest);
 	}
 
 	LeaseSet2::LeaseSet2 (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key,
-		const uint8_t * secret, CryptoKeyType preferredCrypto):
+		std::shared_ptr<LocalDestination> dest, const uint8_t * secret, CryptoKeyType preferredCrypto):
 		LeaseSet (true), m_StoreType (NETDB_STORE_TYPE_ENCRYPTED_LEASESET2), m_EncryptionType (preferredCrypto)
 	{
-		ReadFromBufferEncrypted (buf, len, key, secret);
+		ReadFromBufferEncrypted (buf, len, key, dest, secret);
 	}
 
-	void LeaseSet2::Update (const uint8_t * buf, size_t len, bool verifySignature)
+	void LeaseSet2::Update (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest, bool verifySignature)
 	{
 		SetBuffer (buf, len);
 		if (GetStoreType () != NETDB_STORE_TYPE_ENCRYPTED_LEASESET2)
-			ReadFromBuffer (buf, len, false, verifySignature);
+			ReadFromBuffer (buf, len, dest, false, verifySignature);
 		// TODO: implement encrypted
 	}
 
@@ -312,7 +313,8 @@ namespace data
 		return ExtractPublishedTimestamp (buf, len, expiration) > m_PublishedTimestamp;
 	}
 
-	void LeaseSet2::ReadFromBuffer (const uint8_t * buf, size_t len, bool readIdentity, bool verifySignature)
+	void LeaseSet2::ReadFromBuffer (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest,
+		bool readIdentity, bool verifySignature)
 	{
 		// standard LS2 header
 		std::shared_ptr<const IdentityEx> identity;
@@ -350,7 +352,7 @@ namespace data
 		switch (m_StoreType)
 		{
 			case NETDB_STORE_TYPE_STANDARD_LEASESET2:
-				s = ReadStandardLS2TypeSpecificPart (buf + offset, len - offset);
+				s = ReadStandardLS2TypeSpecificPart (buf + offset, len - offset, dest);
 			break;
 			case NETDB_STORE_TYPE_META_LEASESET2:
 				s = ReadMetaLS2TypeSpecificPart (buf + offset, len - offset);
@@ -392,7 +394,8 @@ namespace data
 		return verified;
 	}
 
-	size_t LeaseSet2::ReadStandardLS2TypeSpecificPart (const uint8_t * buf, size_t len)
+	size_t LeaseSet2::ReadStandardLS2TypeSpecificPart (const uint8_t * buf, size_t len,
+		std::shared_ptr<LocalDestination> dest)
 	{
 		size_t offset = 0;
 		// properties
@@ -417,7 +420,8 @@ namespace data
 				if (keyType <= i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD) // skip PQ keys if not supported
 #endif			
 				{	
-					if (keyType <= preferredKeyType && (!m_Encryptor || keyType > m_EncryptionType))
+					if ((keyType == preferredKeyType || !m_Encryptor || keyType > m_EncryptionType) &&
+					    (!dest || dest->SupportsEncryptionType (keyType)))
 					{
 						auto encryptor = i2p::data::IdentityEx::CreateEncryptor (keyType, buf + offset);
 						if (encryptor)
@@ -498,7 +502,8 @@ namespace data
 		return offset;
 	}
 
-	void LeaseSet2::ReadFromBufferEncrypted (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key, const uint8_t * secret)
+	void LeaseSet2::ReadFromBufferEncrypted (const uint8_t * buf, size_t len, 
+		std::shared_ptr<const BlindedPublicKey> key, std::shared_ptr<LocalDestination> dest, const uint8_t * secret)
 	{
 		size_t offset = 0;
 		// blinded key
@@ -601,7 +606,7 @@ namespace data
 				m_StoreType = innerPlainText[0];
 				SetBuffer (innerPlainText.data () + 1, lenInnerPlaintext - 1);
 				// parse and verify Layer 2
-				ReadFromBuffer (innerPlainText.data () + 1, lenInnerPlaintext - 1);
+				ReadFromBuffer (innerPlainText.data () + 1, lenInnerPlaintext - 1, dest);
 			}
 			else
 				LogPrint (eLogError, "LeaseSet2: Unexpected LeaseSet type ", (int)innerPlainText[0], " inside encrypted LeaseSet");
diff --git a/libi2pd/LeaseSet.h b/libi2pd/LeaseSet.h
index f5197eb5..f6f5f6da 100644
--- a/libi2pd/LeaseSet.h
+++ b/libi2pd/LeaseSet.h
@@ -76,7 +76,7 @@ namespace data
 
 			LeaseSet (const uint8_t * buf, size_t len, bool storeLeases = true);
 			virtual ~LeaseSet () { delete[] m_EncryptionKey; delete[] m_Buffer; };
-			virtual void Update (const uint8_t * buf, size_t len, bool verifySignature = true);
+			virtual void Update (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest, bool verifySignature);
 			virtual bool IsNewer (const uint8_t * buf, size_t len) const;
 			void PopulateLeases (); // from buffer
 
@@ -155,15 +155,17 @@ namespace data
 		public:
 
 			LeaseSet2 (uint8_t storeType): LeaseSet (true), m_StoreType (storeType) {}; // for update
-			LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases = true, CryptoKeyType preferredCrypto = CRYPTO_KEY_TYPE_ECIES_X25519_AEAD);
-			LeaseSet2 (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key, const uint8_t * secret = nullptr, CryptoKeyType preferredCrypto = CRYPTO_KEY_TYPE_ECIES_X25519_AEAD); // store type 5, called from local netdb only
-			uint8_t GetStoreType () const { return m_StoreType; };
-			uint32_t GetPublishedTimestamp () const { return m_PublishedTimestamp; };
+			LeaseSet2 (uint8_t storeType, const uint8_t * buf, size_t len, bool storeLeases = true, 
+				std::shared_ptr<LocalDestination> dest = nullptr, CryptoKeyType preferredCrypto = CRYPTO_KEY_TYPE_ECIES_X25519_AEAD);
+			LeaseSet2 (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key, 
+				std::shared_ptr<LocalDestination> dest = nullptr, const uint8_t * secret = nullptr, CryptoKeyType preferredCrypto = CRYPTO_KEY_TYPE_ECIES_X25519_AEAD); // store type 5, called from local netdb only
+			uint8_t GetStoreType () const override { return m_StoreType; };
+			uint32_t GetPublishedTimestamp () const override { return m_PublishedTimestamp; };
 			bool IsPublic () const { return m_IsPublic; };
-			bool IsPublishedEncrypted () const { return m_IsPublishedEncrypted; };
-			std::shared_ptr<const i2p::crypto::Verifier> GetTransientVerifier () const { return m_TransientVerifier; };
-			void Update (const uint8_t * buf, size_t len, bool verifySignature);
-			bool IsNewer (const uint8_t * buf, size_t len) const;
+			bool IsPublishedEncrypted () const override { return m_IsPublishedEncrypted; };
+			std::shared_ptr<const i2p::crypto::Verifier> GetTransientVerifier () const override { return m_TransientVerifier; };
+			void Update (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest, bool verifySignature) override;
+			bool IsNewer (const uint8_t * buf, size_t len) const override;
 
 			// implements RoutingDestination
 			void Encrypt (const uint8_t * data, uint8_t * encrypted) const;
@@ -171,15 +173,17 @@ namespace data
 
 		private:
 
-			void ReadFromBuffer (const uint8_t * buf, size_t len, bool readIdentity = true, bool verifySignature = true);
-			void ReadFromBufferEncrypted (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key, const uint8_t * secret);
-			size_t ReadStandardLS2TypeSpecificPart (const uint8_t * buf, size_t len);
+			void ReadFromBuffer (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest,
+				bool readIdentity = true, bool verifySignature = true);
+			void ReadFromBufferEncrypted (const uint8_t * buf, size_t len, std::shared_ptr<const BlindedPublicKey> key, 
+				std::shared_ptr<LocalDestination> dest, const uint8_t * secret);
+			size_t ReadStandardLS2TypeSpecificPart (const uint8_t * buf, size_t len, std::shared_ptr<LocalDestination> dest);
 			size_t ReadMetaLS2TypeSpecificPart (const uint8_t * buf, size_t len);
 
 			template<typename Verifier>
 			bool VerifySignature (Verifier& verifier, const uint8_t * buf, size_t len, size_t signatureOffset);
 
-			uint64_t ExtractExpirationTimestamp (const uint8_t * buf, size_t len) const;
+			uint64_t ExtractExpirationTimestamp (const uint8_t * buf, size_t len) const override;
 			uint64_t ExtractPublishedTimestamp (const uint8_t * buf, size_t len, uint64_t& expiration) const;
 			size_t ExtractClientAuthData (const uint8_t * buf, size_t len, const uint8_t * secret, const uint8_t * subcredential, uint8_t * authCookie) const; // subcredential is subcredential + timestamp, return length of autData without flag
 
diff --git a/libi2pd/NetDb.cpp b/libi2pd/NetDb.cpp
index e53738e5..cab40e43 100644
--- a/libi2pd/NetDb.cpp
+++ b/libi2pd/NetDb.cpp
@@ -361,7 +361,7 @@ namespace data
 			{
 				if(it->second->GetExpirationTime() < expires)
 				{
-					it->second->Update (buf, len, false); // signature is verified already
+					it->second->Update (buf, len, nullptr, false); // signature is verified already
 					if (CheckLogLevel (eLogInfo))
 						LogPrint (eLogInfo, "NetDb: LeaseSet updated: ", ident.ToBase32());
 					updated = true;