diff --git a/cmd/init/main.go b/cmd/init/main.go
index ace12f7..e92b7b3 100644
--- a/cmd/init/main.go
+++ b/cmd/init/main.go
@@ -17,14 +17,12 @@
 package main
 
 import (
-	"io/ioutil"
+	"fmt"
 	"os"
-	"os/exec"
 	"os/signal"
 	"runtime/debug"
 	"smalltown/internal/network"
-	node2 "smalltown/internal/node"
-	"smalltown/internal/storage"
+	"smalltown/internal/node"
 	"smalltown/pkg/tpm"
 
 	"go.uber.org/zap"
@@ -38,6 +36,7 @@
 			debug.PrintStack()
 		}
 		unix.Sync()
+		// TODO: Switch this to Reboot when init panics are less likely
 		unix.Reboot(unix.LINUX_REBOOT_CMD_POWER_OFF)
 	}()
 	logger, err := zap.NewDevelopment()
@@ -64,85 +63,22 @@
 	signalChannel := make(chan os.Signal, 2)
 	signal.Notify(signalChannel)
 
-	if err := storage.FindPartitions(); err != nil {
-		logger.Panic("Failed to search for partitions", zap.Error(err))
-	}
-
-	if err := os.Mkdir("/esp", 0755); err != nil {
-		panic(err)
-	}
-
-	if err := unix.Mount(storage.ESPDevicePath, "/esp", "vfat", unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_SYNC, ""); err != nil {
-		logger.Panic("Failed to mount ESP partition", zap.Error(err))
-	}
-
 	if err := tpm.Initialize(logger.With(zap.String("component", "tpm"))); err != nil {
 		logger.Panic("Failed to initialize TPM 2.0", zap.Error(err))
 	}
 
-	// TODO(lorenz): This really doesn't belong here and needs to be asynchronous as well
-	var keyLocation = "/esp/EFI/smalltown/data-key.bin"
-	sealedKeyFile, err := os.Open(keyLocation)
-	if os.IsNotExist(err) {
-		logger.Info("Initializing encrypted storage, this might take a while...")
-		key, err := tpm.GenerateSafeKey(256 / 8)
-		if err != nil {
-			panic(err)
-		}
-		sealedKey, err := tpm.Seal(key, tpm.SecureBootPCRs)
-		if err != nil {
-			panic(err)
-		}
-		if err := storage.InitializeEncryptedBlockDevice("data", storage.SmalltownDataCryptPath, key); err != nil {
-			panic(err)
-		}
-		mkfsCmd := exec.Command("/bin/mkfs.xfs", "-qf", "/dev/data")
-		if _, err := mkfsCmd.Output(); err != nil {
-			panic(err)
-		}
-		// Existence of this file indicates that the encrypted storage has been successfully initialized
-		if err := ioutil.WriteFile(keyLocation, sealedKey, 0600); err != nil {
-			panic(err)
-		}
-		logger.Info("Initialized encrypted storage")
-	} else if err != nil {
-		panic(err)
-	} else {
-		sealedKey, err := ioutil.ReadAll(sealedKeyFile)
-		if err != nil {
-			panic(err)
-		}
-		key, err := tpm.Unseal(sealedKey)
-		if err != nil {
-			panic(err)
-		}
-		if err := storage.MapEncryptedBlockDevice("data", storage.SmalltownDataCryptPath, key); err != nil {
-			panic(err)
-		}
-		logger.Info("Opened encrypted storage")
-	}
-	sealedKeyFile.Close()
-
-	if err := os.Mkdir("/data", 0755); err != nil {
-		panic(err)
-	}
-
-	if err := unix.Mount("/dev/data", "/data", "xfs", unix.MS_NOEXEC|unix.MS_NODEV, ""); err != nil {
-		panic(err)
-	}
-
 	networkSvc, err := network.NewNetworkService(network.Config{}, logger.With(zap.String("component", "network")))
 	if err != nil {
 		panic(err)
 	}
 	networkSvc.Start()
 
-	node, err := node2.NewSmalltownNode(logger, "/esp/EFI/smalltown", "/data", 7833, 7834)
+	nodeInstance, err := node.NewSmalltownNode(logger, 7833, 7834)
 	if err != nil {
 		panic(err)
 	}
 
-	err = node.Start()
+	err = nodeInstance.Start()
 	if err != nil {
 		panic(err)
 	}
diff --git a/cmd/mkimage/main.go b/cmd/mkimage/main.go
index 78eccfb..650cfd1 100644
--- a/cmd/mkimage/main.go
+++ b/cmd/mkimage/main.go
@@ -20,14 +20,11 @@
 	"fmt"
 	"io/ioutil"
 	"os"
-	"smalltown/generated/common"
-	"smalltown/internal/config"
 
 	"github.com/diskfs/go-diskfs"
 	"github.com/diskfs/go-diskfs/disk"
 	"github.com/diskfs/go-diskfs/filesystem"
 	"github.com/diskfs/go-diskfs/partition/gpt"
-	"github.com/naoina/toml"
 )
 
 var SmalltownDataPartition gpt.Type = gpt.Type("9eeec464-6885-414a-b278-4305c51f7966")
@@ -36,13 +33,6 @@
 	return (size * 1024 * 1024) / 512
 }
 
-var cfg = config.Config{
-	NodeName:      "smalltown-testing",
-	DataDirectory: "/data",
-	ExternalHost:  "",
-	TrustBackend:  common.TrustBackend_DUMMY,
-}
-
 func main() {
 	if len(os.Args) < 3 {
 		fmt.Println("Usage: mkimage <UEFI payload> <image path>")
@@ -114,16 +104,6 @@
 		fmt.Printf("Failed to write EFI payload: %v", err)
 		os.Exit(1)
 	}
-	configFile, err := fs.OpenFile("/EFI/smalltown/config.toml", os.O_CREATE|os.O_RDWR)
-	if err != nil {
-		fmt.Printf("Failed to open config for writing: %v", err)
-		os.Exit(1)
-	}
-	configData, _ := toml.Marshal(cfg)
-	if _, err := configFile.Write(configData); err != nil {
-		fmt.Printf("Failed to write config: %v", err)
-		os.Exit(1)
-	}
 	if err := diskImg.File.Close(); err != nil {
 		fmt.Printf("Failed to write image: %v", err)
 		os.Exit(1)
diff --git a/internal/storage/data.go b/internal/storage/data.go
index 30c6686..2ffd180 100644
--- a/internal/storage/data.go
+++ b/internal/storage/data.go
@@ -16,3 +16,150 @@
 
 package storage
 
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"smalltown/internal/common"
+	"smalltown/pkg/tpm"
+	"sync"
+
+	"go.uber.org/zap"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	dataMountPath         = "/data"
+	espMountPath          = "/esp"
+	espDataPath           = espMountPath + "/EFI/smalltown"
+	etcdSealedKeyLocation = espDataPath + "/data-key.bin"
+)
+
+type Manager struct {
+	logger              *zap.Logger
+	dataReady           bool
+	initializationError error
+	mutex               sync.RWMutex
+}
+
+func Initialize(logger *zap.Logger) (*Manager, error) {
+	if err := FindPartitions(); err != nil {
+		return nil, err
+	}
+
+	if err := os.Mkdir("/esp", 0755); err != nil {
+		return nil, err
+	}
+
+	// We're mounting ESP sync for reliability, this lowers our chances of getting half-written files
+	if err := unix.Mount(ESPDevicePath, espMountPath, "vfat", unix.MS_NOEXEC|unix.MS_NODEV|unix.MS_SYNC, ""); err != nil {
+		return nil, err
+	}
+
+	manager := &Manager{
+		logger:    logger,
+		dataReady: false,
+	}
+
+	manager.mutex.Lock()
+	defer manager.mutex.Unlock()
+
+	sealedKeyFile, err := os.Open(etcdSealedKeyLocation)
+	if os.IsNotExist(err) {
+		logger.Info("Initializing encrypted storage, this might take a while...")
+		go manager.initializeData()
+	} else if err != nil {
+		return nil, err
+	} else {
+		sealedKey, err := ioutil.ReadAll(sealedKeyFile)
+		sealedKeyFile.Close()
+		if err != nil {
+			return nil, err
+		}
+		key, err := tpm.Unseal(sealedKey)
+		if err != nil {
+			return nil, err
+		}
+		if err := MapEncryptedBlockDevice("data", SmalltownDataCryptPath, key); err != nil {
+			return nil, err
+		}
+		if err := manager.mountData(); err != nil {
+			return nil, err
+		}
+		logger.Info("Mounted encrypted storage")
+	}
+	return manager, nil
+}
+
+func (s *Manager) initializeData() {
+	key, err := tpm.GenerateSafeKey(256 / 8)
+	if err != nil {
+		s.logger.Error("Failed to generate master key", zap.Error(err))
+		s.initializationError = fmt.Errorf("Failed to generate master key: %w", err)
+		return
+	}
+	sealedKey, err := tpm.Seal(key, tpm.FullSystemPCRs)
+	if err != nil {
+		s.logger.Error("Failed to seal master key", zap.Error(err))
+		s.initializationError = fmt.Errorf("Failed to seal master key: %w", err)
+		return
+	}
+	if err := InitializeEncryptedBlockDevice("data", SmalltownDataCryptPath, key); err != nil {
+		s.logger.Error("Failed to initialize encrypted block device", zap.Error(err))
+		s.initializationError = fmt.Errorf("Failed to initialize encrypted block device: %w", err)
+		return
+	}
+	mkfsCmd := exec.Command("/bin/mkfs.xfs", "-qf", "/dev/data")
+	if _, err := mkfsCmd.Output(); err != nil {
+		s.logger.Error("Failed to format encrypted block device", zap.Error(err))
+		s.initializationError = fmt.Errorf("Failed to format encrypted block device: %w", err)
+		return
+	}
+	// This file is the marker if the partition has
+	if err := ioutil.WriteFile(etcdSealedKeyLocation, sealedKey, 0600); err != nil {
+		panic(err)
+	}
+
+	if err := s.mountData(); err != nil {
+		s.initializationError = err
+		return
+	}
+
+	s.mutex.Lock()
+	s.dataReady = true
+	s.mutex.Unlock()
+
+	s.logger.Info("Initialized encrypted storage")
+}
+
+func (s *Manager) mountData() error {
+	if err := os.Mkdir("/data", 0755); err != nil {
+		return err
+	}
+
+	if err := unix.Mount("/dev/data", "/data", "xfs", unix.MS_NOEXEC|unix.MS_NODEV, ""); err != nil {
+		return err
+	}
+	return nil
+}
+
+// GetPathInPlace returns a path in the given place
+// It may return ErrNotInitialized if the place you're trying to access
+// is not initialized or ErrUnknownPlace if the place is not known
+func (s *Manager) GetPathInPlace(place common.DataPlace, path string) (string, error) {
+	s.mutex.RLock()
+	defer s.mutex.RUnlock()
+	switch place {
+	case common.PlaceESP:
+		return filepath.Join(espDataPath, path), nil
+	case common.PlaceData:
+		if s.dataReady {
+			return filepath.Join(dataMountPath, path), nil
+		}
+		return "", common.ErrNotInitialized
+	default:
+		return "", common.ErrUnknownPlace
+	}
+}
diff --git a/internal/storage/xfs.go b/internal/storage/xfs.go
new file mode 100644
index 0000000..30c6686
--- /dev/null
+++ b/internal/storage/xfs.go
@@ -0,0 +1,18 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package storage
+