diff --git a/Database.hs b/Database.hs
--- a/Database.hs
+++ b/Database.hs
@@ -23,9 +23,9 @@
 import           System.FilePath
 import           System.IO
 
-import           Crypto.Hash                (Digest, SHA1,
-                                             digestToHexByteString, hashlazy)
-import           Crypto.Types.PubKey.RSA    (PrivateKey, PublicKey)
+import           Crypto.Hash                (Digest, SHA1, hashlazy)
+import           Crypto.PubKey.RSA.Types    (PrivateKey, PublicKey)
+import           Data.ByteArray.Encoding    (Base (..), convertToBase)
 
 import           Lock
 import           Metagame
@@ -36,6 +36,7 @@
 sha1 = hashlazy
 hash :: String -> String
 hash = CS.unpack . digestToHexByteString . sha1 . CL.pack
+    where digestToHexByteString = convertToBase Base16
 
 data Record
     = RecPasswordLegacy Codename
diff --git a/Interact.hs b/Interact.hs
--- a/Interact.hs
+++ b/Interact.hs
@@ -35,9 +35,9 @@
 import           System.Directory
 import           System.FilePath
 
-import           Codec.Crypto.RSA           (encrypt)
-import           Crypto.Random              (SystemRandom, newGenIO)
-import           Crypto.Types.PubKey.RSA    (PublicKey)
+import           Crypto.Hash.Algorithms     (SHA256 (..))
+import           Crypto.PubKey.RSA.OAEP     (defaultOAEPParams, encrypt)
+import           Crypto.PubKey.RSA.Types    (PublicKey)
 
 import           AsciiLock
 import           Cache
@@ -789,9 +789,8 @@
 encryptPassword publicKey name password = msum
     [ MaybeT . liftIO .
         handle (\(e :: SomeException) -> return Nothing) $ do
-        g <- newGenIO :: IO SystemRandom
-        return . Just . CS.unpack . BL.toStrict . fst . encrypt g publicKey .
-            BL.fromStrict . CS.pack $ hashed
+        Right c <- encrypt (defaultOAEPParams SHA256) publicKey . CS.pack $ hashed
+        return . Just . CS.unpack $ c
     , confirmOrBail
         "Failed to encrypt password - send unencrypted?"
         >> return hashed
diff --git a/Protocol.hs b/Protocol.hs
--- a/Protocol.hs
+++ b/Protocol.hs
@@ -13,7 +13,7 @@
 import           Control.Monad
 import           Data.Binary
 
-import           Crypto.Types.PubKey.RSA (PublicKey)
+import           Crypto.PubKey.RSA.Types (PublicKey)
 
 import           BinaryInstances
 import           Lock
diff --git a/Server.hs b/Server.hs
--- a/Server.hs
+++ b/Server.hs
@@ -26,6 +26,7 @@
 import           Control.Monad.Trans.Reader
 import           Control.Monad.Trans.State
 import           Data.Array
+import           Data.Bifunctor             (bimap)
 import qualified Data.Binary                as B
 import qualified Data.ByteString.Char8      as CS
 import qualified Data.ByteString.Lazy       as BL
@@ -53,10 +54,10 @@
 import           Text.Feed.Import           (parseFeedFromFile)
 import qualified Text.XML                   as XML
 
-import           Codec.Crypto.RSA           (RSAError, decrypt, generateKeyPair)
 import qualified Crypto.Argon2              as A2
-import           Crypto.Random              (SystemRandom, newGenIO)
-import           Crypto.Types.PubKey.RSA    (PrivateKey, PublicKey)
+import           Crypto.Hash.Algorithms     (SHA256 (..))
+import           Crypto.PubKey.RSA          (generate)
+import           Crypto.PubKey.RSA.OAEP     (decrypt, defaultOAEPParams)
 
 import           Network.Mail.Mime          (plainPart)
 import qualified Network.Mail.SMTP          as SMTP
@@ -130,17 +131,16 @@
     alreadySet <- recordExists RecServerInfo
     unless alreadySet $ putRecord RecServerInfo (RCServerInfo $ defaultServerInfo locksize)
 
-rsaKeyLength = 2048
-
 setKeyPair :: DBM ()
 setKeyPair = do
     alreadySet <- recordExists RecPublicKey
     unless alreadySet $ do
-        g <- liftIO newGenIO :: DBM SystemRandom
-        let (publicKey, secretKey, _) = generateKeyPair g rsaKeyLength
+        (publicKey, secretKey) <- liftIO $ generate 256 65537
         putRecord RecPublicKey $ RCPublicKey publicKey
         putRecord RecSecretKey $ RCSecretKey secretKey
 
+-- Note: switching to cryptonite's argon2 implementation would not be
+-- straightforwardsly backwards-compatible, the output format is different.
 argon2 :: String -> ExceptT String IO String
 argon2 s = either (throwE . show) return $
         TSh.unpack <$> A2.hashEncoded hashOptions (CS.pack s) (CS.pack salt)
@@ -406,10 +406,9 @@
         decryptPassword :: String -> ExceptT String IO String
         decryptPassword pw = do
             RCSecretKey secretKey <- getRecordErrored RecSecretKey
-            liftIO $ evaluate (CS.unpack . BL.toStrict .
-                decrypt secretKey . BL.fromStrict . CS.pack $ pw)
+            ExceptT . return . bimap show CS.unpack .
+                decrypt Nothing (defaultOAEPParams SHA256) secretKey . CS.pack $ pw
                 -- <=intricacy-0.6.2 sends the hashed password unencrypted
-                `catch` \(e :: RSAError) -> return pw
         convertLegacyPW :: Codename -> IO ()
         convertLegacyPW name = void . runExceptT $ do
             RCPasswordLegacy legacyPw <- getRecordErrored (RecPasswordLegacy name)
diff --git a/Version.hs b/Version.hs
--- a/Version.hs
+++ b/Version.hs
@@ -11,4 +11,4 @@
 module Version where
 
 version :: String
-version = "0.7.2"
+version = "0.8.0.1"
diff --git a/intricacy.cabal b/intricacy.cabal
--- a/intricacy.cabal
+++ b/intricacy.cabal
@@ -1,6 +1,6 @@
 cabal-version:      >=1.10
 name:               intricacy
-version:            0.8.0
+version:            0.8.0.1
 license:            GPL-3
 license-file:       COPYING
 maintainer:         mbays@sdf.org
@@ -116,11 +116,9 @@
             vector >=0.9 && <0.13,
             binary >=0.5 && <0.9,
             network-fancy >=0.1.5 && <0.3,
-            cryptohash >=0.8 && <0.12,
-            safe >=0.2 && <0.4,
-            RSA >=2.0 && <2.5,
-            crypto-pubkey-types >=0.2 && <0.5,
-            crypto-api >=0.10 && <0.14
+            safe >=0.3.18 && <0.4,
+            memory >= 0.11 && <0.16,
+            cryptonite >= 0.16 && <0.28
 
         if !impl(ghc >=8.0)
             build-depends: semigroups ==0.18.*
@@ -220,10 +218,7 @@
             vector >=0.9 && <0.13,
             binary >=0.5 && <0.9,
             network-fancy >=0.1.5 && <0.3,
-            cryptohash >=0.8 && <0.12,
-            RSA >=2.0 && <2.5,
-            crypto-pubkey-types >=0.2 && <0.5,
-            crypto-api >=0.10 && <0.14,
+            safe >=0.3.18 && <0.4,
             random >=1.0 && <1.3,
             pipes >=4 && <4.4,
             feed >=1.1 && <1.4,
@@ -233,6 +228,8 @@
             text-short ==0.1.*,
             mime-mail >=0.4.4 && < 0.6,
             smtp-mail >=0.1.4.1 && < 0.4,
+            memory >= 0.11 && <0.16,
+            cryptonite >= 0.16 && <0.28,
             argon2 ==1.3.*
 
         if !impl(ghc >=8.0)
