diff --git a/Gopkg.toml b/Gopkg.toml
index 2f651bc..f5d2d10 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -25,6 +25,10 @@
 #   unused-packages = true
 
 
+[[constraint]]
+  name = "github.com/Luzifer/go-openssl"
+  version = "3.0.0"
+
 [[constraint]]
   name = "github.com/Luzifer/rconfig"
   version = "1.1.0"
diff --git a/decryption.go b/decryption.go
index 477a1f4..779f345 100644
--- a/decryption.go
+++ b/decryption.go
@@ -6,9 +6,10 @@ import (
 	"io"
 	"io/ioutil"
 
-	openssl "github.com/Luzifer/go-openssl"
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/crypto/openpgp/armor"
+
+	openssl "github.com/Luzifer/go-openssl"
 )
 
 type decryptMethod func(body []byte, passphrase string) ([]byte, error)
@@ -20,7 +21,10 @@ func decryptMethodFromName(name string) (decryptMethod, error) {
 		return decryptGPGSymmetric, nil
 
 	case "openssl-md5":
-		return decryptOpenSSLMD5, nil
+		return decryptOpenSSL(openssl.DigestMD5Sum), nil
+
+	case "openssl-sha256":
+		return decryptOpenSSL(openssl.DigestSHA256Sum), nil
 
 	default:
 		return nil, fmt.Errorf("Decrypt method %q not found", name)
@@ -56,6 +60,8 @@ func decryptGPGSymmetric(body []byte, passphrase string) ([]byte, error) {
 	return ioutil.ReadAll(md.UnverifiedBody)
 }
 
-func decryptOpenSSLMD5(body []byte, passphrase string) ([]byte, error) {
-	return openssl.New().DecryptString(cfg.Password, string(body))
+func decryptOpenSSL(kdf openssl.DigestFunc) decryptMethod {
+	return func(body []byte, passphrase string) ([]byte, error) {
+		return openssl.New().DecryptBytes(cfg.Password, body, kdf)
+	}
 }
diff --git a/main.go b/main.go
index 866643a..bfdeed8 100644
--- a/main.go
+++ b/main.go
@@ -7,14 +7,15 @@ import (
 	"os/exec"
 	"strings"
 
-	"github.com/Luzifer/rconfig"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/Luzifer/rconfig"
 )
 
 var (
 	cfg = struct {
 		CleanEnv         bool   `flag:"clean" default:"false" description:"Do not pass current environment to child process"`
-		EncryptionMethod string `flag:"encryption" default:"openssl-md5" description:"Encryption method used for encrypted env-file (Available: gpg-symmetric, openssl-md5)"`
+		EncryptionMethod string `flag:"encryption" default:"openssl-md5" description:"Encryption method used for encrypted env-file (Available: gpg-symmetric, openssl-md5, openssl-sha256)"`
 		EnvFile          string `flag:"env-file" default:".env" description:"Location of the environment file"`
 		LogLevel         string `flag:"log-level" default:"info" description:"Log level (debug, info, warn, error, fatal)"`
 		PasswordFile     string `flag:"password-file" default:"" description:"Read encryption key from file"`