diff --git a/cpp/src/csandbox.cc b/cpp/src/csandbox.cc
index 25de708a6707e55c775ed6fdf8f621833a5b0e8a..b6101f95b0638e92932a58599140295e224982ae 100644
--- a/cpp/src/csandbox.cc
+++ b/cpp/src/csandbox.cc
@@ -1,7 +1,10 @@
+#include "vereign/crypto/rand.hh"
 #include "vereign/kvstore/sqlite_storage.hh"
 #include <boost/core/ignore_unused.hpp>
 #include <iostream>
 #include <boost/filesystem.hpp>
+#include <openssl/digest.h>
+#include <openssl/evp.h>
 #include <vereign/core/string.hh>
 
 #include <vereign/bytes/view.hh>
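Review bot: The three added includes (`vereign/crypto/rand.hh`, `<openssl/digest.h>`, `<openssl/evp.h>`) appear to be unused, since the next hunk reduces `main` to two `ignore_unused` calls and `return 0;`. They look like leftovers from experimenting and could be dropped. Note also that `<openssl/digest.h>` is a BoringSSL header that upstream OpenSSL does not ship, so this file would only build against BoringSSL; `<openssl/evp.h>` alone declares `EVP_sha256()` on both.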
@@ -17,13 +20,5 @@ auto main(int argc, char** argv) -> int {
   boost::ignore_unused(argc);
   boost::ignore_unused(argv);
 
-  auto dir = fs::TempDir("trtr_");
-  auto rm = fs::RemoveAllGuard{dir};
-  std::cout << dir << std::endl;
-
-  std::ofstream f{fs::path::Join(dir, "hello")};
-  f << "ops";
-  f.close();
-
   return 0;
 }
diff --git a/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc b/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc
index d2278a6dad01e3016f8fce82f36bc4e24e15e230..940ccb5016ff1e780872451331847df63a8acab2 100644
--- a/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc
+++ b/cpp/src/vereign/kvstore/detail/base_crypto_storage.cc
@@ -17,7 +17,7 @@
 namespace {
 
   // FIXME: should these be injected and provided by the integrator
-  constexpr int tagSizeBytes = 64;
+  constexpr int tagSizeBytes = 16;
   constexpr int lockRetryCount = 10;
   constexpr auto lockRetrySleep = std::chrono::milliseconds{1000};
 }
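Review bot: `tagSizeBytes` drops from 64 to 16 with no format version or migration visible, so a record written with the old tag length would presumably fail authentication or be split at the wrong offset after an upgrade. The same concern applies to `saltSizeBytes` in linux_crypto_storage.cc and to the PBKDF2 switch from HMAC-SHA1 to HMAC-SHA256 in `CryptoStorageImpl::Open`, which derives a different key for the same pin and salt. How these constants are consumed lies outside the hunks, so this is inferred rather than confirmed. If existing stores must keep opening, persist a version or parameter marker with the data and select on it; otherwise state the break in the commit message. A comment on the constant would help, e.g. `// authentication tag length in bytes; part of the stored format, do not change without a migration`.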
diff --git a/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc b/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc
index 0d420f0ad7a2829a7c4f2d46c4170e7bbdc8ad56..03a6c26c3b8dba1e79492dec86c937aa8bc5901d 100644
--- a/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc
+++ b/cpp/src/vereign/kvstore/detail/linux_crypto_storage.cc
@@ -17,7 +17,7 @@
 namespace {
   // FIXME: should these be injected and provided by the integrator
   constexpr int iterations = 1 << 18;
-  constexpr int saltSizeBytes = 64;
+  constexpr int saltSizeBytes = 16;
   constexpr int aesKeySizeBytes = 32;
 
   constexpr int lockRetryCount = 10;
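Review bot: `iterations = 1 << 18` (262,144) stays unchanged while this commit moves the PRF to HMAC-SHA256 in `Open` and `Reset`. Because the secret is a user PIN, the work factor is the main barrier against offline guessing on a copied store, and current OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations. Consider raising the count and storing it next to the salt, so it can be increased later without locking out older stores. The new 16-byte salt sits at the 128-bit minimum from NIST SP 800-132, which is worth recording as `// 128-bit salt (NIST SP 800-132 minimum)`.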
@@ -44,12 +44,13 @@ void CryptoStorageImpl::Open(const std::string& pin) {
 
   bytes::Buffer key{aesKeySizeBytes};
 
-  int result = PKCS5_PBKDF2_HMAC_SHA1(
+  int result = PKCS5_PBKDF2_HMAC(
     pin.data(),
     pin.length(),
     salt.View().Data(),
     salt.View().Size(),
     iterations,
+    EVP_sha256(),
     key.FreeCap(),
     key.end()
   );
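Review bot: The new `PKCS5_PBKDF2_HMAC(..., EVP_sha256(), ...)` call here is repeated argument for argument in `CryptoStorageImpl::Reset`, and the two must stay identical or a store created by `Reset` cannot be opened by `Open`. Moving the derivation into one file-local helper in the anonymous namespace, taking the pin, the salt and the key buffer, would leave a single place to change the digest or the iteration count. Both function bodies start and end outside their hunks, so the check on `result` and whether `key` is wiped after use are not visible here.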
@@ -70,12 +71,13 @@ void CryptoStorageImpl::Reset(const std::string& pin) {
 
   bytes::Buffer key{aesKeySizeBytes};
 
-  int result = PKCS5_PBKDF2_HMAC_SHA1(
+  int result = PKCS5_PBKDF2_HMAC(
     pin.data(),
     pin.length(),
     salt.View().Data(),
     salt.View().Size(),
     iterations,
+    EVP_sha256(),
     key.FreeCap(),
     key.end()
   );