diff --git a/app/services/session_encryptor.rb b/app/services/session_encryptor.rb
index ba062a76f88..0ed6926c024 100644
--- a/app/services/session_encryptor.rb
+++ b/app/services/session_encryptor.rb
@@ -1,25 +1,27 @@
 class SessionEncryptor
- def self.build_user_access_key
- key = Figaro.env.session_encryption_key
- UserAccessKey.new(password: key, salt: key)
+ def user_access_key
+ @user_access_key ||= begin
+ key = Figaro.env.session_encryption_key
+ uak = UserAccessKey.new(password: key, salt: key)
+ uak.random_r = OpenSSL::Digest::SHA256.digest(key)
+ uak
+ end
 end
- cattr_reader :user_access_key do
- build_user_access_key
- end
-
- def self.load(value)
+ def load(value)
 decrypted = encryptor.decrypt(value, user_access_key)
 JSON.parse(decrypted, quirks_mode: true).with_indifferent_access
 end
- def self.dump(value)
+ def dump(value)
 plain = JSON.generate(value, quirks_mode: true)
 encryptor.encrypt(plain, user_access_key)
 end
- def self.encryptor
+ private
+
+ def encryptor
 Pii::PasswordEncryptor.new
 end
 end
diff --git a/app/services/usps_confirmation_entry.rb b/app/services/usps_confirmation_entry.rb
index 2e90944da1e..34e925e5335 100644
--- a/app/services/usps_confirmation_entry.rb
+++ b/app/services/usps_confirmation_entry.rb
@@ -10,7 +10,7 @@
 :issuer
 ) do
 def self.user_access_key
- SessionEncryptor.user_access_key
+ SessionEncryptor.new.user_access_key
 end
 def self.encryptor
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index a2c3168f912..48f41bd95f8 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -14,7 +14,7 @@
 key_prefix: "#{Figaro.env.domain_name}:session:",
 url: Figaro.env.redis_url,
 },
- serializer: SessionEncryptor,
+ serializer: SessionEncryptor.new,
 }
 Rails.application.config.session_store :redis_session_store, options
diff --git a/spec/services/session_encryptor_spec.rb b/spec/services/session_encryptor_spec.rb
index 2e8b7026718..366e839850b 100644
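Review bot: In app/services/session_encryptor.rb, `user_access_key` now sets `random_r` to a bare SHA-256 of `session_encryption_key` while that same value is still passed as both `password:` and `salt:`, so every input to the key comes from one secret and nothing in the code says this is intended. If the goal is that separate instances and processes derive the same key (the new round-trip spec suggests so), state it above the assignment, e.g. `# random_r is derived from the key rather than random so every instance can decrypt the same sessions`. A labelled derivation such as `OpenSSL::HMAC.digest('SHA256', key, 'session-random-r')` (the label is illustrative) would keep `random_r` from being a plain hash of the value also used as password and salt.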
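Review bot: In app/services/usps_confirmation_entry.rb, `SessionEncryptor.new.user_access_key` builds a fresh encryptor on every call, so the `@user_access_key ||=` memoisation added in SessionEncryptor never takes effect here and the `UserAccessKey` is rebuilt each time; before this change the `cattr_reader` value was shared. If constructing a `UserAccessKey` stretches the password (not visible in this diff), that cost now lands on every call. Memoising at class level would restore the old behaviour, e.g. `@user_access_key ||= SessionEncryptor.new.user_access_key`. The enclosing `) do` block starts above the hunk and `self.encryptor` continues below it.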
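Review bot: In config/initializers/session_store.rb, `serializer: SessionEncryptor.new` creates the serializer at boot, but the key is only derived on the first `load` or `dump`, so a missing `session_encryption_key` would surface on a request instead of at startup; the removed `cattr_reader` block appears to have run when the class loaded. Deriving the key eagerly keeps that failure at boot, e.g. `serializer: SessionEncryptor.new.tap(&:user_access_key),`. The single instance is also shared by every request, which is safe only if `UserAccessKey` is not mutated during encrypt/decrypt; that class is not in this diff, so it is worth confirming. The options hash starts above the hunk.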
--- a/spec/services/session_encryptor_spec.rb
+++ b/spec/services/session_encryptor_spec.rb
@@ -3,24 +3,30 @@
 describe SessionEncryptor do
 describe '#load' do
 it 'decrypts encrypted session' do
- session = SessionEncryptor.dump(foo: 'bar')
+ session = SessionEncryptor.new.dump(foo: 'bar')
- expect(SessionEncryptor.load(session)).to eq('foo' => 'bar')
+ expect(SessionEncryptor.new.load(session)).to eq('foo' => 'bar')
 end
 end
+ it 'makes a round trip okay' do
+ encryptor1 = SessionEncryptor.new
+ encryptor2 = SessionEncryptor.new
+
+ encryptor1.load(encryptor1.dump('asdf' => '1234'))
+ encryptor2.load(encryptor2.dump('asdf' => '1234'))
+
+ payload = { 'hello' => 'world' }
+ encrypted_text = encryptor1.dump(payload)
+ expect(encryptor2.load(encrypted_text)).to eq(payload)
+ end
+
 describe '#dump' do
 it 'encrypts session' do
- session = SessionEncryptor.dump(foo: 'bar')
+ session = SessionEncryptor.new.dump(foo: 'bar')
 expect(session).to_not match 'foo'
 expect(session).to_not match 'bar'
 end
 end
-
- describe '#encryptor' do
- it 'is a Pii::Encryptor' do
- expect(SessionEncryptor.encryptor).to be_a Pii::Encryptor
- end
- end
 end
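Review bot: In the new 'makes a round trip okay' example, the two warm-up calls `encryptorN.load(encryptorN.dump('asdf' => '1234'))` assert nothing and carry no comment, so it is unclear what they guard against. If they are there to show that an instance whose key has already been used still interoperates with another instance, say so, e.g. `# use each key once first: cross-instance decryption must not depend on per-instance state`. A companion example asserting that `load` rejects a modified ciphertext would pin the behaviour the session store depends on; none is visible in this hunk.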