diff --git a/app/services/encryption/encryptors/pii_encryptor.rb b/app/services/encryption/encryptors/pii_encryptor.rb
index 2cc61810111..ccca310745b 100644
--- a/app/services/encryption/encryptors/pii_encryptor.rb
+++ b/app/services/encryption/encryptors/pii_encryptor.rb
@@ -38,7 +38,7 @@ def initialize(password)
 end
 def encrypt(plaintext)
- salt = Devise.friendly_token[0, 20]
+ salt = SecureRandom.hex(32)
 cost = Figaro.env.scrypt_cost
 aes_encryption_key = scrypt_password_digest(salt: salt, cost: cost)
 aes_encrypted_ciphertext = aes_cipher.encrypt(plaintext, aes_encryption_key)
@@ -61,7 +61,7 @@ def scrypt_password_digest(salt:, cost:)
 scrypt_salt = cost + OpenSSL::Digest::SHA256.hexdigest(salt)
 scrypted = SCrypt::Engine.hash_secret password, scrypt_salt, 32
 scrypt_password_digest = SCrypt::Password.new(scrypted).digest
- scrypt_password_digest[0...32]
+ [scrypt_password_digest].pack('H*')
 end
 end
 end
diff --git a/spec/services/encryption/encryptors/pii_encryptor_spec.rb b/spec/services/encryption/encryptors/pii_encryptor_spec.rb
index bc3d8440e2c..0533227d503 100644
--- a/spec/services/encryption/encryptors/pii_encryptor_spec.rb
+++ b/spec/services/encryption/encryptors/pii_encryptor_spec.rb
@@ -14,10 +14,11 @@
 end
 it 'uses the user access key encryptor to encrypt the plaintext' do
- salt = '0' * 20
- allow(Devise).to receive(:friendly_token).and_return(salt)
+ salt = '0' * 64
+ allow(SecureRandom).to receive(:hex).once.with(32).and_return(salt)
- scrypt_digest = '1' * 64
+ scrypt_digest = '31' * 32 # hex_encode('1111..')
+ decoded_scrypt_digest = '1' * 32
 scrypt_password = instance_double(SCrypt::Password)
 expect(scrypt_password).to receive(:digest).and_return(scrypt_digest)
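Review bot: In the `@@ -61,7 +61,7 @@` hunk, `[scrypt_password_digest].pack('H*')` derives a different AES key than the old `[0...32]` slice for the same password and salt, and nothing visible in this diff tells the two derivations apart at decrypt time. If any ciphertext was written under the old derivation it would stop decrypting, so confirm that none exists or add a version marker with a fallback to the old key. `pack('H*')` also does not raise on odd-length or non-hex input, so I would check the decoded key before returning it: `key = [scrypt_password_digest].pack('H*')`, then `raise ArgumentError, 'unexpected scrypt digest length' unless key.bytesize == 32`, then `key`. A one-line comment such as `# decode the hex digest to the raw 32-byte key` would record why the slice was replaced; the `def` line sits above the hunk.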
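Review bot: The encrypt example in `pii_encryptor_spec.rb` (and the decrypt example further down) stubs `SCrypt::Password#digest` with a hand-built hex string, so the spec never checks that the real scrypt output decodes to a 32-byte key. One example that runs the derivation without the scrypt doubles and asserts `expect(key.bytesize).to eq(32)` on the key handed to `cipher.encrypt` would pin the property this commit changes. The `it` block continues past the end of the hunk.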
@@ -26,7 +27,7 @@
 cipher = instance_double(Encryption::AesCipher)
 expect(Encryption::AesCipher).to receive(:new).and_return(cipher)
 expect(cipher).to receive(:encrypt).
- with(plaintext, scrypt_digest[0...32]).
+ with(plaintext, decoded_scrypt_digest).
 and_return('aes_ciphertext')
 kms_client = instance_double(Encryption::KmsClient)
@@ -63,10 +64,10 @@
 end
 it 'uses layered AES and KMS to decrypt the contents' do
- salt = '0' * 20
- allow(Devise).to receive(:friendly_token).and_return(salt)
+ salt = '0' * 64
- scrypt_digest = '1' * 64
+ scrypt_digest = '31' * 32 # hex_encode('1111..')
+ decoded_scrypt_digest = '1' * 32
 scrypt_password = instance_double(SCrypt::Password)
 expect(scrypt_password).to receive(:digest).and_return(scrypt_digest)
@@ -81,7 +82,7 @@
 cipher = instance_double(Encryption::AesCipher)
 expect(Encryption::AesCipher).to receive(:new).and_return(cipher)
 expect(cipher).to receive(:decrypt).
- with('aes_ciphertext', scrypt_digest[0...32]).
+ with('aes_ciphertext', decoded_scrypt_digest).
 and_return(plaintext)
 result = subject.decrypt({