diff --git a/go.mod b/go.mod
index c410bef6..6899e418 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/elastic-agent-libs
-go 1.22.12
+go 1.24
 require (
 github.com/Microsoft/go-winio v0.5.2
@@ -20,7 +20,6 @@ require (
 go.elastic.co/ecszap v1.0.2
 go.elastic.co/go-licence-detector v0.6.0
 go.uber.org/zap v1.27.0
- golang.org/x/crypto v0.32.0
 golang.org/x/net v0.34.0
 golang.org/x/sys v0.29.0
 golang.org/x/text v0.21.0
@@ -53,6 +52,7 @@ require (
 go.opentelemetry.io/otel/metric v1.28.0 // indirect
 go.opentelemetry.io/otel/trace v1.28.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/crypto v0.32.0 // indirect
 golang.org/x/mod v0.17.0 // indirect
 golang.org/x/sync v0.10.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/keystore/file_keystore.go b/keystore/file_keystore.go
index 41236e5c..81512e50 100644
--- a/keystore/file_keystore.go
+++ b/keystore/file_keystore.go
@@ -21,6 +21,7 @@ import (
 "bytes"
 "crypto/aes"
 "crypto/cipher"
+ "crypto/pbkdf2"
 "crypto/rand"
 "crypto/sha512"
 "encoding/base64"
@@ -32,8 +33,6 @@ import (
 "runtime"
 "sync"
- "golang.org/x/crypto/pbkdf2"
-
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/file"
 )
@@ -81,7 +80,6 @@ func Factory(c *config.C, defaultPath string, strictPerms bool) (Keystore, error
 c = config.NewConfig()
 }
 err := c.Unpack(&cfg)
-
 if err != nil {
 return nil, fmt.Errorf("could not read keystore configuration, err: %w", err)
 }
@@ -330,7 +328,6 @@ func (k *FileKeystore) encrypt(reader io.Reader) (io.Reader, error) {
 // randomly generate the salt and the initialization vector, this information will be saved
 // on disk in the file as part of the header
 iv, err := randomBytes(iVLength)
-
 if err != nil {
 return nil, err
 }
@@ -342,7 +339,10 @@ func (k *FileKeystore) encrypt(reader io.Reader) (io.Reader, error) {
 // Stretch the user provided key
 password, _ := k.password.Get()
- passwordBytes := k.hashPassword(password, salt)
+ passwordBytes, err := k.hashPassword(password, salt)
+ if err != nil {
+ return nil, err
+ }
 // Select AES-256: because len(passwordBytes) == 32 bytes
 block, err := aes.NewCipher(passwordBytes)
@@ -388,7 +388,10 @@ func (k *FileKeystore) decrypt(reader io.Reader) (io.Reader, error) {
 encodedBytes := data[saltLength+iVLength:]
 password, _ := k.password.Get()
- passwordBytes := k.hashPassword(password, salt)
+ passwordBytes, err := k.hashPassword(password, salt)
+ if err != nil {
+ return nil, err
+ }
 block, err := aes.NewCipher(passwordBytes)
 if err != nil {
@@ -456,15 +459,14 @@ func (k *FileKeystore) ConfiguredPath() string {
 return k.Path
 }
-func (k *FileKeystore) hashPassword(password, salt []byte) []byte {
- return pbkdf2.Key(password, salt, iterationsCount, keyLength, sha512.New)
+func (k *FileKeystore) hashPassword(password, salt []byte) ([]byte, error) {
+ return pbkdf2.Key(sha512.New, string(password), salt, iterationsCount, keyLength)
 }
 // randomBytes return a slice of random bytes of the defined length
 func randomBytes(length int) ([]byte, error) {
 r := make([]byte, length)
 _, err := rand.Read(r)
-
 if err != nil {
 return nil, err
 }
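Review bot: The new error branch after `k.hashPassword(password, salt)` in encrypt returns the pbkdf2 error bare (`return nil, err`), whereas the rest of this file wraps errors with context (see the `fmt.Errorf("could not read keystore configuration, err: %w", err)` line in Factory); the decrypt hunk has the same bare return. Suggest `return nil, fmt.Errorf("could not derive keystore key: %w", err)` in both places so a key-derivation failure is distinguishable from the `aes.NewCipher` failure a few lines below. As far as I can tell, crypto/pbkdf2.Key in Go 1.24 only returns a non-nil error in FIPS 140-only mode (GODEBUG=fips140=only) when the salt, iteration count or output length fall below the FIPS minima, so it is worth confirming once that `saltLength`, `iterationsCount` and `keyLength` clear those bounds rather than discovering it through this branch at runtime. encrypt's body starts and ends outside the hunk.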
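Review bot: `string(password)` on the new hashPassword line copies the secret into an immutable string that cannot be zeroed, so if the caller wipes its password buffer after use that wipe no longer covers this copy; the Go 1.24 crypto/pbkdf2 API takes a string, so this deserves a comment rather than a change, e.g. `// NOTE: string(password) makes an un-wipeable copy of the secret; crypto/pbkdf2.Key requires a string.` The method also has no doc comment now that its contract changed to return an error; suggest `// hashPassword stretches the keystore password with PBKDF2-HMAC-SHA512 (iterationsCount rounds, keyLength-byte output) using salt, which decrypt must read back from the file header to derive the same key.` The receiver `k` is unused in the body, as it was before this change, so it could be dropped to `func (*FileKeystore) hashPassword(...)` without affecting callers.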