diff --git a/lib/ocrypto/asym_decryption.go b/lib/ocrypto/asym_decryption.go
index 1982b58dc7..768a651dba 100644
--- a/lib/ocrypto/asym_decryption.go
+++ b/lib/ocrypto/asym_decryption.go
@@ -107,8 +107,11 @@ type ECDecryptor struct {
 }
 
 func NewECDecryptor(sk *ecdh.PrivateKey) (ECDecryptor, error) {
-	// TK Make these reasonable? IIRC salt should be longer, info maybe a parameters?
-	salt := []byte("salt")
+	// TK Move salt and info out of library, into API option functions
+	digest := sha256.New()
+	digest.Write([]byte("TDF"))
+	salt := digest.Sum(nil)
+
 	return ECDecryptor{sk, salt, nil}, nil
 }
 
diff --git a/lib/ocrypto/asym_encryption.go b/lib/ocrypto/asym_encryption.go
index f8cfd68b95..ef251322a2 100644
--- a/lib/ocrypto/asym_encryption.go
+++ b/lib/ocrypto/asym_encryption.go
@@ -81,8 +81,10 @@ func FromPublicPEM(publicKeyInPem string) (PublicKeyEncryptor, error) {
 
 func newECIES(pub *ecdh.PublicKey) (ECEncryptor, error) {
 	ek, err := pub.Curve().GenerateKey(rand.Reader)
-	// TK Make these reasonable? IIRC salt should be longer, info maybe a parameters?
-	salt := []byte("salt")
+	// TK Move salt and info out of library, into API option functions
+	digest := sha256.New()
+	digest.Write([]byte("TDF"))
+	salt := digest.Sum(nil)
 	return ECEncryptor{pub, ek, salt, nil}, err
 }
 
diff --git a/sdk/kas_client.go b/sdk/kas_client.go
index 8c685f25af..cfa426e35c 100644
--- a/sdk/kas_client.go
+++ b/sdk/kas_client.go
@@ -2,6 +2,7 @@ package sdk
 
 import (
 	"context"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"net"
@@ -194,7 +195,11 @@ func (k *KASClient) handleECKeyResponse(response *kas.RewrapResponse) (map[strin
 	if err != nil {
 		return nil, fmt.Errorf("ocrypto.ComputeECDHKey failed: %w", err)
 	}
-	sessionKey, err := ocrypto.CalculateHKDF([]byte("salt"), ecdhKey)
+
+	digest := sha256.New()
+	digest.Write([]byte("TDF"))
+	salt := digest.Sum(nil)
+	sessionKey, err := ocrypto.CalculateHKDF(salt, ecdhKey)
 	if err != nil {
 		return nil, fmt.Errorf("ocrypto.CalculateHKDF failed: %w", err)
 	}
diff --git a/sdk/tdf.go b/sdk/tdf.go
index 87d853a46f..413603ae86 100644
--- a/sdk/tdf.go
+++ b/sdk/tdf.go
@@ -3,6 +3,7 @@ package sdk
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@@ -579,7 +580,10 @@ func generateWrapKeyWithEC(mode ocrypto.ECCMode, kasPublicKey string, symKey []b
 		return ecKeyWrappedKeyInfo{}, fmt.Errorf("ocrypto.ComputeECDHKey failed:%w", err)
 	}
 
-	sessionKey, err := ocrypto.CalculateHKDF([]byte("salt"), ecdhKey)
+	digest := sha256.New()
+	digest.Write([]byte("TDF"))
+	salt := digest.Sum(nil)
+	sessionKey, err := ocrypto.CalculateHKDF(salt, ecdhKey)
 	if err != nil {
 		return ecKeyWrappedKeyInfo{}, fmt.Errorf("ocrypto.CalculateHKDF failed:%w", err)
 	}