diff --git a/system/clearpilot/dev/encrypt.sh b/system/clearpilot/dev/encrypt.sh
index 970de21..c391125 100755
--- a/system/clearpilot/dev/encrypt.sh
+++ b/system/clearpilot/dev/encrypt.sh
@@ -1,17 +1,19 @@
 #!/bin/bash
 
-dongle_id=$(cat /data/params/d/DongleId)
-if [[ ! $dongle_id == 90bb71* ]]; then
+# Uses hardware serial as identity check and encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+if [[ $serial != 3889765b ]]; then
+    echo "Wrong device (serial=$serial)"
     exit 1
 fi
 
 # Encrypt SSH keys if source files exist using the custom encrypt tool
-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa.pub ]; then
-   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519.pub ]; then
+   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt
 fi
 
-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa ]; then
-   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519 ]; then
+   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.cpt
 fi
 
 if [ -f /data/openpilot/system/clearpilot/dev/reverse_ssh ]; then
diff --git a/system/clearpilot/dev/id_ed25519.cpt b/system/clearpilot/dev/id_ed25519.cpt
new file mode 100644
index 0000000..ea4672b
Binary files /dev/null and b/system/clearpilot/dev/id_ed25519.cpt differ
diff --git a/system/clearpilot/dev/id_ed25519.pub.cpt b/system/clearpilot/dev/id_ed25519.pub.cpt
new file mode 100644
index 0000000..4ca9c65
--- /dev/null
+++ b/system/clearpilot/dev/id_ed25519.pub.cpt
@@ -0,0 +1,2 @@
+•í-À‘-j¦ñqã	A†3ä"|}ôÚÁñžš.\ñ`þQ¥¶ßA^´­Ð×~LìbýÊ	ÞÔm!Òzï[®Wí(¯«rýfo¼À˜¦Miê[&ÄoúÏV=ˆQ"2A“i8ÐpÀ­"Á!þ1­“æ–G:š4ïá<-Ý
+#
\ No newline at end of file
diff --git a/system/clearpilot/provision.sh b/system/clearpilot/provision.sh
index 24322b3..39ef21c 100644
--- a/system/clearpilot/provision.sh
+++ b/system/clearpilot/provision.sh
@@ -44,16 +44,18 @@ echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
 echo "Packages installed"
 
 # Decrypt and install SSH identity keys (for git auth)
-dongle_id=$(cat /data/params/d/DongleId 2>/dev/null)
+# Uses hardware serial from /proc/cmdline as device identity and decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
 ssh_dir="/data/ssh/.ssh"
-if [[ $dongle_id == 90bb71* ]] && [[ ! -f "$ssh_dir/id_rsa" || ! -f "$ssh_dir/id_rsa.pub" ]]; then
-    echo "Decrypting SSH identity keys..."
-    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.cpt /data/openpilot/system/clearpilot/dev/id_rsa
-    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt /data/openpilot/system/clearpilot/dev/id_rsa.pub
+if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
+    echo "Decrypting SSH identity keys (serial=$serial)..."
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt /data/openpilot/system/clearpilot/dev/id_ed25519
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt /data/openpilot/system/clearpilot/dev/id_ed25519.pub
     mkdir -p "$ssh_dir"
-    cp /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.pub "$ssh_dir"
+    cp /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.pub "$ssh_dir/"
     chmod 700 "$ssh_dir"
-    chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub"
+    chmod 600 "$ssh_dir/id_ed25519"
+    chmod 644 "$ssh_dir/id_ed25519.pub"
     echo "SSH identity keys installed to $ssh_dir"
 fi
 
diff --git a/system/clearpilot/tools/decrypt b/system/clearpilot/tools/decrypt
index a736b82..836cb95 100755
--- a/system/clearpilot/tools/decrypt
+++ b/system/clearpilot/tools/decrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"
 
-# Read DongleId for decryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"
 
 # Decrypt the file
-cat "$src" | ccrypt -d -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -d -k "$keyfile" > "$dest"
+rm -f "$keyfile"
diff --git a/system/clearpilot/tools/encrypt b/system/clearpilot/tools/encrypt
index 9496892..49b112e 100755
--- a/system/clearpilot/tools/encrypt
+++ b/system/clearpilot/tools/encrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"
 
-# Read DongleId for encryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"
 
 # Encrypt the file
-cat "$src" | ccrypt -e -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -e -k "$keyfile" > "$dest"
+rm -f "$keyfile"