diff --git a/bin/node b/bin/node
index aeed5462..823ab159 100755
--- a/bin/node
+++ b/bin/node
@@ -10,7 +10,7 @@ process.on('uncaughtException', function(err) {
 });
 
 var node = bcoin.fullnode({
-  passphrase: 'node',
+  // passphrase: 'node',
   prune: process.argv.indexOf('--prune') !== -1,
   useCheckpoints: process.argv.indexOf('--checkpoints') !== -1,
   listen: process.argv.indexOf('--listen') !== -1,
diff --git a/bin/spvnode b/bin/spvnode
index 6bb6014f..00ba7ef4 100755
--- a/bin/spvnode
+++ b/bin/spvnode
@@ -5,7 +5,7 @@ var utils = bcoin.utils;
 var assert = utils.assert;
 
 var node = bcoin.spvnode({
-  passphrase: 'node',
+  // passphrase: 'node',
   preload: process.argv.indexOf('--preload') !== -1,
   useCheckpoints: process.argv.indexOf('--checkpoints') !== -1
 });
diff --git a/lib/bcoin/hd.js b/lib/bcoin/hd.js
index ce31da16..512a3442 100644
--- a/lib/bcoin/hd.js
+++ b/lib/bcoin/hd.js
@@ -863,14 +863,14 @@ HDPrivateKey.prototype.toJSON = function toJSON(passphrase) {
     json.encrypted = passphrase ? true : false;
     if (this.mnemonic) {
       json.phrase = passphrase
-        ? utils.encrypt(this.mnemonic.phrase, passphrase)
+        ? utils.encrypt(this.mnemonic.phrase, passphrase).toString('hex')
         : this.mnemonic.phrase;
       json.passphrase = passphrase
-        ? utils.encrypt(this.mnemonic.passphrase, passphrase)
+        ? utils.encrypt(this.mnemonic.passphrase, passphrase).toString('hex')
         : this.mnemonic.passphrase;
     }
     json.xprivkey = passphrase
-      ? utils.encrypt(this.xprivkey, passphrase)
+      ? utils.encrypt(this.xprivkey, passphrase).toString('hex')
       : this.xprivkey;
     return json;
   }
@@ -898,10 +898,10 @@ HDPrivateKey.parseJSON = function parseJSON(json, passphrase) {
   if (json.phrase) {
     data.mnemonic = {
       phrase: json.encrypted
-        ? utils.decrypt(json.phrase, passphrase)
+        ? utils.decrypt(json.phrase, passphrase).toString('utf8')
         : json.phrase,
       passphrase: json.encrypted
-        ? utils.decrypt(json.passphrase, passphrase)
+        ? utils.decrypt(json.passphrase, passphrase).toString('utf8')
         : json.passphrase
     };
     if (!json.xprivkey)
@@ -910,7 +910,7 @@ HDPrivateKey.parseJSON = function parseJSON(json, passphrase) {
 
   if (json.xprivkey) {
     data.xprivkey = json.encrypted
-      ? utils.decrypt(json.xprivkey, passphrase)
+      ? utils.decrypt(json.xprivkey, passphrase).toString('utf8')
       : json.xprivkey;
     return data;
   }
diff --git a/lib/bcoin/keypair.js b/lib/bcoin/keypair.js
index 1674d78a..51bec7e6 100644
--- a/lib/bcoin/keypair.js
+++ b/lib/bcoin/keypair.js
@@ -207,7 +207,7 @@ KeyPair.prototype.toJSON = function toJSON(passphrase) {
 
   if (this.key.privateKey) {
     json.privateKey = passphrase
-      ? utils.encrypt(this.toSecret(), passphrase)
+      ? utils.encrypt(this.toSecret(), passphrase).toString('hex')
       : this.toSecret();
     return json;
   }
@@ -237,7 +237,7 @@ KeyPair.parseJSON = function parseJSON(json, passphrase) {
   if (json.privateKey) {
     privateKey = json.privateKey;
     if (json.encrypted)
-      privateKey = utils.decrypt(privateKey, passphrase);
+      privateKey = utils.decrypt(privateKey, passphrase).toString('utf8');
     return KeyPair.parseSecret(privateKey);
   }
 
diff --git a/lib/bcoin/utils.js b/lib/bcoin/utils.js
index c5148bde..81b29f14 100644
--- a/lib/bcoin/utils.js
+++ b/lib/bcoin/utils.js
@@ -363,72 +363,64 @@ utils.pbkdf2 = function pbkdf2(key, salt, iterations, dkLen) {
  * @const
  */
 
-utils.salt = 'bcoin:';
+utils.salt = new Buffer('bcoin:', 'ascii');
 
 /**
- * Encrypt a string.
- * @param {String} data
+ * Encrypt with aes-256-cbc.
+ * @param {Buffer|String} data
  * @param {String} passphrase
- * @returns {String} Hex string.
+ * @returns {Buffer} Hex string.
  * @throws on no passphrase
  */
 
 utils.encrypt = function encrypt(data, passphrase) {
   var cipher, out;
 
-  if (!crypto)
-    return data;
+  assert(crypto, 'No crypto module available.');
+  assert(passphrase, 'No passphrase.');
 
-  if (data[0] === ':')
-    return data;
-
-  if (!passphrase)
-    throw new Error('No passphrase.');
+  if (typeof data === 'string')
+    data = new Buffer(data, 'utf8');
 
   cipher = crypto.createCipher('aes-256-cbc', passphrase);
 
-  out = '';
-  out += cipher.update(utils.salt + data, 'utf8', 'hex');
-  out += cipher.final('hex');
+  out = Buffer.concat([
+    cipher.update(utils.salt),
+    cipher.update(data),
+    cipher.final()
+  ]);
 
-  return ':' + out;
+  return out;
 };
 
 /**
- * Decrypt an encrypted hex string.
- * @param {String} data - Hex string.
+ * Decrypt from aes-256-cbc.
+ * @param {Buffer|String} data
  * @param {String} passphrase
- * @returns {String}
+ * @returns {Buffer}
  * @throws on bad decrypt.
  */
 
 utils.decrypt = function decrypt(data, passphrase) {
   var decipher, out;
 
-  if (!crypto) {
-    if (data[0] === ':')
-      throw new Error('Cannot decrypt.');
-    return data;
-  }
+  assert(crypto, 'No crypto module available.');
+  assert(passphrase, 'No passphrase.');
 
-  if (data[0] !== ':')
-    return data;
-
-  if (!passphrase)
-    throw new Error('No passphrase.');
-
-  data = data.substring(1);
+  if (typeof data === 'string')
+    data = new Buffer(data, 'hex');
 
   decipher = crypto.createDecipher('aes-256-cbc', passphrase);
 
-  out = '';
-  out += decipher.update(data, 'hex', 'utf8');
-  out += decipher.final('utf8');
+  out = Buffer.concat([
+    decipher.update(data),
+    decipher.final()
+  ]);
 
-  if (out.indexOf(utils.salt) !== 0)
+  if (utils.icmp(out, utils.salt, 0) !== 0)
     throw new Error('Decrypt failed.');
 
-  out = out.substring(utils.salt.length);
+  out = out.slice(utils.salt.length);
 
   return out;
 };