diff --git a/src/libexim-kitencrypt-dlfunc.c b/src/libexim-kitencrypt-dlfunc.c
index 85f50f9..a541698 100644
--- a/src/libexim-kitencrypt-dlfunc.c
+++ b/src/libexim-kitencrypt-dlfunc.c
@@ -4,15 +4,15 @@
 #include
 /* Local encryption key */
-#include "secretkey.h"
+#include "recipient_pk.h"
 /* Exim4 dlfunc API header */
 #include
 int kitencrypt(uschar **yield, int argc, uschar *argv[]) {
 int sinit;
- size_t inputlen;
- unsigned char * input;
+ size_t messagelen;
+ unsigned char * message;
 sinit = sodium_init();
 if (sinit == -1 ) {
@@ -24,18 +24,19 @@ int kitencrypt(uschar **yield, int argc, uschar *argv[]) {
 return ERROR;
 }
- input = argv[0];
- inputlen = strlen(input);
+ // get cleartext message
+ message = argv[0];
+ messagelen = strlen(message);
- unsigned char nonce[crypto_secretbox_NONCEBYTES];
- randombytes_buf(nonce, sizeof nonce);
-
- unsigned int cipherlen = inputlen + crypto_secretbox_MACBYTES;
+ // prepare buffer for ciphertext
+ unsigned int cipherlen = messagelen + crypto_box_SEALBYTES;
 unsigned char * ciphertext = malloc(cipherlen);
 explicit_bzero(ciphertext, cipherlen);
- crypto_secretbox_easy(ciphertext, input, inputlen, nonce, key);
+ // encrypt message
+ crypto_box_seal(ciphertext, message, messagelen, recipient_pk);
+ // base64-encode the ciphertext
 unsigned int outputsize = sodium_base64_ENCODED_LEN(cipherlen, sodium_base64_VARIANT_URLSAFE);
 unsigned char * outstring = malloc(outputsize);
 explicit_bzero(outstring, outputsize);
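Review bot: The context comment `/* Local encryption key */` directly above the changed include is now stale: with `recipient_pk.h` the file no longer compiles in a secret key but, judging by the name and its use in `crypto_box_seal`, the recipient's public key. I would reword it to `/* Recipient public key for sealed boxes (crypto_box_PUBLICKEYBYTES bytes) */` so nobody treats the header as a place for secret material. The header itself is not part of this diff; if `recipient_pk` is declared there as an array, a `_Static_assert(sizeof recipient_pk == crypto_box_PUBLICKEYBYTES, "bad public key length");` next to the include would catch a wrongly sized key at build time, since `crypto_box_seal` reads exactly that many bytes.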
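Review bot: `unsigned int cipherlen = messagelen + crypto_box_SEALBYTES;` narrows a `size_t` sum to `unsigned int`, so on an LP64 build a very long `argv[0]` would wrap the allocation size while `crypto_box_seal` still writes `messagelen + crypto_box_SEALBYTES` bytes into the buffer; the length should stay in `size_t`. In the same block both `malloc` results go straight into `explicit_bzero` without a NULL check, and the return value of `crypto_box_seal` is ignored, so a failed encryption would still be encoded and presumably handed back as if it had succeeded. The same narrowing applies to `outputsize`. The function continues past the end of the hunk, so the error returns sketched below need to match whatever cleanup and `*yield` handling the existing `return ERROR;` paths use.

```c
size_t cipherlen = messagelen + crypto_box_SEALBYTES;
unsigned char * ciphertext = malloc(cipherlen);
if (ciphertext == NULL) {
    return ERROR;
}
// … unchanged: explicit_bzero(ciphertext, cipherlen) …
if (crypto_box_seal(ciphertext, message, messagelen, recipient_pk) != 0) {
    free(ciphertext);
    return ERROR;
}
size_t outputsize = sodium_base64_ENCODED_LEN(cipherlen, sodium_base64_VARIANT_URLSAFE);
unsigned char * outstring = malloc(outputsize);
if (outstring == NULL) {
    free(ciphertext);
    return ERROR;
}
// … unchanged: explicit_bzero(outstring, outputsize) and the rest of the function …
```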