diff --git a/Cargo.lock b/Cargo.lock
index 5581ac0b..a1b55f2a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -167,22 +167,6 @@ dependencies = [
  "constant_time_eq",
 ]
 
-[[package]]
-name = "blake3"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "667d945f23cefed0b5f973af35c4bc3319caa6776fbda270e4897d8504afa8e4"
-dependencies = [
- "arrayref",
- "arrayvec",
- "cc",
- "cfg-if 0.1.10",
- "constant_time_eq",
- "crypto-mac 0.7.0",
- "digest 0.8.1",
- "rayon",
-]
-
 [[package]]
 name = "blake3"
 version = "0.3.8"
@@ -194,8 +178,9 @@ dependencies = [
  "cc",
  "cfg-if 0.1.10",
  "constant_time_eq",
- "crypto-mac 0.8.0",
+ "crypto-mac",
  "digest 0.9.0",
+ "rayon",
 ]
 
 [[package]]
@@ -314,9 +299,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e54ea8bc3fb1ee042f5aace6e3c6e025d3874866da222930f70ce62aceba0bfa"
+checksum = "fdbfe11fe19ff083c48923cf179540e8cd0535903dc35e178a1fdeeb59aef51f"
 dependencies = [
  "cfg-if 1.0.0",
  "crossbeam-utils",
@@ -335,10 +320,11 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-epoch"
-version = "0.9.7"
+version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c00d6d2ea26e8b151d99093005cb442fb9a37aeaca582a03ec70946f49ab5ed9"
+checksum = "1145cf131a2c6ba0615079ab6a638f7e1973ac9c2634fcbeaaad6114246efe8c"
 dependencies = [
+ "autocfg",
  "cfg-if 1.0.0",
  "crossbeam-utils",
  "lazy_static",
@@ -348,9 +334,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-utils"
-version = "0.8.7"
+version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5e5bed1f1c269533fa816a0a5492b3545209a205ca1a54842be180eb63a16a6"
+checksum = "0bf124c720b7686e3c2663cf54062ab0f68a88af2fb6a030e87e30bf721fcb38"
 dependencies = [
  "cfg-if 1.0.0",
  "lazy_static",
@@ -366,16 +352,6 @@ dependencies = [
  "typenum",
 ]
 
-[[package]]
-name = "crypto-mac"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5"
-dependencies = [
- "generic-array 0.12.4",
- "subtle 1.0.0",
-]
-
 [[package]]
 name = "crypto-mac"
 version = "0.8.0"
@@ -383,7 +359,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab"
 dependencies = [
  "generic-array 0.14.5",
- "subtle 2.4.1",
+ "subtle",
 ]
 
 [[package]]
@@ -412,7 +388,7 @@ checksum = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
 dependencies = [
  "block-buffer 0.10.2",
  "crypto-common",
- "subtle 2.4.1",
+ "subtle",
 ]
 
 [[package]]
@@ -426,10 +402,19 @@ dependencies = [
 ]
 
 [[package]]
-name = "dirs-sys"
-version = "0.3.6"
+name = "dirs"
+version = "3.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03d86534ed367a67548dc68113a0f5db55432fdfbb6e6f9d77704397d95d5780"
+checksum = "30baa043103c9d0c2a57cf537cc2f35623889dc0d405e6c3cccfadbc81c71309"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6"
 dependencies = [
  "libc",
  "redox_users",
@@ -469,6 +454,16 @@ dependencies = [
  "synstructure",
 ]
 
+[[package]]
+name = "error-chain"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d2f06b9cac1506ece98fe3231e3cc9c4410ec3d5b1f24ae1c8946f0742cdefc"
+dependencies = [
+ "backtrace",
+ "version_check 0.9.4",
+]
+
 [[package]]
 name = "failure"
 version = "0.1.8"
@@ -599,6 +594,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "httparse"
 version = "1.6.0"
@@ -653,12 +657,6 @@ dependencies = [
  "unicode-normalization",
 ]
 
-[[package]]
-name = "index-fixed"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4161ceaf2f41b6cd3f6502f5da085d4ad4393a51e0c70ed2fce1d5698d798fae"
-
 [[package]]
 name = "instant"
 version = "0.1.12"
@@ -697,9 +695,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
 [[package]]
 name = "libc"
-version = "0.2.119"
+version = "0.2.120"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bf2e165bb3457c8e098ea76f3e3bc9db55f87aa90d52d0e6be741470916aaa4"
+checksum = "ad5c14e80759d0939d013e6ca49930e59fc53dd8e5009132f76240c179380c09"
 
 [[package]]
 name = "libflate"
@@ -713,6 +711,18 @@ dependencies = [
  "take_mut",
 ]
 
+[[package]]
+name = "libsodium-sys"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6b779387cd56adfbc02ea4a668e704f729be8d6a6abd2c27ca5ee537849a92fd"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "walkdir",
+]
+
 [[package]]
 name = "log"
 version = "0.3.9"
@@ -752,6 +762,17 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "memsec"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2af4f95d8737f4ffafbd1fb3c703cdc898868a244a59786793cba0520ebdcbdd"
+dependencies = [
+ "getrandom 0.1.16",
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "mime"
 version = "0.2.6"
@@ -865,16 +886,49 @@ checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
 
 [[package]]
 name = "pkgar"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74003f2ac9baa8600352a677bd8763088cc35498a4364abe9ae5898832015bb9"
+checksum = "104bb0b89cb3244b3d99bb561ed56bb692584ec14333ee25b6e6e3f765a04a1c"
 dependencies = [
- "blake3 0.2.3",
+ "blake3",
  "clap",
+ "error-chain",
+ "pkgar-core",
+ "pkgar-keys",
  "plain",
- "rand 0.7.3",
- "rand_core 0.5.1",
- "sodalite",
+ "sodiumoxide",
+ "user-error",
+]
+
+[[package]]
+name = "pkgar-core"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c79d8984e1dae9d1bfc30b90ead1d5279b90da97c1e566da6ff2d087f03ee02"
+dependencies = [
+ "bitflags",
+ "blake3",
+ "plain",
+ "sodiumoxide",
+]
+
+[[package]]
+name = "pkgar-keys"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23c2343ced644887eedccd945bd629af7bb834159937f20a2a72fc35e525fe70"
+dependencies = [
+ "clap",
+ "dirs 3.0.2",
+ "error-chain",
+ "hex",
+ "lazy_static",
+ "seckey",
+ "serde",
+ "sodiumoxide",
+ "termion",
+ "toml 0.5.8",
+ "user-error",
 ]
 
 [[package]]
@@ -964,19 +1018,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "rand"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
-dependencies = [
- "getrandom 0.1.16",
- "libc",
- "rand_chacha 0.2.2",
- "rand_core 0.5.1",
- "rand_hc",
-]
-
 [[package]]
 name = "rand"
 version = "0.8.5"
@@ -984,20 +1025,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
  "libc",
- "rand_chacha 0.3.1",
+ "rand_chacha",
  "rand_core 0.6.3",
 ]
 
-[[package]]
-name = "rand_chacha"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
-dependencies = [
- "ppv-lite86",
- "rand_core 0.5.1",
-]
-
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -1023,15 +1054,6 @@ version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc"
 
-[[package]]
-name = "rand_core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
-dependencies = [
- "getrandom 0.1.16",
-]
-
 [[package]]
 name = "rand_core"
 version = "0.6.3"
@@ -1041,15 +1063,6 @@ dependencies = [
  "getrandom 0.2.5",
 ]
 
-[[package]]
-name = "rand_hc"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
-dependencies = [
- "rand_core 0.5.1",
-]
-
 [[package]]
 name = "rayon"
 version = "1.5.1"
@@ -1088,9 +1101,10 @@ dependencies = [
 name = "redox_cookbook"
 version = "0.1.0"
 dependencies = [
- "blake3 0.3.8",
+ "blake3",
  "pbr",
  "pkgar",
+ "pkgar-keys",
  "redoxer",
  "serde",
  "sha2",
@@ -1101,9 +1115,9 @@ dependencies = [
 
 [[package]]
 name = "redox_installer"
-version = "0.2.8"
+version = "0.2.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8feb7cd91040cf60d9663582304000838ced9dd3165b355d4f96292db5a98a47"
+checksum = "735a7bad71e93cda883318cf30f3bcd99830a79c7917e2b3d9da4c6d1d3567e4"
 dependencies = [
  "arg_parser",
  "failure",
@@ -1112,6 +1126,7 @@ dependencies = [
  "rand 0.8.5",
  "redox_liner",
  "redox_pkgutils",
+ "redox_syscall",
  "redoxfs",
  "rust-argon2",
  "serde",
@@ -1181,21 +1196,22 @@ dependencies = [
 
 [[package]]
 name = "redox_users"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "528532f3d801c87aec9def2add9ca802fe569e44a544afe633765267840abe64"
+checksum = "7776223e2696f1aa4c6b0170e83212f47296a00424305117d013dfe86fb0fe55"
 dependencies = [
  "getrandom 0.2.5",
  "redox_syscall",
+ "thiserror",
 ]
 
 [[package]]
 name = "redoxer"
-version = "0.2.24"
+version = "0.2.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "879e3c35af1aeeba2dc8f95ce2417861793324eac2742fdb8f533cd1ac8f113f"
+checksum = "62413f6255f2ba2489b1276bf9ac84970490a4f694d02df48b958af65ce2072a"
 dependencies = [
- "dirs",
+ "dirs 2.0.2",
  "proc-mounts",
  "redox_installer",
  "redox_syscall",
@@ -1345,6 +1361,16 @@ version = "4.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
 
+[[package]]
+name = "seckey"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33b371a3e46636d13277af1daacbecb6f5acbe653bd378a4822ecd1c67790fbb"
+dependencies = [
+ "getrandom 0.1.16",
+ "memsec",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.136"
@@ -1391,12 +1417,13 @@ dependencies = [
 ]
 
 [[package]]
-name = "sodalite"
-version = "0.3.0"
+name = "sodiumoxide"
+version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67643084c740297bac275b1d97901ec27ca5984be4e8f75d86a33498e0e3e61c"
+checksum = "7038b67c941e23501573cb7242ffb08709abe9b11eb74bceff875bbda024a6a8"
 dependencies = [
- "index-fixed",
+ "libc",
+ "libsodium-sys",
 ]
 
 [[package]]
@@ -1405,12 +1432,6 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
 
-[[package]]
-name = "subtle"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee"
-
 [[package]]
 name = "subtle"
 version = "2.4.1"
@@ -1419,9 +1440,9 @@ checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
 
 [[package]]
 name = "syn"
-version = "1.0.86"
+version = "1.0.89"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a65b3f4ffa0092e9887669db0eae07941f023991ab58ea44da8fe8e2d511c6b"
+checksum = "ea297be220d52398dcc07ce15a209fce436d361735ac1db700cab3b6cdfb9f54"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1501,6 +1522,26 @@ dependencies = [
  "unicode-width",
 ]
 
+[[package]]
+name = "thiserror"
+version = "1.0.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "854babe52e4df1653706b98fcfc05843010039b406875930a70e4d9644e5c417"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa32fd3f627f367fe16f893e2597ae3c05020f8bba2666a4e6ea73d377e5714b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "thread-scoped"
 version = "1.0.2"
@@ -1621,6 +1662,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "user-error"
+version = "1.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07a91d0648d862a02d641c82292791accfe66d36df75d8149ebc9768f2e36863"
+
 [[package]]
 name = "uuid"
 version = "0.5.1"
diff --git a/Cargo.toml b/Cargo.toml
index 0d4b32d3..f1d43249 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,8 +22,9 @@ path = "src/lib.rs"
 [dependencies]
 blake3 = "0.3.4"
 pbr = "1.0.2"
-pkgar = "0.1.6"
-redoxer = "0.2.24"
+pkgar = "0.1.7"
+pkgar-keys = "0.1.0"
+redoxer = "0.2.25"
 serde = { version = "1.0.110", features = ["derive"] }
 sha2 = "0.8.2"
 termion = "1.5.5"
diff --git a/cook.sh b/cook.sh
index a81505d1..5ac9471e 100755
--- a/cook.sh
+++ b/cook.sh
@@ -280,8 +280,8 @@ function op {
                         pkgar \
                             extract \
                             sysroot \
-                            --file "$REPO/$i.pkgar" \
-                            --public "${ROOT}/build/public.key"
+                            --archive "$REPO/$i.pkgar" \
+                            --pkey "${ROOT}/build/id_ed25519.pub.toml"
                     done
                 fi
 
@@ -441,19 +441,10 @@ function op {
             rm -rfv stage
             ;;
         pkg)
-            if [ ! -e "${ROOT}/build/secret.key" ]
-            then
-                mkdir -p "${ROOT}/build"
-                pkgar \
-                    keygen \
-                    --secret "${ROOT}/build/secret.key" \
-                    --public "${ROOT}/build/public.key"
-            fi
-
             pkgar \
                 create \
-                --secret "${ROOT}/build/secret.key" \
-                --file stage.pkgar \
+                --archive stage.pkgar \
+                --skey "${ROOT}/build/id_ed25519.toml" \
                 stage
             ;;
         unpkg)
diff --git a/src/bin/cook.rs b/src/bin/cook.rs
index 702ba8e6..1523db67 100644
--- a/src/bin/cook.rs
+++ b/src/bin/cook.rs
@@ -397,10 +397,10 @@ fn build(recipe_dir: &Path, source_dir: &Path, build: &BuildRecipe) -> Result<Pa
         create_dir(&sysroot_dir_tmp.join("lib"))?;
 
         for dependency in build.dependencies.iter() {
-            let public_path = "build/public.key";
+            let public_path = "build/id_ed25519.pub.toml";
             //TODO: sanitize name
             let archive_path = format!("recipes/{}/stage.pkgar", dependency);
-            pkgar::bin::extract(
+            pkgar::extract(
                 public_path,
                 &archive_path,
                 sysroot_dir_tmp.to_str().unwrap()
@@ -547,14 +547,19 @@ fi
 fn package(recipe_dir: &Path, stage_dir: &Path, package: &PackageRecipe) -> Result<PathBuf, String> {
     //TODO: metadata like dependencies, name, and version
 
-    let secret_path = "build/secret.key";
-    let public_path = "build/public.key";
+    let secret_path = "build/id_ed25519.toml";
+    let public_path = "build/id_ed25519.pub.toml";
     if ! Path::new(secret_path).is_file() || ! Path::new(public_path).is_file() {
         if ! Path::new("build").is_dir() {
             create_dir(Path::new("build"))?;
         }
-        pkgar::bin::keygen(secret_path, public_path).map_err(|err| format!(
-            "failed to generate pkgar keys: {:?}",
+        let (public_key, secret_key) = pkgar_keys::SecretKeyFile::new();
+        public_key.save(&public_path).map_err(|err| format!(
+            "failed to save pkgar public key: {:?}",
+            err
+        ))?;
+        secret_key.save(&secret_path).map_err(|err| format!(
+            "failed to save pkgar secret key: {:?}",
             err
         ))?;
     }
@@ -570,7 +575,7 @@ fn package(recipe_dir: &Path, stage_dir: &Path, package: &PackageRecipe) -> Resu
         }
     }
     if ! package_file.is_file() {
-        pkgar::bin::create(
+        pkgar::create(
             secret_path,
             package_file.to_str().unwrap(),
             stage_dir.to_str().unwrap()