diff --git a/Cargo.lock b/Cargo.lock
index 09c2c8aa2..f0f46950c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -812,11 +812,12 @@ checksum = "9b7820b9daea5457c9f21c69448905d723fbd21136ccf521748f23fd49e723ee"
 
 [[package]]
 name = "pbkdf2"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83a0692ec44e4cf1ef28ca317f14f8f07da2d95ec3fa01f86e4467b725e60917"
+checksum = "f0ca0b5a68607598bf3bad68f32227a8164f6254833f84eafaac409cd6746c31"
 dependencies = [
  "digest",
+ "hmac",
 ]
 
 [[package]]
@@ -864,7 +865,6 @@ dependencies = [
  "der",
  "des",
  "hex-literal",
- "hmac",
  "pbkdf2",
  "scrypt",
  "sha1",
@@ -1184,11 +1184,10 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
 [[package]]
 name = "scrypt"
-version = "0.10.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f9e24d2b632954ded8ab2ef9fea0a0c769ea56ea98bddbafbad22caeeadf45d"
+checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f"
 dependencies = [
- "hmac",
  "pbkdf2",
  "salsa20",
  "sha2",
diff --git a/pkcs5/Cargo.toml b/pkcs5/Cargo.toml
index de054abd4..0dd9e9a86 100644
--- a/pkcs5/Cargo.toml
+++ b/pkcs5/Cargo.toml
@@ -22,9 +22,8 @@ spki = { version = "0.7", path = "../spki" }
 cbc = { version = "0.1.2", optional = true }
 aes = { version = "0.8.2", optional = true, default-features = false }
 des = { version = "0.8.1", optional = true, default-features = false }
-hmac = { version = "0.12.1", optional = true, default-features = false }
-pbkdf2 = { version = "0.11", optional = true, default-features = false }
-scrypt = { version = "0.10", optional = true, default-features = false }
+pbkdf2 = { version = "0.12.1", optional = true, default-features = false }
+scrypt = { version = "0.11", optional = true, default-features = false }
 sha1 = { version = "0.10.1", optional = true, default-features = false }
 sha2 = { version = "0.10.2", optional = true, default-features = false }
 
@@ -33,10 +32,10 @@ hex-literal = "0.3"
 
 [features]
 alloc = []
-3des = ["pbes2", "des"]
-des-insecure = ["pbes2", "des"]
-pbes2 = ["aes", "cbc", "hmac", "pbkdf2", "scrypt", "sha2"]
-sha1-insecure = ["pbes2", "sha1"]
+3des = ["dep:des", "pbes2"]
+des-insecure = ["dep:des", "pbes2"]
+pbes2 = ["dep:aes", "dep:cbc", "dep:pbkdf2", "dep:scrypt", "dep:sha2"]
+sha1-insecure = ["dep:sha1", "pbes2"]
 
 [package.metadata.docs.rs]
 all-features = true
diff --git a/pkcs5/src/lib.rs b/pkcs5/src/lib.rs
index 5cf1f0897..08993c245 100644
--- a/pkcs5/src/lib.rs
+++ b/pkcs5/src/lib.rs
@@ -39,6 +39,9 @@ use der::{
     Decode, DecodeValue, Encode, EncodeValue, Header, Length, Reader, Sequence, Tag, Writer,
 };
 
+#[cfg(feature = "pbes2")]
+pub use scrypt;
+
 #[cfg(all(feature = "alloc", feature = "pbes2"))]
 use alloc::vec::Vec;
 
diff --git a/pkcs5/src/pbes2.rs b/pkcs5/src/pbes2.rs
index 2d3e5dc9c..301105cc2 100644
--- a/pkcs5/src/pbes2.rs
+++ b/pkcs5/src/pbes2.rs
@@ -104,7 +104,8 @@ impl<'a> Parameters<'a> {
     ///
     /// For more information on scrypt parameters, see documentation for the
     /// [`scrypt::Params`] struct.
-    #[cfg(feature = "scrypt")]
+    // TODO(tarcieri): encapsulate `scrypt::Params`?
+    #[cfg(feature = "pbes2")]
     pub fn scrypt_aes128cbc(
         params: scrypt::Params,
         salt: &'a [u8],
@@ -123,7 +124,8 @@ impl<'a> Parameters<'a> {
     ///
     /// When in doubt, use `Default::default()` as the [`scrypt::Params`].
     /// This also avoids the need to import the type from the `scrypt` crate.
-    #[cfg(feature = "scrypt")]
+    // TODO(tarcieri): encapsulate `scrypt::Params`?
+    #[cfg(feature = "pbes2")]
     pub fn scrypt_aes256cbc(
         params: scrypt::Params,
         salt: &'a [u8],
diff --git a/pkcs5/src/pbes2/encryption.rs b/pkcs5/src/pbes2/encryption.rs
index 6b30d8c45..ea029b66a 100644
--- a/pkcs5/src/pbes2/encryption.rs
+++ b/pkcs5/src/pbes2/encryption.rs
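Review bot: Moving the feature lists to `dep:` syntax silently removes the implicit `des`, `sha1`, `pbkdf2`, `scrypt` and `hmac` features that a downstream manifest could previously enable directly (for example `pkcs5/scrypt`), and `dep:` needs Cargo 1.60 or newer. Confirm the crate's `rust-version` (not in this diff) is at least 1.60, and list the removed feature names in the changelog unless this ships in a semver-breaking release. Dropping `hmac` from `pbes2` is consistent with the encryption.rs hunk, which now reaches HMAC only through `pbkdf2::hmac`.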
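Review bot: `pub use scrypt;` turns the entire `scrypt` crate into public API of pkcs5 behind the `pbes2` feature, so every semver-incompatible bump of `scrypt` is now a breaking change of pkcs5; the `scrypt_aes128cbc`/`scrypt_aes256cbc` signatures already expose `scrypt::Params`, which the TODOs in pbes2.rs acknowledge. The re-export should at least carry a doc comment so the coupling is visible in rustdoc, e.g. `/// Re-export of the [`scrypt`] crate; its [`scrypt::Params`] type appears in the PBES2 scrypt constructors, so a major bump of `scrypt` is a breaking change here.` Encapsulating `Params` in a local type, as the TODOs suggest, would remove the coupling entirely.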
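Review bot: The `scrypt_aes256cbc` doc still recommends `Default::default()` as the `scrypt::Params`, yet the pkcs8 test in this same diff had to replace `Default::default()` with an explicit `Params::new(15, 8, 1, 32)`, which suggests scrypt 0.11 changed its default cost; if so, the doc should state what the default now costs in time and memory, since that is what every caller who follows the advice will pay. scrypt 0.11's `Params` also carries an output `len`, while the key length for these constructors is fixed by the cipher (16 bytes for AES-128, 32 for AES-256), so a caller-supplied `len` is presumably ignored — worth a sentence like `/// The `len` field of `params` is not used; the derived key length is determined by the cipher.` once confirmed against `derive_with_scrypt`, which is outside this diff. Both functions continue past the hunk.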
@@ -5,16 +5,15 @@ use crate::{Error, Result};
 use cbc::cipher::{
     block_padding::Pkcs7, BlockCipher, BlockDecryptMut, BlockEncryptMut, KeyInit, KeyIvInit,
 };
-use hmac::{
-    digest::{
+use pbkdf2::{
+    hmac::digest::{
         block_buffer::Eager,
         core_api::{BlockSizeUser, BufferKindUser, CoreProxy, FixedOutputCore, UpdateCore},
         generic_array::typenum::{IsLess, Le, NonZero, U256},
         HashMarker,
     },
-    Hmac,
+    pbkdf2_hmac,
 };
-use pbkdf2::pbkdf2;
 use scrypt::scrypt;
 
 /// Maximum size of a derived encryption key
@@ -157,18 +156,19 @@ impl EncryptionKey {
     fn derive_with_pbkdf2(password: &[u8], params: &Pbkdf2Params<'_>, length: usize) -> Self
     where
         D: CoreProxy,
-        D::Core: HashMarker
+        D::Core: Sync
+            + HashMarker
             + UpdateCore
             + FixedOutputCore
             + BufferKindUser
             + Default
-            + Clone
-            + Sync,
+            + Clone,
         ::BlockSize: IsLess,
         Le<::BlockSize, U256>: NonZero,
     {
         let mut buffer = [0u8; MAX_KEY_LEN];
-        pbkdf2::>(
+
+        pbkdf2_hmac::(
             password,
             params.salt,
             params.iteration_count,
diff --git a/pkcs5/src/pbes2/kdf.rs b/pkcs5/src/pbes2/kdf.rs
index 4e0ef5a55..63378cbcb 100644
--- a/pkcs5/src/pbes2/kdf.rs
+++ b/pkcs5/src/pbes2/kdf.rs
@@ -35,7 +35,7 @@ pub const HMAC_WITH_SHA512_OID: ObjectIdentifier =
 pub const SCRYPT_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.11591.4.11");
 
 /// Type used for expressing scrypt cost
-type ScryptCost = u16;
+type ScryptCost = u64;
 
 /// Password-based key derivation function.
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -395,12 +395,13 @@ pub struct ScryptParams<'a> {
 }
 
 impl<'a> ScryptParams<'a> {
-    #[cfg(feature = "scrypt")]
+    #[cfg(feature = "pbes2")]
     const INVALID_ERR: Error = Error::AlgorithmParametersInvalid { oid: SCRYPT_OID };
 
     /// Get the [`ScryptParams`] for the provided upstream [`scrypt::Params`]
     /// and a provided salt string.
-    #[cfg(feature = "scrypt")]
+    // TODO(tarcieri): encapsulate `scrypt::Params`?
+    #[cfg(feature = "pbes2")]
     pub fn from_params_and_salt(params: scrypt::Params, salt: &'a [u8]) -> Result {
         Ok(Self {
             salt,
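Review bot: Widening `ScryptCost` from `u16` to `u64` removes the only bound on the cost parameter N that is decoded from untrusted PBES2 parameters (an encrypted PKCS#8 blob supplied by an attacker): scrypt needs on the order of 128·N·r bytes, so where `u16` capped N at 65535, a crafted file can now ask for N = 2^40 and drive the decrypting process into an allocation failure or swap storm before any password check happens. The widening itself looks necessary — the old cap already excluded common costs such as 2^17 — but the `TryFrom<&ScryptParams> for scrypt::Params` conversion should enforce an explicit ceiling before calling `Params::new`, e.g. `if log_n > 20 { return Err(ScryptParams::INVALID_ERR); }` or a caller-configurable limit, and the `ScryptCost` doc should say the value originates from untrusted input. The code that derives `log_n` from the cost is outside this hunk, so I cannot see whether any such check already exists.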
@@ -455,7 +456,7 @@ impl<'a> TryFrom> for ScryptParams<'a> {
     }
 }
 
-#[cfg(feature = "scrypt")]
+#[cfg(feature = "pbes2")]
 impl<'a> TryFrom> for scrypt::Params {
     type Error = Error;
 
@@ -464,7 +465,7 @@ impl<'a> TryFrom> for scrypt::Params {
     }
 }
 
-#[cfg(feature = "scrypt")]
+#[cfg(feature = "pbes2")]
 impl<'a> TryFrom<&ScryptParams<'a>> for scrypt::Params {
     type Error = Error;
 
@@ -482,6 +483,7 @@ impl<'a> TryFrom<&ScryptParams<'a>> for scrypt::Params {
             log_n,
             params.block_size.into(),
             params.parallelization.into(),
+            scrypt::Params::RECOMMENDED_LEN,
         )
         .map_err(|_| ScryptParams::INVALID_ERR)
     }
diff --git a/pkcs8/Cargo.toml b/pkcs8/Cargo.toml
index 0dbfa4611..c96423b13 100644
--- a/pkcs8/Cargo.toml
+++ b/pkcs8/Cargo.toml
@@ -35,7 +35,7 @@ des-insecure = ["encryption", "pkcs5/des-insecure"]
 encryption = ["alloc", "pkcs5/alloc", "pkcs5/pbes2", "rand_core"]
 getrandom = ["rand_core/getrandom"]
 pem = ["alloc", "der/pem", "spki/pem"]
-sha1 = ["encryption", "pkcs5/sha1"]
+sha1-insecure = ["encryption", "pkcs5/sha1-insecure"]
 std = ["alloc", "der/std", "spki/std"]
 
 [package.metadata.docs.rs]
diff --git a/pkcs8/tests/encrypted_private_key.rs b/pkcs8/tests/encrypted_private_key.rs
index 1c11ca203..dbe0a18e7 100644
--- a/pkcs8/tests/encrypted_private_key.rs
+++ b/pkcs8/tests/encrypted_private_key.rs
@@ -183,7 +183,7 @@ fn encrypt_ed25519_der_encpriv_aes256_pbkdf2_sha256() {
 #[test]
 fn encrypt_ed25519_der_encpriv_aes256_scrypt() {
     let scrypt_params = pkcs5::pbes2::Parameters::scrypt_aes256cbc(
-        Default::default(),
+        pkcs5::scrypt::Params::new(15, 8, 1, 32).unwrap(),
         &hex!("E6211E2348AD69E0"),
         &hex!("9BD0A6251F2254F9FD5963887C27CF01"),
     )
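Review bot: `scrypt::Params::RECOMMENDED_LEN` is passed unconditionally in the `TryFrom<&ScryptParams>` conversion, so if `ScryptParams` carries the optional RFC 7914 `keyLength` field (its struct definition is cut off in the earlier hunk) that value is neither forwarded nor checked against the cipher's key size here. This is only harmless if the low-level `scrypt::scrypt` call sizes its output from the destination buffer rather than from `Params::len`, which the derivation code outside this diff would have to confirm; a comment stating that assumption belongs on the new line, e.g. `// `len` only matters to scrypt's high-level API; PBES2 derives exactly the cipher's key size.` If a decoded `key_length` is present and disagrees with the expected key size, returning `INVALID_ERR` would make a tampered header fail before any work is done.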
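Review bot: Renaming the `sha1` feature to `sha1-insecure` breaks every downstream manifest that enables `pkcs8/sha1`; the new name is the right signal for a PBKDF2-HMAC-SHA1 path, but unless this lands in a semver-breaking release, keep a deprecated alias for one cycle, `sha1 = ["sha1-insecure"]`, and note the rename in the changelog.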
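Review bot: The test now pins `Params::new(15, 8, 1, 32)` without saying why; presumably scrypt 0.11 changed `Params::default()` and the fixture ciphertext was generated with N = 2^15, r = 8, p = 1, so `Default::default()` would no longer reproduce it. A one-line comment would save the next reader a bisect, e.g. `// Fixture was generated with N=2^15, r=8, p=1; Default::default() may change across scrypt releases.` The function continues past the hunk.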