diff --git a/fabulaws/__init__.py b/fabulaws/__init__.py
index 39e0411..9fd0f8d 100644
--- a/fabulaws/__init__.py
+++ b/fabulaws/__init__.py
@@ -1 +1 @@
-__version__ = "1.0.9"
+__version__ = "1.0.10"
diff --git a/fabulaws/ubuntu/packages/postgres.py b/fabulaws/ubuntu/packages/postgres.py
index e7d9079..5df37c1 100644
--- a/fabulaws/ubuntu/packages/postgres.py
+++ b/fabulaws/ubuntu/packages/postgres.py
@@ -76,7 +76,9 @@ def __init__(self, *args, **kwargs):
 # Override individual default settings with whatever settings the project has specified.
 self.postgresql_settings = self.postgresql_settings.copy()
 self.postgresql_settings.update(db_settings.pop("postgresql_settings", {}))
-
+ self.pg_pw_encryption = self.postgresql_settings.get(
+ "password_encryption", default="md5"
+ )
 if db_settings:
 # There were keys we did not recognize; complain rather than let the
 # user think we're applying setttings that we're not.
@@ -211,14 +213,19 @@ def pg_set_sysctl_params(self, restart=True):
 if restart:
 self.pg_cmd("restart")

+ @uses_fabric
+ def pg_replace_pw_encryption(self, before="scram-sha-256", after="md5"):
+ files.sed(self.pg_hba, before=before, after=after, flags="i", use_sudo=True)
+
 @uses_fabric
 def pg_allow_from(self, ip_ranges, restart=True):
 """Allow external connections from the given IP range."""
-
 self.pg_set_str("listen_addresses", "*")
 files.uncomment(self.pg_hba, "local +replication", use_sudo=True)
 for ip_range in ip_ranges:
- hostssl_line = "hostssl all all %s md5" % ip_range
+ hostssl_line = (
+ f"hostssl all all {ip_range} {self.pg_pw_encryption}"
+ )
 files.append(self.pg_hba, hostssl_line, use_sudo=True)
 if restart:
 self.pg_cmd("restart")
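Review bot: In the `__init__` hunk, `self.postgresql_settings.get("password_encryption", default="md5")` passes the fallback by keyword, and `dict.get()` takes no keyword arguments. If `postgresql_settings` is a plain dict, as the `.copy()` and `.update()` calls just above suggest, constructing the object raises `TypeError`. Pass the fallback positionally: `self.postgresql_settings.get("password_encryption", "md5")`. The value is later written unchanged as the auth-method column of the `hostssl` lines in `pg_allow_from` and `pg_allow_replication`, so it is worth rejecting anything other than `md5` or `scram-sha-256` here; a quoted or legacy value would likely leave an invalid entry in `pg_hba.conf`. `__init__` starts and ends outside the hunk.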
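Review bot: The new `pg_replace_pw_encryption` in the second postgres.py hunk has no docstring, and its defaults lower the authentication method rather than raise it. The `files.sed` pattern is unanchored and uses `flags="i"`, so it rewrites every occurrence of `scram-sha-256` in `pg_hba.conf`, in comments as well as rule lines. I would add `"""Rewrite every occurrence of the auth method *before* in pg_hba.conf to *after*."""` plus a comment such as `# NOTE: the defaults downgrade scram-sha-256 entries to md5`. That way a later reader does not mistake the call for a hardening step.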
@@ -239,7 +246,9 @@ def pg_allow_replication(self, user, password, ip_ranges, restart=True):
 self.create_db_user(user, password, replication=True)
 files.uncomment(self.pg_hba, "local +replication", use_sudo=True)
 for ip_range in ip_ranges:
- hostssl_line = "hostssl replication all %s md5" % ip_range
+ hostssl_line = (
+ f"hostssl replication all {ip_range} {self.pg_pw_encryption}"
+ )
 files.append(self.pg_hba, hostssl_line, use_sudo=True)
 if restart:
 sudo("service postgresql restart")
@@ -302,6 +311,7 @@ def setup(self):
 if self.postgresql_tune:
 self.pg_tune_config(restart=False)
 self.pg_set_sysctl_params(restart=False)
+ self.pg_replace_pw_encryption()
 self.pg_allow_from(self.postgresql_networks, restart=False)
 self.pg_update_settings(self.postgresql_settings, restart=False)
 self.pg_cmd("restart")
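Review bot: The added `self.pg_replace_pw_encryption()` call in the `setup` hunk uses the method's defaults, so a project that sets `password_encryption` to `scram-sha-256` still has the existing `pg_hba.conf` entries rewritten to `md5`. The `hostssl` lines appended right after it use `scram-sha-256`, which leaves the file inconsistent. Passing the configured value fixes that and makes the call a no-op for SCRAM deployments: `self.pg_replace_pw_encryption(after=self.pg_pw_encryption)`. If `setup` can run more than once on a host, the default rewrite would presumably also turn previously appended `scram-sha-256` lines into `md5` before `pg_allow_from` appends them again, which is worth checking. Only part of `setup` is visible in the hunk.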