diff --git a/lib/crypto-primitives/src/Cryptography/Cipher/AES256CBC.hs b/lib/crypto-primitives/src/Cryptography/Cipher/AES256CBC.hs
index 395b26e33be..8637ac6bb66 100644
--- a/lib/crypto-primitives/src/Cryptography/Cipher/AES256CBC.hs
+++ b/lib/crypto-primitives/src/Cryptography/Cipher/AES256CBC.hs
@@ -107,7 +107,7 @@ encrypt
     -- ^ Payload: must be a multiple of a block size, ie., 16 bytes.
     -> Either CipherError ByteString
 encrypt mode keyBytes ivBytes saltM msg
-    | any ((/= 8) . BS.length) saltM =
+    | any ((/= saltLengthBytes) . BS.length) saltM =
         Left WrongSaltSize
     | mode == WithoutPadding && BS.length msg `mod` 16 /= 0 =
         Left WrongPayloadSize
@@ -129,9 +129,6 @@ encrypt mode keyBytes ivBytes saltM msg
             WithoutPadding -> id
             WithPadding -> PKCS7.pad
 
-saltPrefix :: ByteString
-saltPrefix = "Salted__"
-
 -- | Decrypt using AES256 using CBC mode.
 decrypt
     :: CipherMode
@@ -147,30 +144,31 @@ decrypt mode key iv msg = do
     when (mode == WithoutPadding && BS.length msg `mod` 16 /= 0) $
         Left WrongPayloadSize
     initedIV <- first FromCryptonite (createIV iv)
-    let (prefix,rest) = BS.splitAt 8 msg
-    let saltDetected = prefix == saltPrefix
-    if saltDetected then
-        second (, Just $ BS.take 8 rest) $
-        bimap FromCryptonite
-        (\c -> cbcDecrypt c initedIV (BS.drop 8 rest)) (initCipher key) >>=
-        unpad
-    else
-        second (, Nothing) $
-        bimap FromCryptonite
-        (\c -> cbcDecrypt c initedIV msg) (initCipher key) >>=
-        unpad
+    case BS.stripPrefix saltPrefix msg of
+        Just rest ->
+            second (, Just $ BS.take saltLengthBytes rest) $
+            bimap FromCryptonite
+            (\c -> cbcDecrypt c initedIV (BS.drop saltLengthBytes rest))
+            (initCipher key) >>=
+            unpad
+        Nothing ->
+            second (, Nothing) $
+            bimap FromCryptonite
+            (\c -> cbcDecrypt c initedIV msg) (initCipher key) >>=
+            unpad
   where
     unpad :: ByteString -> Either CipherError ByteString
     unpad p = case mode of
         WithoutPadding -> Right p
         WithPadding -> maybeToEither EmptyPayload (PKCS7.unpad p)
 
+saltLengthBytes :: Int
+saltLengthBytes = 8
+
+saltPrefix :: ByteString
+saltPrefix = "Salted__"
+
 getSaltFromEncrypted :: ByteString -> Maybe ByteString
-getSaltFromEncrypted msg = do
-    when (BS.length msg < 32) Nothing
-    let (prefix,rest) = BS.splitAt 8 msg
-    let saltDetected = prefix == saltPrefix
-    if saltDetected then
-        Just $ BS.take 8 rest
-    else
-        Nothing
+getSaltFromEncrypted msg
+    | BS.length msg < 32 = Nothing
+    | otherwise = BS.take saltLengthBytes <$> BS.stripPrefix saltPrefix msg