diff --git a/ironic_python_agent/extensions/rescue.py b/ironic_python_agent/extensions/rescue.py
index 036a17f79..a9eafd434 100644
--- a/ironic_python_agent/extensions/rescue.py
+++ b/ironic_python_agent/extensions/rescue.py
@@ -10,9 +10,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import crypt
-
 from oslo_log import log
+from oslo_utils import secretutils
 
 from ironic_python_agent.extensions import base
 
@@ -43,7 +42,8 @@ class RescueExtension(base.BaseAgentExtension):
         if hashed:
             hashed_password = password
         else:
-            hashed_password = crypt.crypt(rescue_password)
+            hashed_password = secretutils.crypt_password(
+                rescue_password, secretutils.crypt_mksalt('SHA-256'))
         try:
             with open(PASSWORD_FILE, 'w') as f:
                 f.write(hashed_password)
diff --git a/ironic_python_agent/tests/unit/extensions/test_rescue.py b/ironic_python_agent/tests/unit/extensions/test_rescue.py
index 4c807e51b..7f59982bd 100644
--- a/ironic_python_agent/tests/unit/extensions/test_rescue.py
+++ b/ironic_python_agent/tests/unit/extensions/test_rescue.py
@@ -25,7 +25,8 @@ class TestRescueExtension(test_base.BaseTestCase):
         self.agent_extension = rescue.RescueExtension()
         self.agent_extension.agent = FakeAgent()
 
-    @mock.patch('ironic_python_agent.extensions.rescue.crypt.crypt',
+    @mock.patch('ironic_python_agent.extensions.rescue.secretutils.'
+                'crypt_password',
                 autospec=True)
     def test_write_rescue_password(self, mock_crypt):
         mock_crypt.return_value = '12deadbeef'
@@ -34,13 +35,14 @@ class TestRescueExtension(test_base.BaseTestCase):
                         mock_open):
             self.agent_extension.write_rescue_password('password')
 
-        mock_crypt.assert_called_once_with('password')
+        mock_crypt.assert_called_once_with('password', mock.ANY)
         mock_open.assert_called_once_with(
             '/etc/ipa-rescue-config/ipa-rescue-password', 'w')
         file_handle = mock_open()
         file_handle.write.assert_called_once_with('12deadbeef')
 
-    @mock.patch('ironic_python_agent.extensions.rescue.crypt.crypt',
+    @mock.patch('ironic_python_agent.extensions.rescue.secretutils.'
+                'crypt_password',
                 autospec=True)
     def test_write_rescue_password_ioerror(self, mock_crypt):
         mock_crypt.return_value = '12deadbeef'
@@ -53,7 +55,8 @@ class TestRescueExtension(test_base.BaseTestCase):
                 IOError, self.agent_extension.write_rescue_password,
                 'password')
 
-    @mock.patch('ironic_python_agent.extensions.rescue.crypt.crypt',
+    @mock.patch('ironic_python_agent.extensions.rescue.secretutils.'
+                'crypt_password',
                 autospec=True)
     def _write_password_hashed_test(self, password, mock_crypt):
         mock_open = mock.mock_open()
diff --git a/requirements.txt b/requirements.txt
index 683f6b0bd..a639a50d4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@ oslo.config>=5.2.0 # Apache-2.0
 oslo.concurrency>=3.26.0 # Apache-2.0
 oslo.log>=4.6.1 # Apache-2.0
 oslo.service>=1.24.0 # Apache-2.0
-oslo.utils>=7.3.0 # Apache-2.0
+oslo.utils>=8.0.0 # Apache-2.0
 Pint>=0.5 # BSD
 psutil>=3.2.2 # BSD
 pyudev>=0.18 # LGPLv2.1+