diff --git a/tunnel/crypto.go b/tunnel/crypto.go
index e7f5a2f0..fd76eb95 100644
--- a/tunnel/crypto.go
+++ b/tunnel/crypto.go
@@ -14,22 +14,17 @@ var (
 	// gcmStandardNonceSize from crypto/cipher/gcm.go is 12 bytes
 	// 100 - is max size of pool
 	noncePool = bpool.NewBytePool(100, 12)
-	hashPool  = bpool.NewBytePool(1024*32, 32)
 )
 
 // hash hahes the data into 32 bytes key and returns it
 // hash uses sha256 underneath to hash the supplied key
-func hash(key string) []byte {
-	hasher := sha256.New()
-	hasher.Write([]byte(key))
-	out := hashPool.Get()
-	defer hashPool.Put(out[:0])
-	out = hasher.Sum(out[:0])
-	return out
+func hash(key []byte) []byte {
+	sum := sha256.Sum256(key)
+	return sum[:]
 }
 
 // Encrypt encrypts data and returns the encrypted data
-func Encrypt(data []byte, key string) ([]byte, error) {
+func Encrypt(data []byte, key []byte) ([]byte, error) {
 	// generate a new AES cipher using our 32 byte key
 	c, err := aes.NewCipher(hash(key))
 	if err != nil {
@@ -59,7 +54,7 @@ func Encrypt(data []byte, key string) ([]byte, error) {
 }
 
 // Decrypt decrypts the payload and returns the decrypted data
-func Decrypt(data []byte, key string) ([]byte, error) {
+func Decrypt(data []byte, key []byte) ([]byte, error) {
 	// generate AES cipher for decrypting the message
 	c, err := aes.NewCipher(hash(key))
 	if err != nil {
@@ -81,10 +76,10 @@ func Decrypt(data []byte, key string) ([]byte, error) {
 	// NOTE: we need to parse out nonce from the payload
 	// we prepend the nonce to every encrypted payload
 	nonce, ciphertext := data[:nonceSize], data[nonceSize:]
-	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+	ciphertext, err = gcm.Open(ciphertext[:0], nonce, ciphertext, nil)
 	if err != nil {
 		return nil, err
 	}
 
-	return plaintext, nil
+	return ciphertext, nil
 }
diff --git a/tunnel/crypto_test.go b/tunnel/crypto_test.go
index 6f8498b9..4faac2cf 100644
--- a/tunnel/crypto_test.go
+++ b/tunnel/crypto_test.go
@@ -6,7 +6,7 @@ import (
 )
 
 func TestEncrypt(t *testing.T) {
-	key := "tokenpassphrase"
+	key := []byte("tokenpassphrase")
 	data := []byte("supersecret")
 
 	cipherText, err := Encrypt(data, key)
@@ -21,7 +21,7 @@ func TestEncrypt(t *testing.T) {
 }
 
 func TestDecrypt(t *testing.T) {
-	key := "tokenpassphrase"
+	key := []byte("tokenpassphrase")
 	data := []byte("supersecret")
 
 	cipherText, err := Encrypt(data, key)
diff --git a/tunnel/default.go b/tunnel/default.go
index 398f52ad..7cb636dd 100644
--- a/tunnel/default.go
+++ b/tunnel/default.go
@@ -131,7 +131,7 @@ func (t *tun) newSession(channel, sessionId string) (*session, bool) {
 		recv:    make(chan *message, 128),
 		send:    t.send,
 		errChan: make(chan error, 1),
-		key:     t.token + channel + sessionId,
+		key:     []byte(t.token + channel + sessionId),
 	}
 
 	// save session
diff --git a/tunnel/listener.go b/tunnel/listener.go
index 4e35360b..dedde945 100644
--- a/tunnel/listener.go
+++ b/tunnel/listener.go
@@ -78,7 +78,7 @@ func (t *tunListener) process() {
 				// create a new session session
 				sess = &session{
 					// the session key
-					key: t.token + m.channel + sessionId,
+					key: []byte(t.token + m.channel + sessionId),
 					// the id of the remote side
 					tunnel: m.tunnel,
 					// the channel
diff --git a/tunnel/session.go b/tunnel/session.go
index 6dd90a3d..be34e55f 100644
--- a/tunnel/session.go
+++ b/tunnel/session.go
@@ -1,7 +1,7 @@
 package tunnel
 
 import (
-	"encoding/hex"
+	"encoding/base32"
 	"io"
 	"time"
 
@@ -48,7 +48,7 @@ type session struct {
 	// the error response
 	errChan chan error
 	// key for session encryption
-	key string
+	key []byte
 }
 
 // message is sent over the send channel
@@ -348,8 +348,8 @@ func (s *session) Send(m *transport.Message) error {
 			log.Debugf("failed to encrypt message header %s: %v", k, err)
 			return err
 		}
-		// hex encode the encrypted header value
-		data.Header[k] = hex.EncodeToString(val)
+		// add the encrypted header value
+		data.Header[k] = base32.StdEncoding.EncodeToString(val)
 	}
 
 	// create a new message
@@ -391,33 +391,33 @@ func (s *session) Recv(m *transport.Message) error {
 
 	log.Tracef("Received %+v from recv backlog", msg)
 
-	key := s.token + s.channel + msg.session
+	key := []byte(s.token + s.channel + msg.session)
 	// decrypt the received payload using the token
 	// we have to used msg.session because multicast has a shared
 	// session id of "multicast" in this session struct on
 	// the listener side
-	body, err := Decrypt(msg.data.Body, key)
+	msg.data.Body, err = Decrypt(msg.data.Body, key)
 	if err != nil {
 		log.Debugf("failed to decrypt message body: %v", err)
 		return err
 	}
-	msg.data.Body = body
 
-	// encrypt all the headers
+	// dencrypt all the headers
 	for k, v := range msg.data.Header {
-		// hex decode the header values
-		h, err := hex.DecodeString(v)
+		// decode the header values
+		h, err := base32.StdEncoding.DecodeString(v)
 		if err != nil {
 			log.Debugf("failed to decode message header %s: %v", k, err)
 			return err
 		}
-		// encrypt the transport message payload
-		val, err := Decrypt([]byte(h), key)
+
+		// dencrypt the transport message payload
+		val, err := Decrypt(h, key)
 		if err != nil {
 			log.Debugf("failed to decrypt message header %s: %v", k, err)
 			return err
 		}
-		// hex encode the encrypted header value
+		// add decrypted header value
 		msg.data.Header[k] = string(val)
 	}