diff --git a/contrib/backends/srndv2/src/srnd/config.go b/contrib/backends/srndv2/src/srnd/config.go
index 46b25db..bc368e0 100644
--- a/contrib/backends/srndv2/src/srnd/config.go
+++ b/contrib/backends/srndv2/src/srnd/config.go
@@ -10,7 +10,6 @@ import (
 	"encoding/base32"
 	"fmt"
 	"github.com/majestrate/configparser"
-	"github.com/majestrate/nacl"
 	"io/ioutil"
 	"log"
 	"net"
@@ -240,7 +239,7 @@ func GenSRNdConfig() *configparser.Configuration {
 	sect.Add("json-api", "0")
 	sect.Add("json-api-username", "fucking-change-this-value")
 	sect.Add("json-api-password", "seriously-fucking-change-this-value")
-	secret_bytes := nacl.RandBytes(8)
+	secret_bytes := randbytes(8)
 	secret := base32.StdEncoding.EncodeToString(secret_bytes)
 	sect.Add("api-secret", secret)
 
diff --git a/contrib/backends/srndv2/src/srnd/crypto_nacl.go b/contrib/backends/srndv2/src/srnd/crypto_nacl.go
new file mode 100644
index 0000000..e636feb
--- /dev/null
+++ b/contrib/backends/srndv2/src/srnd/crypto_nacl.go
@@ -0,0 +1,15 @@
+package srnd
+
+import "github.com/majestrate/nacl"
+
+func nacl_cryptoVerifyFucky(hash, sig, pk []byte) bool {
+	return nacl.CryptoVerifyFucky(hash, sig, pk)
+}
+
+func nacl_cryptoSignFucky(hash, sk []byte) (sig []byte) {
+	return nacl.CryptoSignFucky(hash, sk)
+}
+
+func nacl_cryptoVerifyDetached(hash, sig, pk []byte) bool {
+	return nacl.CryptoVerifyDetached(hash, sig, pk)
+}
diff --git a/contrib/backends/srndv2/src/srnd/daemon.go b/contrib/backends/srndv2/src/srnd/daemon.go
index 9445631..3fe2ebd 100644
--- a/contrib/backends/srndv2/src/srnd/daemon.go
+++ b/contrib/backends/srndv2/src/srnd/daemon.go
@@ -7,7 +7,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"github.com/majestrate/nacl"
 	"log"
 	"net"
 	"net/http"
@@ -166,14 +165,10 @@ func (self *NNTPDaemon) WrapSign(nntp NNTPMessage) {
 		if seed == nil {
 			log.Println("invalid secretkey will not sign")
 		} else {
-			kp := nacl.LoadSignKey(seed)
-			defer kp.Free()
-			sec := kp.Secret()
+			pk, sec := seedToKeyPair(seed)
 			sig := msgidFrontendSign(sec, nntp.MessageID())
-			pk := hexify(kp.Public())
 			nntp.Headers().Add("X-Frontend-Signature", sig)
-			nntp.Headers().Add("X-Frontend-Pubkey", pk)
-			log.Println("signed", nntp.MessageID(), "as from", pk)
+			nntp.Headers().Add("X-Frontend-Pubkey", hexify(pk))
 		}
 	} else {
 		log.Println("sending", nntp.MessageID(), "unsigned")
@@ -467,8 +462,7 @@ func (self *NNTPDaemon) syncPull(proxy_type, proxy_addr, remote_addr string) {
 		if reader {
 			// we can do it
 			err = nntp.scrapeServer(self, conn)
-			if err == nil {
-				// we succeeded
+			if err == nil { // we succeeded
 				log.Println(nntp.name, "Scrape successful")
 				nntp.Quit(conn)
 				conn.Close()
diff --git a/contrib/backends/srndv2/src/srnd/frontend_http.go b/contrib/backends/srndv2/src/srnd/frontend_http.go
index d2c276f..5587b97 100644
--- a/contrib/backends/srndv2/src/srnd/frontend_http.go
+++ b/contrib/backends/srndv2/src/srnd/frontend_http.go
@@ -16,7 +16,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/gorilla/websocket"
-	"github.com/majestrate/nacl"
 	"io"
 	"log"
 	"mime"
@@ -921,14 +920,9 @@ func (self *httpFrontend) handle_postRequest(pr *postRequest, b bannedFunc, e er
 	}
 	// pack it before sending so that the article is well formed
 	// sign if needed
-	if len(tripcode_privkey) == nacl.CryptoSignSeedLen() {
-		kp := nacl.LoadSignKey(tripcode_privkey)
-		if kp == nil {
-			e(errors.New("seed keypair was nil?"))
-			return
-		}
-		defer kp.Free()
-		nntp.headers.Set("X-PubKey-Ed25519", hexify(kp.Public()))
+	if len(tripcode_privkey) == 32 {
+		pk, _ := seedToKeyPair(tripcode_privkey)
+		nntp.headers.Set("X-PubKey-Ed25519", hexify(pk))
 		nntp.Pack()
 		err = self.daemon.store.RegisterPost(nntp)
 		if err != nil {
diff --git a/contrib/backends/srndv2/src/srnd/message.go b/contrib/backends/srndv2/src/srnd/message.go
index 766abbc..d40b72e 100644
--- a/contrib/backends/srndv2/src/srnd/message.go
+++ b/contrib/backends/srndv2/src/srnd/message.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"github.com/dchest/blake2b"
-	"github.com/majestrate/nacl"
 	"io"
 	"log"
 	"mime"
@@ -181,22 +180,15 @@ func signArticle(nntp NNTPMessage, seed []byte) (signed *nntpArticle, err error)
 	mw.Write([]byte{10})
 	if err == nil {
 		// build keypair
-		kp := nacl.LoadSignKey(seed)
-		if kp == nil {
-			log.Println("failed to load seed for signing article")
-			return
-		}
-		defer kp.Free()
-		sk := kp.Secret()
-		pk := getSignPubkey(sk)
+		pk, sk := seedToKeyPair(seed)
 		// sign it nigguh
 		digest := sha.Sum(nil)
-		sig := cryptoSign(digest, sk)
+		sig := cryptoSignFucky(digest, sk)
 		// log that we signed it
 		// log.Printf("signed %s pubkey=%s sig=%s hash=%s", nntp.MessageID(), pk, sig, hexify(digest))
 		signed.headers.Set("X-Signature-Ed25519-SHA512", sig)
-		signed.headers.Set("X-PubKey-Ed25519", pk)
-		sig = cryptoSignNew(blake.Sum(nil), sk)
+		signed.headers.Set("X-PubKey-Ed25519", hexify(pk[:]))
+		sig = cryptoSignProper(blake.Sum(nil), sk)
 		signed.headers.Set("X-Signature-Ed25519-BLAKE2B", sig)
 	}
 	return
@@ -472,7 +464,7 @@ func verifyMessageSHA512(pk, sig string, body *io.LimitedReader, innerHandler fu
 		hash := h.Sum(nil)
 		log.Printf("hash=%s", hexify(hash))
 		log.Printf("sig=%s", hexify(sig_bytes))
-		if nacl.CryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
+		if nacl_cryptoVerifyFucky(hash, sig_bytes, pk_bytes) {
 			log.Println("signature is valid :^)")
 		} else {
 			err = errors.New("invalid signature")
@@ -510,7 +502,7 @@ func verifyMessageBLAKE2B(pk, sig string, body *io.LimitedReader, innerHandler f
 		hash := h.Sum(nil)
 		log.Printf("hash=%s", hexify(hash))
 		log.Printf("sig=%s", hexify(sig_bytes))
-		if nacl.CryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
+		if nacl_cryptoVerifyDetached(hash, sig_bytes, pk_bytes) {
 			log.Println("signature is valid :^)")
 		} else {
 			err = errors.New("invalid signature")
diff --git a/contrib/backends/srndv2/src/srnd/mod_http.go b/contrib/backends/srndv2/src/srnd/mod_http.go
index 1378181..3f675dd 100644
--- a/contrib/backends/srndv2/src/srnd/mod_http.go
+++ b/contrib/backends/srndv2/src/srnd/mod_http.go
@@ -13,7 +13,6 @@ import (
 	"fmt"
 	"github.com/gorilla/csrf"
 	"github.com/gorilla/sessions"
-	"github.com/majestrate/nacl"
 	"io"
 	"log"
 	"net"
@@ -416,12 +415,9 @@ func (self httpModUI) CheckPubkey(pubkey, scope string) (bool, error) {
 func (self httpModUI) CheckKey(privkey, scope string) (bool, error) {
 	privkey_bytes, err := hex.DecodeString(privkey)
 	if err == nil {
-		kp := nacl.LoadSignKey(privkey_bytes)
-		if kp != nil {
-			defer kp.Free()
-			pubkey := hex.EncodeToString(kp.Public())
-			return self.CheckPubkey(pubkey, scope)
-		}
+		pk, _ := seedToKeyPair(privkey_bytes)
+		pubkey := hex.EncodeToString(pk)
+		return self.CheckPubkey(pubkey, scope)
 	}
 	log.Println("invalid key format for key", privkey)
 	return false, err
diff --git a/contrib/backends/srndv2/src/srnd/util.go b/contrib/backends/srndv2/src/srnd/util.go
index 81d4629..95746e4 100644
--- a/contrib/backends/srndv2/src/srnd/util.go
+++ b/contrib/backends/srndv2/src/srnd/util.go
@@ -6,12 +6,12 @@ package srnd
 
 import (
 	"bufio"
+	"crypto/rand"
 	"crypto/sha1"
 	"crypto/sha512"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
-	"github.com/majestrate/nacl"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
 	"io"
@@ -104,9 +104,15 @@ func OpenFileWriter(fname string) (io.WriteCloser, error) {
 	return os.Create(fname)
 }
 
+func randbytes(l int) []byte {
+	b := make([]byte, l)
+	io.ReadFull(rand.Reader, b)
+	return b
+}
+
 // make a random string
 func randStr(length int) string {
-	return hex.EncodeToString(nacl.RandBytes(length))[length:]
+	return hex.EncodeToString(randbytes(length))[length:]
 }
 
 // time for right now as int64
@@ -212,7 +218,7 @@ func i2pDestHashLen() int {
 // generate a new encryption key for it
 // return the encryption key and the encrypted address
 func newAddrEnc(addr string) (string, string) {
-	key_bytes := nacl.RandBytes(encAddrBytes())
+	key_bytes := randbytes(encAddrBytes())
 	key := base64.StdEncoding.EncodeToString(key_bytes)
 	return key, encAddr(addr, key)
 }
@@ -291,13 +297,16 @@ func ValidNewsgroup(newsgroup string) bool {
 	return newsgroupValidFormat(newsgroup)
 }
 
+func genKeypair() (pk, sk []byte) {
+	sk = randbytes(32)
+	pk, _ = seedToKeyPair(sk)
+	return
+}
+
 // generate a new signing keypair
 // public, secret
 func newSignKeypair() (string, string) {
-	kp := nacl.GenSignKeypair()
-	defer kp.Free()
-	pk := kp.Public()
-	sk := kp.Seed()
+	pk, sk := genKeypair()
 	return hex.EncodeToString(pk), hex.EncodeToString(sk)
 }
 
@@ -387,15 +396,16 @@ func hexify(data []byte) string {
 // extract pubkey from secret key
 // return as hex
 func getSignPubkey(sk []byte) string {
-	k, _ := nacl.GetSignPubkey(sk)
-	return hexify(k)
+	_, pk := seedToKeyPair(sk)
+	return hexify(pk)
 }
 
 // sign data with secret key the fucky srnd way
 // return signature as hex
-func cryptoSign(h, sk []byte) string {
+// XXX: DEPRECATED
+func cryptoSignFucky(h, sk []byte) string {
 	// sign
-	sig := nacl.CryptoSignFucky(h, sk)
+	sig := nacl_cryptoSignFucky(h, sk)
 	if sig == nil {
 		return "[failed to sign]"
 	}
@@ -403,19 +413,20 @@ func cryptoSign(h, sk []byte) string {
 }
 
 // convert seed to secret key
-func seedToSecretNew(seed []byte) (full ed25519.PrivateKey) {
-	var out [32]byte
+func seedToKeyPair(seed []byte) (full ed25519.PrivateKey, pub ed25519.PublicKey) {
 	var in [32]byte
+	var out [32]byte
 	copy(in[:], seed[0:32])
 	curve25519.ScalarBaseMult(&out, &in)
+	copy(pub[:], out[:])
 	copy(full[:], in[:])
-	copy(full[:32], out[:])
+	copy(full[:32], pub[:])
 	return
 }
 
-func cryptoSignNew(h, sk []byte) string {
+func cryptoSignProper(h, sk []byte) string {
 	// convert key
-	key := seedToSecretNew(sk)
+	key, _ := seedToKeyPair(sk)
 	// sign
 	sig := ed25519.Sign(key, h)
 	if sig == nil {
@@ -429,7 +440,7 @@ func cryptoSignNew(h, sk []byte) string {
 func parseTripcodeSecret(str string) []byte {
 	// try decoding hex
 	raw := unhex(str)
-	keylen := nacl.CryptoSignSeedLen()
+	keylen := 32
 	if raw == nil || len(raw) != keylen {
 		// treat this as a "regular" chan tripcode
 		// decode as bytes then pad the rest with 0s if it doesn't fit
@@ -670,17 +681,17 @@ func extractRealIP(r *http.Request) (ip string, err error) {
 
 func serverPubkeyIsValid(pubkey string) bool {
 	b := unhex(pubkey)
-	return b != nil && len(b) == nacl.CryptoSignPubKeySize()
+	return b != nil && len(b) == 32
 }
 
 func verifyFrontendSig(pubkey, sig, msgid string) bool {
 	s := unhex(sig)
 	k := unhex(pubkey)
 	h := sha512.Sum512([]byte(msgid))
-	return nacl.CryptoVerifyFucky(h[:], s, k)
+	return nacl_cryptoVerifyFucky(h[:], s, k)
 }
 
 func msgidFrontendSign(sk []byte, msgid string) string {
 	h := sha512.Sum512([]byte(msgid))
-	return cryptoSign(h[:], sk)
+	return cryptoSignFucky(h[:], sk)
 }