diff --git a/README.md b/README.md
index ecf398b..a60453e 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Or follow: https://support.plex.tv/articles/204059436-finding-an-authentication-
 ### 2. Generate an encryption key
 ```bash
-python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+openssl rand -base64 32
 ```
 Save the output — you'll need it for the `ENCRYPTION_KEY` variable below.
@@ -65,7 +65,7 @@ docker compose up -d
 |---|---|---|
 | `PLEX_URL` | — | URL of your Plex server, e.g. `http://192.168.1.50:32400` |
 | `PLEX_TOKEN` | — | Your Plex authentication token |
-| `ENCRYPTION_KEY` | — | Fernet key for encrypting sensitive settings at rest (see above) |
+| `ENCRYPTION_KEY` | — | Key for encrypting sensitive settings at rest (see above) |
 | `PORT` | `7842` | Host port for the dashboard |
 | `POLL_INTERVAL` | `30` | Seconds between Plex polls |
 | `OUTLIER_THRESHOLD` | `0.10` | A country must account for <10% of sessions to be flagged |
diff --git a/app/crypto.py b/app/crypto.py
index c701d62..0cb99da 100644
--- a/app/crypto.py
+++ b/app/crypto.py
@@ -6,6 +6,8 @@ meaning encrypted settings will become unreadable after a container restart).
 """
 import os
+import base64
+import hashlib
 import logging
 from cryptography.fernet import Fernet
@@ -21,14 +23,15 @@ def _get_key() -> bytes:
 env_key = os.environ.get("ENCRYPTION_KEY", "").strip()
 if env_key:
- _key = env_key.encode()
+ # Derive a valid 32-byte Fernet key from any input string (e.g. openssl rand -base64 32)
+ raw = hashlib.sha256(env_key.encode()).digest()
+ _key = base64.urlsafe_b64encode(raw)
 else:
 _key = Fernet.generate_key()
 logger.warning(
 "ENCRYPTION_KEY not set — using an ephemeral key. "
 "Encrypted settings will be LOST on restart. "
- "Generate a permanent key with: "
- 'python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
+ "Generate a permanent key with: openssl rand -base64 32"
 )
 return _key
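Review bot: Hashing every non-empty `ENCRYPTION_KEY` in the `if env_key:` branch changes the effective key for installations that already store a Fernet-generated value, so settings encrypted before this commit will no longer decrypt with the same environment variable. Keeping a value that `Fernet()` already accepts unchanged, and deriving only for other input, preserves existing data, as sketched below. The new comment also invites "any input string", but a single unsalted SHA-256 adds no stretching, so the key is only as strong as the input; the comment should say the value must be high-entropy random output such as the documented `openssl rand -base64 32`. `_get_key` starts above this hunk, so how a failed decrypt is surfaced to the user is not visible here.

```python
    if env_key:
        try:
            # A value Fernet already accepts is used as-is, so settings
            # encrypted before this change still decrypt.
            Fernet(env_key.encode())
            _key = env_key.encode()
        except ValueError:
            # Other input is hashed down to 32 bytes; it must be
            # high-entropy random output, not a passphrase.
            raw = hashlib.sha256(env_key.encode()).digest()
            _key = base64.urlsafe_b64encode(raw)
    # … unchanged: else branch with the ephemeral key and warning …
```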
diff --git a/docker-compose.yml b/docker-compose.yml
index 3ef4c94..559ecf1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,7 +12,7 @@ services:
 - POLL_INTERVAL=${POLL_INTERVAL:-30}
 - OUTLIER_THRESHOLD=${OUTLIER_THRESHOLD:-0.10}
 - OUTLIER_MIN_SESSIONS=${OUTLIER_MIN_SESSIONS:-5}
- # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+ # Generate with: openssl rand -base64 32
 - ENCRYPTION_KEY=${ENCRYPTION_KEY}
 volumes:
 - plexgeo_data:/data