diff --git a/Cargo.toml b/Cargo.toml
index 7768bba..513df09 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,7 +16,7 @@ delog = "0.1.6"
 heapless-bytes = "0.3.0"
 num-bigint-dig = { version = "0.8.2", default-features = false }
 postcard = { version = "0.7", default-features = false, features = ["heapless"] }
-rsa = { version = "0.8.1", default-features = false, features = ["sha2"]}
+rsa = { version = "0.9", default-features = false, features = ["sha2"]}
 serde = { version = "1.0.152", default-features = false, features = ["derive"] }
 trussed = "0.1"
@@ -35,7 +35,7 @@ virt = ["std", "trussed/virt"]
 std = []
 # Add support for raw RSA keys
-raw = ["rsa/expose-internals"]
+raw = ["rsa/hazmat"]
 log-all = []
 log-none = []
diff --git a/src/lib.rs b/src/lib.rs
index 01303a8..a972f34 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -12,7 +12,9 @@ use rsa::{
 pkcs1v15::SigningKey,
 pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey},
 signature::hazmat::PrehashSigner,
- Pkcs1v15Sign, PublicKey, PublicKeyParts, RsaPrivateKey, RsaPublicKey,
+ signature::SignatureEncoding,
+ traits::PublicKeyParts,
+ Pkcs1v15Sign, RsaPrivateKey, RsaPublicKey,
 };
 use trussed::{
 api::{reply, request, Reply, Request},
@@ -242,16 +244,22 @@ fn sign(
 // We assume we get digest into this function, too.
 let native_signature = match kind {
- key::Kind::Rsa2048 => SigningKey::::new(priv_key).sign_prehash(&request.message),
- key::Kind::Rsa3072 => SigningKey::::new(priv_key).sign_prehash(&request.message),
- key::Kind::Rsa4096 => SigningKey::::new(priv_key).sign_prehash(&request.message),
+ key::Kind::Rsa2048 => {
+ SigningKey::::new_unprefixed(priv_key).sign_prehash(&request.message)
+ }
+ key::Kind::Rsa3072 => {
+ SigningKey::::new_unprefixed(priv_key).sign_prehash(&request.message)
+ }
+ key::Kind::Rsa4096 => {
+ SigningKey::::new_unprefixed(priv_key).sign_prehash(&request.message)
+ }
 _ => unreachable!(),
 }
 .map_err(|_err| {
 error!("Failed to sign message: {:?}", _err);
 Error::InternalError
 })?;
- let our_signature = Signature::from_slice(native_signature.as_ref()).unwrap();
+ let our_signature = Signature::from_slice(&native_signature.to_bytes()).unwrap();
 Ok(reply::Sign {
 signature: our_signature,
@@ -284,7 +292,7 @@ fn verify(
 let verification_ok = pub_key
 .verify(
- Pkcs1v15Sign::new_raw(),
+ Pkcs1v15Sign::new_unprefixed(),
 &request.message,
 &request.signature,
 )
@@ -341,7 +349,7 @@ fn rsa_raw(
 .expect("Failed to deserialize an RSA private key from PKCS#8 DER");
 let c = rsa::BigUint::from_bytes_be(plaintext);
- let res = rsa::internals::decrypt(Some(rng), &priv_key, &c).map_err(|_err| {
+ let res = rsa::hazmat::rsa_decrypt(Some(rng), &priv_key, &c).map_err(|_err| {
 error!("Failed raw decryption: {:?}", _err);
 Error::InternalError
 })?;
diff --git a/tests/rsa2048.rs b/tests/rsa2048.rs
index 9e356af..3ab3ae9 100644
--- a/tests/rsa2048.rs
+++ b/tests/rsa2048.rs
@@ -4,7 +4,7 @@
 #![cfg(feature = "virt")]
 use rsa::sha2::Sha256;
-use rsa::{Pkcs1v15Encrypt, Pkcs1v15Sign, PublicKeyParts};
+use rsa::{traits::PublicKeyParts, Pkcs1v15Encrypt, Pkcs1v15Sign};
 use trussed::client::CryptoClient;
 use trussed::syscall;
 use trussed::types::KeyId;
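Review bot: `new_unprefixed` makes all three arms of `sign` pad and sign `request.message` exactly as received: no DigestInfo is added and nothing visible in this hunk checks the input length, so the "we get digest" assumption in the comment above the match is not enforced. The `verify` hunk has the same property with `Pkcs1v15Sign::new_unprefixed()`. If clients are meant to send a ready-made DigestInfo, record that beside the match, e.g. `// Unprefixed on purpose: SigningKey::new() in rsa 0.9 would prepend DigestInfo itself`, and consider bounding the accepted input length before signing. Separately, `sign_prehash` takes no RNG while `rsa_raw` passes `Some(rng)`; as far as I know that means the private-key operation here runs without blinding, so it is worth checking whether the crate's randomized prehash signer can be used instead. Both function bodies continue outside their hunks, so a length check may already exist elsewhere.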
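Review bot: `rsa::hazmat::rsa_decrypt` hands back the private-key result without checking it against the public key, so a faulted computation on the device would go unnoticed; if the pinned 0.9 release exports the checked variant, `rsa_decrypt_and_check`, it is the safer call for this raw path. Keeping `Some(rng)` is right, since that is what enables blinding. The `.expect("Failed to deserialize …")` on the context line above panics on bad key material, while the line changed here maps its error to `Error::InternalError`; `.map_err(|_err| Error::InternalError)?` would make the two consistent. `rsa_raw` starts and ends outside the hunk.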
@@ -17,7 +17,7 @@ use trussed_rsa_alloc::*;
 use hex_literal::hex;
 use num_bigint_dig::BigUint;
-use rsa::{PublicKey, RsaPrivateKey};
+use rsa::RsaPrivateKey;
 // Tests below can be run on a PC using the "virt" feature
diff --git a/tests/rsa3072.rs b/tests/rsa3072.rs
index d20276b..4cf1ce2 100644
--- a/tests/rsa3072.rs
+++ b/tests/rsa3072.rs
@@ -4,7 +4,7 @@
 #![cfg(feature = "virt")]
 use rsa::sha2::Sha384;
-use rsa::{Pkcs1v15Encrypt, Pkcs1v15Sign, PublicKeyParts};
+use rsa::{traits::PublicKeyParts, Pkcs1v15Encrypt, Pkcs1v15Sign};
 use trussed::client::CryptoClient;
 use trussed::syscall;
 use trussed::types::KeyId;
@@ -17,7 +17,7 @@ use trussed_rsa_alloc::*;
 use hex_literal::hex;
 use num_bigint_dig::BigUint;
-use rsa::{PublicKey, RsaPrivateKey};
+use rsa::RsaPrivateKey;
 // Tests below can be run on a PC using the "virt" feature
diff --git a/tests/rsa4096.rs b/tests/rsa4096.rs
index fb06ba1..0373d96 100644
--- a/tests/rsa4096.rs
+++ b/tests/rsa4096.rs
@@ -4,7 +4,7 @@
 #![cfg(feature = "virt")]
 use rsa::sha2::Sha512;
-use rsa::{Pkcs1v15Encrypt, Pkcs1v15Sign, PublicKeyParts};
+use rsa::{traits::PublicKeyParts, Pkcs1v15Encrypt, Pkcs1v15Sign};
 use trussed::client::CryptoClient;
 use trussed::syscall;
 use trussed::types::KeyId;
@@ -17,7 +17,7 @@ use trussed_rsa_alloc::*;
 use hex_literal::hex;
 use num_bigint_dig::BigUint;
-use rsa::{PublicKey, RsaPrivateKey};
+use rsa::RsaPrivateKey;
 // Tests below can be run on a PC using the "virt" feature