diff --git a/apis/chef/src/main/java/org/jclouds/chef/filters/SignedHeaderAuth.java b/apis/chef/src/main/java/org/jclouds/chef/filters/SignedHeaderAuth.java
index 30b26c0804..0cab71f57a 100644
--- a/apis/chef/src/main/java/org/jclouds/chef/filters/SignedHeaderAuth.java
+++ b/apis/chef/src/main/java/org/jclouds/chef/filters/SignedHeaderAuth.java
@@ -18,6 +18,7 @@ package org.jclouds.chef.filters;
 
 import static com.google.common.base.Charsets.UTF_8;
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.hash.Hashing.sha1;
 import static com.google.common.io.BaseEncoding.base64;
 import static com.google.common.io.ByteStreams.toByteArray;
@@ -33,6 +34,7 @@ import javax.inject.Provider;
 import javax.inject.Singleton;
 
 import org.jclouds.Constants;
+import org.jclouds.crypto.Crypto;
 import org.jclouds.date.TimeStamp;
 import org.jclouds.domain.Credentials;
 import org.jclouds.http.HttpException;
@@ -50,6 +52,7 @@ import org.jclouds.logging.Logger;
 import org.jclouds.util.Strings2;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
 import com.google.common.base.Predicate;
 import com.google.common.base.Splitter;
 import com.google.common.base.Supplier;
@@ -74,6 +77,7 @@ public class SignedHeaderAuth implements HttpRequestFilter {
    private final Provider<String> timeStampProvider;
    private final String emptyStringHash;
    private final HttpUtils utils;
+   private final Crypto crypto;
 
    @Resource
    @Named(Constants.LOGGER_SIGNATURE)
@@ -81,13 +85,14 @@ public class SignedHeaderAuth implements HttpRequestFilter {
 
    @Inject
    public SignedHeaderAuth(SignatureWire signatureWire, @org.jclouds.location.Provider Supplier<Credentials> creds,
-         Supplier<PrivateKey> supplyKey, @TimeStamp Provider<String> timeStampProvider, HttpUtils utils) {
-      this.signatureWire = signatureWire;
-      this.creds = creds;
-      this.supplyKey = supplyKey;
-      this.timeStampProvider = timeStampProvider;
+         Supplier<PrivateKey> supplyKey, @TimeStamp Provider<String> timeStampProvider, HttpUtils utils, Crypto crypto) {
+      this.signatureWire = checkNotNull(signatureWire, "signatureWire");
+      this.creds = checkNotNull(creds, "creds");
+      this.supplyKey = checkNotNull(supplyKey, "supplyKey");
+      this.timeStampProvider = checkNotNull(timeStampProvider, "timeStampProvider");
       this.emptyStringHash = hashBody(Payloads.newStringPayload(""));
-      this.utils = utils;
+      this.utils = checkNotNull(utils, "utils");
+      this.crypto = checkNotNull(crypto, "crypto");
    }
 
    public HttpRequest filter(HttpRequest input) throws HttpException {
@@ -186,7 +191,7 @@ public class SignedHeaderAuth implements HttpRequestFilter {
 
    public String sign(String toSign) {
       try {
-         byte[] encrypted = toByteArray(new RSAEncryptingPayload(Payloads.newStringPayload(toSign), supplyKey.get()));
+         byte[] encrypted = toByteArray(new RSAEncryptingPayload(crypto, Payloads.newStringPayload(toSign), supplyKey.get()));
          return base64().encode(encrypted);
       } catch (IOException e) {
          throw new HttpException("error signing request", e);
diff --git a/apis/chef/src/main/java/org/jclouds/chef/internal/BaseChefService.java b/apis/chef/src/main/java/org/jclouds/chef/internal/BaseChefService.java
index 9619b445ac..c22e6972d8 100644
--- a/apis/chef/src/main/java/org/jclouds/chef/internal/BaseChefService.java
+++ b/apis/chef/src/main/java/org/jclouds/chef/internal/BaseChefService.java
@@ -54,6 +54,7 @@ import org.jclouds.chef.strategy.ListNodesInEnvironment;
 import org.jclouds.chef.strategy.ListEnvironments;
 import org.jclouds.chef.strategy.ListNodes;
 import org.jclouds.chef.strategy.UpdateAutomaticAttributesOnNode;
+import org.jclouds.crypto.Crypto;
 import org.jclouds.domain.JsonBall;
 import org.jclouds.io.Payloads;
 import org.jclouds.io.payloads.RSADecryptingPayload;
@@ -90,6 +91,8 @@ public class BaseChefService implements ChefService {
    private final ListEnvironments listEnvironments;
    private final ListNodesInEnvironment listNodesInEnvironment;
    private final Json json;
+   private final Crypto crypto;
+   
    @Resource
    @Named(ChefProperties.CHEF_LOGGER)
    protected Logger logger = Logger.NULL;
@@ -104,7 +107,7 @@ public class BaseChefService implements ChefService {
          @Named(CHEF_BOOTSTRAP_DATABAG) String databag, GroupToBootScript groupToBootScript,
          BootstrapConfigForGroup bootstrapConfigForGroup, RunListForGroup runListForGroup,
          ListEnvironments listEnvironments, ListNodesInEnvironment listNodesInEnvironment,
-         ListCookbookVersionsInEnvironment listCookbookVersionsInEnvironment, Json json) {
+         ListCookbookVersionsInEnvironment listCookbookVersionsInEnvironment, Json json, Crypto crypto) {
       this.chefContext = checkNotNull(chefContext, "chefContext");
       this.api = checkNotNull(api, "api");
       this.cleanupStaleNodesAndClients = checkNotNull(cleanupStaleNodesAndClients, "cleanupStaleNodesAndClients");
@@ -126,6 +129,7 @@ public class BaseChefService implements ChefService {
       this.listNodesInEnvironment = checkNotNull(listNodesInEnvironment, "listNodesInEnvironment");
       this.listCookbookVersionsInEnvironment = checkNotNull(listCookbookVersionsInEnvironment, "listCookbookVersionsInEnvironment");
       this.json = checkNotNull(json, "json");
+      this.crypto = checkNotNull(crypto, "crypto");
    }
 
    @Override
@@ -135,13 +139,13 @@ public class BaseChefService implements ChefService {
 
    @Override
    public byte[] encrypt(InputSupplier<? extends InputStream> supplier) throws IOException {
-      return ByteStreams.toByteArray(new RSAEncryptingPayload(Payloads.newPayload(supplier.getInput()), privateKey
+      return ByteStreams.toByteArray(new RSAEncryptingPayload(crypto, Payloads.newPayload(supplier.getInput()), privateKey
             .get()));
    }
 
    @Override
    public byte[] decrypt(InputSupplier<? extends InputStream> supplier) throws IOException {
-      return ByteStreams.toByteArray(new RSADecryptingPayload(Payloads.newPayload(supplier.getInput()), privateKey
+      return ByteStreams.toByteArray(new RSADecryptingPayload(crypto, Payloads.newPayload(supplier.getInput()), privateKey
             .get()));
    }
 
diff --git a/apis/chef/src/test/java/org/jclouds/chef/filters/SignedHeaderAuthTest.java b/apis/chef/src/test/java/org/jclouds/chef/filters/SignedHeaderAuthTest.java
index 0e6ca4ad61..bfba190af6 100644
--- a/apis/chef/src/test/java/org/jclouds/chef/filters/SignedHeaderAuthTest.java
+++ b/apis/chef/src/test/java/org/jclouds/chef/filters/SignedHeaderAuthTest.java
@@ -28,6 +28,7 @@ import javax.ws.rs.HttpMethod;
 
 import org.jclouds.ContextBuilder;
 import org.jclouds.chef.ChefApiMetadata;
+import org.jclouds.crypto.Crypto;
 import org.jclouds.domain.Credentials;
 import org.jclouds.http.HttpRequest;
 import org.jclouds.http.HttpUtils;
@@ -193,6 +194,7 @@ public class SignedHeaderAuthTest {
             .modules(ImmutableSet.<Module> of(new MockModule(), new NullLoggingModule())).buildInjector();
 
       HttpUtils utils = injector.getInstance(HttpUtils.class);
+      Crypto crypto = injector.getInstance(Crypto.class);
 
       Supplier<PrivateKey> privateKey = injector.getInstance(Key.get(new TypeLiteral<Supplier<PrivateKey>>() {
       }));
@@ -205,7 +207,7 @@ public class SignedHeaderAuthTest {
                   return TIMESTAMP_ISO8601;
                }
 
-            }, utils);
+            }, utils, crypto);
    }
 
 }
diff --git a/apis/chef/src/test/java/org/jclouds/chef/functions/ParseClientFromJsonTest.java b/apis/chef/src/test/java/org/jclouds/chef/functions/ParseClientFromJsonTest.java
index 671ff93ee2..e8bebcb403 100644
--- a/apis/chef/src/test/java/org/jclouds/chef/functions/ParseClientFromJsonTest.java
+++ b/apis/chef/src/test/java/org/jclouds/chef/functions/ParseClientFromJsonTest.java
@@ -19,6 +19,7 @@ package org.jclouds.chef.functions;
 import static org.testng.Assert.assertEquals;
 
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -29,6 +30,7 @@ import org.jclouds.chef.config.ChefParserModule;
 import org.jclouds.chef.domain.Client;
 import org.jclouds.crypto.Crypto;
 import org.jclouds.crypto.Pems;
+import org.jclouds.encryption.internal.JCECrypto;
 import org.jclouds.http.HttpResponse;
 import org.jclouds.http.functions.ParseJson;
 import org.jclouds.io.Payloads;
@@ -77,16 +79,16 @@ public class ParseClientFromJsonTest {
       privateKey = crypto.rsaKeyFactory().generatePrivate(Pems.privateKeySpec(ByteSource.wrap(PRIVATE_KEY.getBytes(Charsets.UTF_8))));
    }
 
-   public void test() throws IOException {
+   public void test() throws IOException, CertificateException, NoSuchAlgorithmException {
 
       Client user = Client.builder().certificate(certificate).orgname("jclouds").clientname("adriancole-jcloudstest")
             .name("adriancole-jcloudstest").isValidator(false).privateKey(privateKey).build();
 
-      byte[] encrypted = ByteStreams.toByteArray(new RSAEncryptingPayload(Payloads.newPayload("fooya"), user
+      byte[] encrypted = ByteStreams.toByteArray(new RSAEncryptingPayload(new JCECrypto(), Payloads.newPayload("fooya"), user
             .getCertificate().getPublicKey()));
 
       assertEquals(
-            ByteStreams.toByteArray(new RSADecryptingPayload(Payloads.newPayload(encrypted), user.getPrivateKey())),
+            ByteStreams.toByteArray(new RSADecryptingPayload(new JCECrypto(), Payloads.newPayload(encrypted), user.getPrivateKey())),
             "fooya".getBytes());
 
       assertEquals(