diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80988981..1efe77d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ In Development
 --------------
 
 * Migrate to the ECDSAP256SHA256 DNSSEC algorithm. If a DS record is set for any of your domain names that have DNS hosted on your box, you will be prompted by status checks to update the DS record.
+* Roundcube's login cookie is updated to use a new encryption algorithm (AES-256-CBC instead of DES-EDE-CBC).
 
 v0.53 (April 12, 2021)
 ----------------------
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 912bd5e5..98e12d1a 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -91,8 +91,9 @@ fi
 
 # ### Configuring Roundcube
 
-# Generate a safe 24-character secret key of safe characters.
-SECRET_KEY=$(dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64 | fold -w 24 | head -n 1)
+# Generate a secret key of PHP-string-safe characters appropriate
+# for the cipher algorithm selected below.
+SECRET_KEY=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | sed s/=//g)
 
 # Create a configuration file.
 #
@@ -126,7 +127,8 @@ cat > $RCM_CONFIG <<EOF;
  );
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
-\$config['des_key'] = '$SECRET_KEY';
+\$config['cipher_method'] = 'AES-256-CBC'; # persistent login cookie and potentially other things
+\$config['des_key'] = '$SECRET_KEY'; # 37 characters -> ~256 bits for AES-256, see above
 \$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
 \$config['skin'] = 'elastic';
 \$config['login_autocomplete'] = 2;