diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go
index 62ec62e25..07ea3cc43 100644
--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@@ -373,93 +373,6 @@ func (k *Key) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error
 return dst, nil
 }
 
-// Encrypt encrypts and authenticates data. Stored in ciphertext is IV || Ciphertext ||
-// MAC. Encrypt returns the new ciphertext slice, which is extended when
-// necessary. ciphertext and plaintext may not point to (exactly) the same
-// slice or non-intersecting slices.
-func (k *Key) Encrypt(ciphertext []byte, plaintext []byte) ([]byte, error) {
- if !k.Valid() {
- return nil, errors.New("invalid key")
- }
-
- ciphertext = ciphertext[:cap(ciphertext)]
-
- // test for same slice, if possible
- if len(plaintext) > 0 && len(ciphertext) > 0 && &plaintext[0] == &ciphertext[0] {
- return nil, ErrInvalidCiphertext
- }
-
- // extend ciphertext slice if necessary
- if len(ciphertext) < len(plaintext)+Extension {
- ext := len(plaintext) + Extension - len(ciphertext)
- ciphertext = append(ciphertext, make([]byte, ext)...)
- }
-
- iv := NewRandomNonce()
- copy(ciphertext, iv[:])
-
- c, err := aes.NewCipher(k.EncryptionKey[:])
- if err != nil {
- panic(fmt.Sprintf("unable to create cipher: %v", err))
- }
- e := cipher.NewCTR(c, ciphertext[:ivSize])
- e.XORKeyStream(ciphertext[ivSize:], plaintext)
-
- // truncate to only cover iv and actual ciphertext
- ciphertext = ciphertext[:ivSize+len(plaintext)]
-
- mac := poly1305MAC(ciphertext[ivSize:], ciphertext[:ivSize], &k.MACKey)
- ciphertext = append(ciphertext, mac...)
-
- return ciphertext, nil
-}
-
-// Decrypt verifies and decrypts the ciphertext. Ciphertext must be in the form
-// IV || Ciphertext || MAC. plaintext and ciphertext may point to (exactly) the
-// same slice.
-func (k *Key) Decrypt(plaintext []byte, ciphertextWithMac []byte) (int, error) {
- if !k.Valid() {
- return 0, errors.New("invalid key")
- }
-
- // check for plausible length
- if len(ciphertextWithMac) < Extension {
- return 0, errors.Errorf("trying to decrypt invalid data: ciphertext too small")
- }
-
- // check buffer length for plaintext
- plaintextLength := len(ciphertextWithMac) - Extension
- if len(plaintext) < plaintextLength {
- return 0, errors.Errorf("plaintext buffer too small, %d < %d", len(plaintext), plaintextLength)
- }
-
- // extract mac
- l := len(ciphertextWithMac) - macSize
- ciphertextWithIV, mac := ciphertextWithMac[:l], ciphertextWithMac[l:]
-
- // extract iv
- iv, ciphertext := ciphertextWithIV[:ivSize], ciphertextWithIV[ivSize:]
-
- // verify mac
- if !poly1305Verify(ciphertext, iv, &k.MACKey, mac) {
- return 0, ErrUnauthenticated
- }
-
- if len(ciphertext) != plaintextLength {
- panic("plaintext and ciphertext lengths do not match")
- }
-
- // decrypt data
- c, err := aes.NewCipher(k.EncryptionKey[:])
- if err != nil {
- panic(fmt.Sprintf("unable to create cipher: %v", err))
- }
- e := cipher.NewCTR(c, iv)
- e.XORKeyStream(plaintext, ciphertext)
-
- return plaintextLength, nil
-}
-
 // Valid tests if the key is valid.
 func (k *Key) Valid() bool {
 return k.EncryptionKey.Valid() && k.MACKey.Valid()