diff --git a/README.md b/README.md
index 3a23406..e83cf7c 100644
--- a/README.md
+++ b/README.md
@@ -434,9 +434,6 @@ Remove all `locale` translation files.
 ---
 #### Encrypted root partition:
-##### `KERNEL_CRYPTFS`=false
-Enable Kernel Moduls for crypto
-
 ##### `ENABLE_CRYPTFS`=false
 Enable full system encryption with dm-crypt. Setup a fully LUKS encrypted root partition (aes-xts-plain64:sha512) and generate required initramfs. The /boot directory will not be encrypted. This parameter will be ignored if `BUILD_KERNEL`=false. `ENABLE_CRYPTFS` is experimental. SSH-to-initramfs is currently not supported but will be soon - feel free to help.
@@ -446,9 +443,12 @@ Set password of the encrypted root partition. This parameter is mandatory if `EN
 ##### `CRYPTFS_MAPPING`="secure"
 Set name of dm-crypt managed device-mapper mapping.
-##### `CRYPTFS_CIPHER`="aes-xts-plain64:sha512"
+##### `CRYPTFS_CIPHER`="aes-xts-plain64"
 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
+##### `CRYPTFS_HASH`=sha512
+Hash function and size to be used
+
 ##### `CRYPTFS_XTSKEYSIZE`=512
 Sets key size in bits. The argument has to be a multiple of 8.
diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh
index c9e5725..9cde19c 100755
--- a/rpi23-gen-image.sh
+++ b/rpi23-gen-image.sh
@@ -223,7 +223,8 @@ REDUCE_LOCALE=${REDUCE_LOCALE:=true}
 ENABLE_CRYPTFS=${ENABLE_CRYPTFS:=false}
 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
-CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
+CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64"}
+CRYPTFS_HASH=${CRYPTFS_HASH:=":sha512"}
 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}
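Review bot: The new default `CRYPTFS_HASH=${CRYPTFS_HASH:=":sha512"}` in rpi23-gen-image.sh bakes the `:` separator into the value, while the README hunk of this same commit documents the parameter as `CRYPTFS_HASH`=sha512. The code that consumes the variable is outside this hunk, but if it concatenates cipher and hash, a user who follows the README and sets `CRYPTFS_HASH=sha512` would presumably end up with a malformed specification, and if the value is handed to cryptsetup's `--hash` option the leading colon is not part of a valid digest name. I would store the bare name, `CRYPTFS_HASH=${CRYPTFS_HASH:="sha512"}`, and add the separator at the point of use. Existing configurations that still pass `CRYPTFS_CIPHER="aes-xts-plain64:sha512"` also deserve a check at that use site so the hash suffix is not appended twice.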