diff --git a/src/header/crypt/mod.rs b/src/header/crypt/mod.rs
index 7fc49a7b13ee47ed6386dfaf2b89512f477bd514..f12ba53b012a525aaa5f50e1783dd83ad3d9d686 100644
--- a/src/header/crypt/mod.rs
+++ b/src/header/crypt/mod.rs
@@ -1,3 +1,6 @@
+// TODO: set this for entire crate when possible
+#![deny(unsafe_op_in_unsafe_fn)]
+
 use ::scrypt::password_hash::{Salt, SaltString};
 use alloc::{
     ffi::CString,
@@ -54,12 +57,14 @@ pub unsafe extern "C" fn crypt_r(
     setting: *const c_char,
     data: *mut crypt_data,
 ) -> *mut c_char {
-    if (*data).initialized == 0 {
-        *data = crypt_data::new();
+    if unsafe { (*data).initialized } == 0 {
+        unsafe { *data = crypt_data::new() };
     }
 
-    let key = CStr::from_ptr(key).to_str().expect("key must be utf-8");
-    let setting = CStr::from_ptr(setting)
+    let key = unsafe { CStr::from_ptr(key) }
+        .to_str()
+        .expect("key must be utf-8");
+    let setting = unsafe { CStr::from_ptr(setting) }
         .to_str()
         .expect("setting must be utf-8");
     let setting_bytes = setting.as_bytes();
@@ -89,8 +94,10 @@ pub unsafe extern "C" fn crypt_r(
         let len = inner.len();
         if let Ok(ret) = CString::new(inner) {
             let ret_ptr = ret.into_raw();
-            let dst = (*data).buff.as_mut_ptr();
-            ptr::copy_nonoverlapping(ret_ptr, dst.cast(), len);
+            let dst = unsafe { (*data).buff }.as_mut_ptr();
+            unsafe {
+                ptr::copy_nonoverlapping(ret_ptr, dst.cast(), len);
+            }
             ret_ptr.cast()
         } else {
             ptr::null_mut()