diff --git a/pkg/api/api.go b/pkg/api/api.go
index 2b2fc32b2ac5c4d582d42c311c11f5bba7494403..dd6980c4b9d61c4be205403f4e3e6b4242c19f95 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -100,11 +100,7 @@ func NewAPI() (*API, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "marshalling public key")
 	}
-	hasher := sha256.New()
-	if _, err = hasher.Write(b); err != nil {
-		return nil, errors.Wrap(err, "computing hash of public key")
-	}
-	pubkeyHashBytes := hasher.Sum(nil)
+	pubkeyHashBytes := sha256.Sum256(b)
 
 	pubkey := pem.EncodeToMemory(&pem.Block{
 		Type:  "PUBLIC KEY",
@@ -141,7 +137,7 @@ func NewAPI() (*API, error) {
 		logClient:    logClient,
 		logID:        tLogID,
 		pubkey:       string(pubkey),
-		pubkeyHash:   hex.EncodeToString(pubkeyHashBytes),
+		pubkeyHash:   hex.EncodeToString(pubkeyHashBytes[:]),
 		signer:       rekorSigner,
 		certChain:    certChain,
 		certChainPem: string(certChainPem),
diff --git a/pkg/api/index.go b/pkg/api/index.go
index cda6bf433675f311dc2093616ba11e43de3659de..42606cac9a313c8fcce04079dc9a3d64f71920b1 100644
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -61,13 +61,9 @@ func SearchIndexHandler(params index.SearchIndexParams) middleware.Responder {
 			return handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalKey)
 		}
 
-		hasher := sha256.New()
-		if _, err := hasher.Write(canonicalKey); err != nil {
-			return handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalKey)
-		}
-		keyHash := hasher.Sum(nil)
+		keyHash := sha256.Sum256(canonicalKey)
 		var resultUUIDs []string
-		if err := redisClient.Do(httpReqCtx, radix.Cmd(&resultUUIDs, "LRANGE", strings.ToLower(hex.EncodeToString(keyHash)), "0", "-1")); err != nil {
+		if err := redisClient.Do(httpReqCtx, radix.Cmd(&resultUUIDs, "LRANGE", strings.ToLower(hex.EncodeToString(keyHash[:])), "0", "-1")); err != nil {
 			return handleRekorAPIError(params, http.StatusInternalServerError, err, redisUnexpectedResult)
 		}
 		result = append(result, resultUUIDs...)
diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go
index 83bcc2072c3ccbc19da89a7b41452c7bb6b441a8..5ff42c825a6dde9fd529b59e5b6c57a6ad5aed00 100644
--- a/pkg/signer/memory_test.go
+++ b/pkg/signer/memory_test.go
@@ -18,8 +18,8 @@ package signer
 
 import (
 	"context"
-	"crypto"
 	"crypto/ecdsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"testing"
 )
@@ -49,11 +49,10 @@ func TestMemory(t *testing.T) {
 	if !ok {
 		t.Fatalf("ecdsa public key: %v", err)
 	}
-	h := crypto.SHA256.New()
-	if _, err := h.Write(payload); err != nil {
-		t.Fatalf("writing payload: %v", err)
-	}
-	if !ecdsa.VerifyASN1(pk, h.Sum(nil), signature) {
+
+	h := sha256.Sum256(payload)
+
+	if !ecdsa.VerifyASN1(pk, h[:], signature) {
 		t.Fatalf("unable to verify signature")
 	}
 
@@ -63,7 +62,7 @@ func TestMemory(t *testing.T) {
 	if !ok {
 		t.Fatalf("cert ecdsa public key: %v", err)
 	}
-	if !ecdsa.VerifyASN1(pkCert, h.Sum(nil), signature) {
+	if !ecdsa.VerifyASN1(pkCert, h[:], signature) {
 		t.Fatalf("unable to verify signature")
 	}
 	// verify that the cert chain is configured for timestamping
diff --git a/pkg/types/jar/v0.0.1/entry.go b/pkg/types/jar/v0.0.1/entry.go
index 37df37f78e51d14c1212df773d289e6aeb477be7..aa30853b68733ab7673b87da9c968c765090f3ce 100644
--- a/pkg/types/jar/v0.0.1/entry.go
+++ b/pkg/types/jar/v0.0.1/entry.go
@@ -84,12 +84,8 @@ func (v V001Entry) IndexKeys() []string {
 	if err != nil {
 		log.Logger.Error(err)
 	} else {
-		hasher := sha256.New()
-		if _, err := hasher.Write(key); err != nil {
-			log.Logger.Error(err)
-		} else {
-			result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
-		}
+		keyHash := sha256.Sum256(key)
+		result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 	}
 
 	if v.JARModel.Archive.Hash != nil {
diff --git a/pkg/types/jar/v0.0.1/entry_test.go b/pkg/types/jar/v0.0.1/entry_test.go
index 2a8d28bda92906fe46d96a5d4a004c044412a8ac..ca9dac795bc4a616558f6a73cf4ec57d091a9739 100644
--- a/pkg/types/jar/v0.0.1/entry_test.go
+++ b/pkg/types/jar/v0.0.1/entry_test.go
@@ -54,9 +54,8 @@ func TestCrossFieldValidation(t *testing.T) {
 
 	jarBytes, _ := ioutil.ReadFile("../../../../tests/test.jar")
 
-	h := sha256.New()
-	_, _ = h.Write(jarBytes)
-	dataSHA := hex.EncodeToString(h.Sum(nil))
+	h := sha256.Sum256(jarBytes)
+	dataSHA := hex.EncodeToString(h[:])
 
 	testServer := httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/types/rekord/v0.0.1/entry.go b/pkg/types/rekord/v0.0.1/entry.go
index a7f63446fe416ccd828136aee9261877c230fe06..77c2abe6b6983212ba2dc0393c8663da542bf372 100644
--- a/pkg/types/rekord/v0.0.1/entry.go
+++ b/pkg/types/rekord/v0.0.1/entry.go
@@ -77,12 +77,8 @@ func (v V001Entry) IndexKeys() []string {
 	if err != nil {
 		log.Logger.Error(err)
 	} else {
-		hasher := sha256.New()
-		if _, err := hasher.Write(key); err != nil {
-			log.Logger.Error(err)
-		} else {
-			result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
-		}
+		keyHash := sha256.Sum256(key)
+		result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 	}
 
 	result = append(result, v.keyObj.EmailAddresses()...)
diff --git a/pkg/types/rekord/v0.0.1/entry_test.go b/pkg/types/rekord/v0.0.1/entry_test.go
index b9eaa1f4f38e99828b487b3fad31e26d8b3e899e..782a11d043949fd0c7ac1d9a4d79cab036b52ff0 100644
--- a/pkg/types/rekord/v0.0.1/entry_test.go
+++ b/pkg/types/rekord/v0.0.1/entry_test.go
@@ -57,9 +57,8 @@ func TestCrossFieldValidation(t *testing.T) {
 	keyBytes, _ := ioutil.ReadFile("../../../../tests/test_public_key.key")
 	dataBytes, _ := ioutil.ReadFile("../../../../tests/test_file.txt")
 
-	h := sha256.New()
-	_, _ = h.Write(dataBytes)
-	dataSHA := hex.EncodeToString(h.Sum(nil))
+	h := sha256.Sum256(dataBytes)
+	dataSHA := hex.EncodeToString(h[:])
 
 	testServer := httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/types/rpm/v0.0.1/entry.go b/pkg/types/rpm/v0.0.1/entry.go
index 10c9bdb3255f6a322070728fc0b81732e7b36245..29a17c7c4abb7cb819f886ea70e0f30fbb031880 100644
--- a/pkg/types/rpm/v0.0.1/entry.go
+++ b/pkg/types/rpm/v0.0.1/entry.go
@@ -81,12 +81,8 @@ func (v V001Entry) IndexKeys() []string {
 	if err != nil {
 		log.Logger.Error(err)
 	} else {
-		hasher := sha256.New()
-		if _, err := hasher.Write(key); err != nil {
-			log.Logger.Error(err)
-		} else {
-			result = append(result, strings.ToLower(hex.EncodeToString(hasher.Sum(nil))))
-		}
+		keyHash := sha256.Sum256(key)
+		result = append(result, strings.ToLower(hex.EncodeToString(keyHash[:])))
 	}
 
 	result = append(result, v.keyObj.EmailAddresses()...)
diff --git a/pkg/types/rpm/v0.0.1/entry_test.go b/pkg/types/rpm/v0.0.1/entry_test.go
index 865e677a1bfc469060aa8b0c3a9b710c21991f06..6b0cfdf968b8616212dc7ef67d163ccfe3f29cb1 100644
--- a/pkg/types/rpm/v0.0.1/entry_test.go
+++ b/pkg/types/rpm/v0.0.1/entry_test.go
@@ -56,9 +56,8 @@ func TestCrossFieldValidation(t *testing.T) {
 	keyBytes, _ := ioutil.ReadFile("../../../../tests/test_rpm_public_key.key")
 	dataBytes, _ := ioutil.ReadFile("../../../../tests/test.rpm")
 
-	h := sha256.New()
-	_, _ = h.Write(dataBytes)
-	dataSHA := hex.EncodeToString(h.Sum(nil))
+	h := sha256.Sum256(dataBytes)
+	dataSHA := hex.EncodeToString(h[:])
 
 	testServer := httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
diff --git a/pkg/util/rfc3161.go b/pkg/util/rfc3161.go
index 6d80cd09f21b63bc554dc1d15296fbd1a4d1190f..17c702e7326414ccf03b27bc76ae4f23358ca11b 100644
--- a/pkg/util/rfc3161.go
+++ b/pkg/util/rfc3161.go
@@ -18,6 +18,7 @@ package util
 import (
 	"context"
 	"crypto"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -51,14 +52,10 @@ type SigningCertificateV2 struct {
 }
 
 func createSigningCertificate(certificate *x509.Certificate) ([]byte, error) {
-	h := crypto.SHA256.New() // TODO: Get from certificate, defaults to 256
-	_, err := h.Write(certificate.Raw)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create hash")
-	}
+	h := sha256.Sum256(certificate.Raw) // TODO: Get from certificate, defaults to 256
 	signingCert := SigningCertificateV2{
 		Certs: []EssCertIDv2{{
-			CertHash: h.Sum(nil),
+			CertHash: h[:],
 			IssuerNameAndSerial: IssuerNameAndSerial{
 				IssuerName:   GeneralName{Name: asn1.RawValue{Tag: 4, Class: 2, IsCompound: true, Bytes: certificate.RawIssuer}},
 				SerialNumber: certificate.SerialNumber,
@@ -174,11 +171,9 @@ func CreateRfc3161Response(ctx context.Context, req pkcs9.TimeStampReq, certChai
 	}
 
 	// TODO: Does this need to match the hash algorithm in the request?
-	h := crypto.SHA256.New()
 	alg, _ := x509tools.PkixDigestAlgorithm(crypto.SHA256)
 	contentInfoBytes, _ := contentInfo.Bytes()
-	h.Write(contentInfoBytes)
-	digest := h.Sum(nil)
+	h := sha256.Sum256(contentInfoBytes)
 
 	// Create SignerInfo and signature.
 	signingCert, err := createSigningCertificate(certChain[0])
@@ -189,7 +184,7 @@ func CreateRfc3161Response(ctx context.Context, req pkcs9.TimeStampReq, certChai
 	if err := attributes.Add(pkcs7.OidAttributeContentType, contentInfo.ContentType); err != nil {
 		return nil, err
 	}
-	if err := attributes.Add(pkcs7.OidAttributeMessageDigest, digest); err != nil {
+	if err := attributes.Add(pkcs7.OidAttributeMessageDigest, h[:]); err != nil {
 		return nil, err
 	}
 	if err := attributes.Add(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 47}, signingCert); err != nil {
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
index 7510ebcc492f12f9995a04e36ef72e29e863c136..9fc380be66bfaa946444a9d94eeaa5ea909555f0 100644
--- a/tests/e2e_test.go
+++ b/tests/e2e_test.go
@@ -20,7 +20,6 @@ package e2e
 import (
 	"bytes"
 	"context"
-	"crypto"
 	"crypto/ecdsa"
 	"crypto/sha256"
 	"crypto/x509"
@@ -192,15 +191,13 @@ func TestGet(t *testing.T) {
 	out = runCli(t, "search", "--public-key", pubPath)
 	outputContains(t, out, uuid)
 
-	hash := sha256.New()
 	artifactBytes, err := ioutil.ReadFile(artifactPath)
 	if err != nil {
 		t.Error(err)
 	}
-	hash.Write(artifactBytes)
-	sha := hash.Sum(nil)
+	sha := sha256.Sum256(artifactBytes)
 
-	out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha)))
+	out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha[:])))
 	outputContains(t, out, uuid)
 }
 
@@ -468,13 +465,8 @@ func TestSignedEntryTimestamp(t *testing.T) {
 	}
 
 	// verify the signature against the public key
-	h := crypto.SHA256.New()
-	if _, err := h.Write(canonicalized); err != nil {
-		t.Fatal(err)
-	}
-	sum := h.Sum(nil)
-
-	if !ecdsa.VerifyASN1(rekorPubKey, sum, []byte(sig)) {
+	h := sha256.Sum256(canonicalized)
+	if !ecdsa.VerifyASN1(rekorPubKey, h[:], []byte(sig)) {
 		t.Fatal("unable to verify")
 	}
 }
@@ -522,12 +514,8 @@ func TestTimestampResponseCLI(t *testing.T) {
 	}
 
 	// Now try with the digest.
-	h := crypto.SHA256.New()
-	if _, err := h.Write(payload); err != nil {
-		t.Fatalf("error creating digest")
-	}
-	digest := h.Sum(nil)
-	hexDigest := hex.EncodeToString(digest)
+	h := sha256.Sum256(payload)
+	hexDigest := hex.EncodeToString(h[:])
 	out = runCli(t, "timestamp", "--artifact-hash", hexDigest, "--out", responsePath)
 	outputContains(t, out, "Wrote response to")
 	cmd = exec.Command("openssl", "ts", "-verify", "-digest", hexDigest, "-in", responsePath, "-CAfile", CAPath)
diff --git a/tests/x509.go b/tests/x509.go
index 11fc4611c221db2da44ef07cfeea455f457ebf8d..9c3762547866eac7c30a336dd7bb2e9f53c510b1 100644
--- a/tests/x509.go
+++ b/tests/x509.go
@@ -131,10 +131,8 @@ func init() {
 }
 
 func SignX509Cert(b []byte) ([]byte, error) {
-	h := sha256.New()
-	h.Write(b)
-	dgst := h.Sum(nil)
-	signature, err := certPrivateKey.Sign(rand.Reader, dgst, crypto.SHA256)
+	dgst := sha256.Sum256(b)
+	signature, err := certPrivateKey.Sign(rand.Reader, dgst[:], crypto.SHA256)
 	return signature, err
 }