diff --git a/include/opendht/crypto.h b/include/opendht/crypto.h
index 67c95f1bff20c1629f084a7fe8b7d5c231dcd4f4..e72082ea7c75afe97a51752abcac833fedf681da 100644
--- a/include/opendht/crypto.h
+++ b/include/opendht/crypto.h
@@ -807,8 +807,11 @@ OPENDHT_PUBLIC inline Blob aesEncrypt(const Blob& data, const Blob& key) {
 * This function uses `stretchKey` to generate an AES key from the password and a random salt.
 * The result is a bundle including the salt that can be decrypted with `aesDecrypt(data, password)`.
 * If needed, the salt or encrypted data can be individually extracted from the bundle with `aesGetSalt` and `aesGetEncrypted`.
+ * @param data: data to encrypt
+ * @param password: password to encrypt the data with
+ * @param salt: optional salt to use for key derivation. If not provided, a random salt will be generated.
 */
-OPENDHT_PUBLIC Blob aesEncrypt(const Blob& data, std::string_view password);
+OPENDHT_PUBLIC Blob aesEncrypt(const Blob& data, std::string_view password, const Blob& salt = {});
 
 /**
 * AES-GCM decryption.
diff --git a/src/crypto.cpp b/src/crypto.cpp
index 4b6ee226733afffc47b84180d1e220e62d3c782b..eafce169fee2ad3f7c2ff5f2c20de4b3662a4590 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -103,11 +103,11 @@ Blob aesEncrypt(const uint8_t* data, size_t data_length, const Blob& key)
 return ret;
 }
 
-Blob aesEncrypt(const Blob& data, std::string_view password)
+Blob aesEncrypt(const Blob& data, std::string_view password, const Blob& salt)
 {
- Blob salt;
- Blob key = stretchKey(password, salt, 256 / 8);
- return aesBuildEncrypted(aesEncrypt(data, key), salt);
+ Blob salt_actual = salt;
+ Blob key = stretchKey(password, salt_actual, 256 / 8);
+ return aesBuildEncrypted(aesEncrypt(data, key), salt_actual);
 }
 
 Blob aesDecrypt(const uint8_t* data, size_t data_length, const Blob& key)
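Review bot: The summary sentence kept as context above the new `@param` lines still says the key comes from "the password and a random salt", which is no longer true when a caller passes `salt`, and the `@param salt` text states neither the expected length nor the effect of reuse. Passing the same salt with the same password derives the same AES key on every call, so message separation then depends entirely on the per-message nonce chosen by the key-based `aesEncrypt`, which is not visible here. I would word the parameter as `@param salt: optional key-derivation salt, of the size the bundle format expects; if empty, a random salt is generated. Reusing a salt with the same password yields the same key.` and change the summary to "a random or caller-provided salt". The comment block opens above the hunk, so its first lines are not shown.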
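Review bot: A caller-supplied `salt` is handed to `stretchKey` and then embedded by `aesBuildEncrypted` without any length check in the new `aesEncrypt(data, password, salt)`. Both helpers are defined outside the hunk, so this is inferred: if neither rejects an unexpected size, the bundle would carry a salt that `aesGetSalt` and `aesDecrypt(data, password)` split at a different offset, and decryption would fail or derive a different key. A guard at the top of the function, such as `if (!salt.empty() && salt.size() != SALT_SIZE) throw std::invalid_argument("invalid salt size");`, would keep the bundle self-consistent; `SALT_SIZE` is a placeholder for the project's existing salt-length constant, and the exception type should follow the file's convention. A round-trip test with an explicit salt and a rejection test with a short salt would pin the behaviour.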