diff --git a/.golangci.yaml b/.golangci.yaml
index b79168c94..4e39f1a45 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -38,8 +38,8 @@ linters:
 desc: use github.com/portainer/portainer/pkg/libcrypto
 - pkg: github.com/portainer/libhttp
 desc: use github.com/portainer/portainer/pkg/libhttp
- - pkg: golang.org/x/crypto/pbkdf2
- desc: use standard crypto/pbkdf2 instead - important for FIPS mode
+ - pkg: golang.org/x/crypto
+ desc: golang.org/x/crypto is not allowed because of FIPS mode
 forbidigo:
 forbid:
 - pattern: ^tls\.Config$
diff --git a/api/crypto/aes.go b/api/crypto/aes.go
index 6809f1dc4..41f80f658 100644
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -15,8 +15,9 @@ import (
 "github.com/portainer/portainer/pkg/fips"
- "golang.org/x/crypto/argon2"
- "golang.org/x/crypto/scrypt"
+ // Not allowed in FIPS mode
+ "golang.org/x/crypto/argon2" //nolint:depguard
+ "golang.org/x/crypto/scrypt" //nolint:depguard
 )
 const (
diff --git a/api/crypto/hash.go b/api/crypto/hash.go
index 9c82dc514..e8b222abd 100644
--- a/api/crypto/hash.go
+++ b/api/crypto/hash.go
@@ -1,7 +1,8 @@
 package crypto
 import (
- "golang.org/x/crypto/bcrypt"
+ // Not allowed in FIPS mode
+ "golang.org/x/crypto/bcrypt" //nolint:depguard
 )
 // Service represents a service for encrypting/hashing data.
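Review bot: The new `desc` on the `golang.org/x/crypto` deny entry says the import is forbidden but no longer says what to use instead, which the removed pbkdf2 entry did (`use standard crypto/pbkdf2 instead`). Because depguard shows this text at the failing import, I would keep a pointer in it, e.g. `desc: golang.org/x/crypto is not allowed because of FIPS mode - use the standard library crypto packages (e.g. crypto/pbkdf2)`. Assuming depguard's default prefix matching, the entry now covers every subpackage under that path, so the remaining uses are the ones exempted with `//nolint:depguard`; a short YAML comment above the entry stating when such an exemption is acceptable would make that policy visible to reviewers. The `linters:` section continues outside the hunk.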
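Review bot: The `//nolint:depguard` directives on the argon2 and scrypt imports exempt them from the new FIPS rule, yet the comment above them (`// Not allowed in FIPS mode`) only restates the restriction and does not say why the exemption is safe. I would state the invariant the linter can no longer check, e.g. `// Not FIPS-approved: must only be reached when FIPS mode is off (<where this is enforced>)`, and put the justification on each directive (`//nolint:depguard // <reason>`) so it stays attached if the imports are regrouped. The same applies to the bcrypt import in api/crypto/hash.go, where the import block shown holds only bcrypt and no `pkg/fips`, so any FIPS-mode gate for that hashing presumably lives in callers and the comment should name it. The code that uses these packages is outside the hunks, so whether those paths are actually gated cannot be confirmed from this diff.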