diff --git a/meson.build b/meson.build
index 738879eb21..e4d8f29ec6 100644
--- a/meson.build
+++ b/meson.build
@@ -1707,7 +1707,8 @@ install_libsystemd_static = static_library(
 libcap,
 libblkid,
 libmount,
- libgcrypt],
+ libgcrypt,
+ libopenssl],
 c_args : libsystemd_c_args + (static_libsystemd_pic ? [] : ['-fno-PIC']))
 libudev = shared_library(
diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build
index 489ed12a73..154d9acd2a 100644
--- a/src/libsystemd/meson.build
+++ b/src/libsystemd/meson.build
@@ -166,7 +166,8 @@ libsystemd_static = static_library(
 include_directories : libsystemd_includes,
 link_with : libbasic,
 dependencies : [threads,
- librt],
+ librt,
+ libopenssl],
 c_args : libsystemd_c_args)
 libsystemd_sym = files('libsystemd.sym')
diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c
index d5de935c77..28ae10a198 100644
--- a/src/libsystemd/sd-id128/sd-id128.c
+++ b/src/libsystemd/sd-id128/sd-id128.c
@@ -4,6 +4,11 @@
 #include
 #include
+#if HAVE_OPENSSL
+#include
+#include
+#endif
+
 #include "sd-id128.h"
 #include "alloc-util.h"
@@ -11,7 +16,9 @@
 #include "hexdecoct.h"
 #include "id128-util.h"
 #include "io-util.h"
+#if !HAVE_OPENSSL
 #include "khash.h"
+#endif
 #include "macro.h"
 #include "missing_syscall.h"
 #include "random-util.h"
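Review bot: The new `libopenssl` entry in the `dependencies` list of `install_libsystemd_static` (and the same entry for `libsystemd_static` in src/libsystemd/meson.build) has no comment saying why libsystemd now links an OpenSSL library, although everything built from these static libraries inherits that dependency when HAVE_OPENSSL is set. The C change in this commit only calls `HMAC()` and `EVP_sha256()`, which live in libcrypto; if `libopenssl` is declared from the combined openssl pkg-config module (its definition is outside these hunks), libssl is pulled in as well. I would add a comment at the list entry, for example `# sd-id128 app-specific IDs use HMAC()/EVP_sha256() from libcrypto; nothing else in libsystemd needs OpenSSL`, so that later audits of what libsystemd loads into its consumers can see the reason and the intended scope.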
@@ -271,13 +278,28 @@ _public_ int sd_id128_randomize(sd_id128_t *ret) {
 }
 static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret) {
- _cleanup_(khash_unrefp) khash *h = NULL;
 sd_id128_t result;
- const void *p;
- int r;
 assert(ret);
+#if HAVE_OPENSSL
+ /* We prefer doing this in-process, since we this means we are not dependent on kernel configuration,
+ * and this also works in locked down container environments. But some distros don't like OpenSSL's
+ * license and its (in-) compatibility with GPL2, hence also support khash */
+ uint8_t md[256/8];
+ if (!HMAC(EVP_sha256(),
+ &base, sizeof(base),
+ (const unsigned char*) &app_id, sizeof(app_id),
+ md, NULL))
+ return -ENOTRECOVERABLE;
+
+ /* Take only the first half. */
+ memcpy(&result, md, MIN(sizeof(md), sizeof(result)));
+#else
+ _cleanup_(khash_unrefp) khash *h = NULL;
+ const void *p;
+ int r;
+
 r = khash_new_with_key(&h, "hmac(sha256)", &base, sizeof(base));
 if (r < 0)
 return r;
@@ -292,6 +314,7 @@ static int get_app_specific(sd_id128_t base, sd_id128_t app_id, sd_id128_t *ret)
 /* We chop off the trailing 16 bytes */
 memcpy(&result, p, MIN(khash_get_size(h), sizeof(result)));
+#endif
 *ret = id128_make_v4_uuid(result);
 return 0;
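Review bot: In the HAVE_OPENSSL branch, `memcpy(&result, md, MIN(sizeof(md), sizeof(result)))` hides a compile-time invariant behind `MIN()`: both sizes are constants, and if `md` were ever shorter than `result`, the tail of `result` would reach `id128_make_v4_uuid()` uninitialized. I would state the invariant and copy a fixed length, with `assert_cc(sizeof(md) >= sizeof(result));` followed by `memcpy(&result, md, sizeof(result));`. The comment opening that branch reads "since we this means"; "since this means" is presumably intended. The khash path of get_app_specific() continues outside this hunk, so whether it feeds `app_id` as the HMAC message in the same way cannot be checked here.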