diff --git a/modules/programs/pwdutils/passwd.conf b/modules/programs/pwdutils/passwd.conf
index 5804e28c38b..3b10fa350b5 100644
--- a/modules/programs/pwdutils/passwd.conf
+++ b/modules/programs/pwdutils/passwd.conf
@@ -4,7 +4,7 @@ CRYPT=des
 
 # for local files, use a more secure hash. We
 # don't need to be portable here:
-CRYPT_FILES=blowfish
+CRYPT_FILES=@filesCipher@
 
 # sometimes we need to specify special options for
 # a hash (variable is prepended by the name of the
diff --git a/modules/programs/pwdutils/pwdutils.nix b/modules/programs/pwdutils/pwdutils.nix
index ec5d31a1ad1..a690d7dab3e 100644
--- a/modules/programs/pwdutils/pwdutils.nix
+++ b/modules/programs/pwdutils/pwdutils.nix
@@ -33,7 +33,14 @@ in
 
       { # /etc/default/passwd: configuration for passwd and friends
         # (e.g., hash algorithm for /etc/passwd).
-        source = ./passwd.conf;
+        source = pkgs.substituteAll {
+          src = ./passwd.conf;
+          # This depends on pam_unix2 being built with libxcrypt or libc's libcrypt.
+          # Only in the first case it will understand 'blowfish'. And pam_unix2
+          # is not built with libxcrypt at the time of writing (it did not build)
+          filesCipher = if (pkgs.stdenv.system == "armv5tel-linux") then
+            "des" else "blowfish";
+        };
         target = "default/passwd";
       }