diff --git a/Cargo.lock b/Cargo.lock
index ed9997101fbc7..ac64e65ee0ecf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -16602,18 +16602,18 @@ dependencies = [
 
 [[package]]
 name = "secp256k1"
-version = "0.24.3"
+version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b1629c9c557ef9b293568b338dddfc8208c98a18c59d722a9d53f859d9c9b62"
+checksum = "2acea373acb8c21ecb5a23741452acd2593ed44ee3d343e72baaa143bc89d0d5"
 dependencies = [
  "secp256k1-sys",
 ]
 
 [[package]]
 name = "secp256k1-sys"
-version = "0.6.1"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83080e2c2fc1006e625be82e5d1eb6a43b7fd9578b617fcc55814daf286bba4b"
+checksum = "09e67c467c38fd24bd5499dc9a18183b31575c12ee549197e3e20d57aa4fe3b7"
 dependencies = [
  "cc",
 ]
diff --git a/substrate/primitives/core/Cargo.toml b/substrate/primitives/core/Cargo.toml
index 25478bed2d952..34485c72ab03c 100644
--- a/substrate/primitives/core/Cargo.toml
+++ b/substrate/primitives/core/Cargo.toml
@@ -49,7 +49,7 @@ blake2 = { version = "0.10.4", default-features = false, optional = true }
 libsecp256k1 = { version = "0.7", default-features = false, features = ["static-context"], optional = true }
 schnorrkel = { version = "0.9.1", features = ["preaudit_deprecated", "u64_backend"], default-features = false }
 merlin = { version = "2.0", default-features = false }
-secp256k1 = { version = "0.24.0", default-features = false, features = ["recovery", "alloc"], optional = true }
+secp256k1 = { version = "0.28.0", default-features = false, features = ["recovery", "alloc"], optional = true }
 sp-core-hashing = { path = "hashing", default-features = false, optional = true }
 sp-runtime-interface = { path = "../runtime-interface", default-features = false}
 
diff --git a/substrate/primitives/core/src/ecdsa.rs b/substrate/primitives/core/src/ecdsa.rs
index 603fa515a30e8..471714582a6bb 100644
--- a/substrate/primitives/core/src/ecdsa.rs
+++ b/substrate/primitives/core/src/ecdsa.rs
@@ -336,7 +336,7 @@ impl Signature {
 	pub fn recover_prehashed(&self, message: &[u8; 32]) -> Option<Public> {
 		let rid = RecoveryId::from_i32(self.0[64] as i32).ok()?;
 		let sig = RecoverableSignature::from_compact(&self.0[..64], rid).ok()?;
-		let message = Message::from_slice(message).expect("Message is 32 bytes; qed");
+		let message = Message::from_digest_slice(message).expect("Message is 32 bytes; qed");
 
 		#[cfg(feature = "std")]
 		let context = SECP256K1;
@@ -458,7 +458,7 @@ impl Pair {
 
 	/// Sign a pre-hashed message
 	pub fn sign_prehashed(&self, message: &[u8; 32]) -> Signature {
-		let message = Message::from_slice(message).expect("Message is 32 bytes; qed");
+		let message = Message::from_digest_slice(message).expect("Message is 32 bytes; qed");
 
 		#[cfg(feature = "std")]
 		let context = SECP256K1;
@@ -508,12 +508,7 @@ impl Pair {
 #[cfg(feature = "full_crypto")]
 impl Drop for Pair {
 	fn drop(&mut self) {
-		let ptr = self.secret.as_mut_ptr();
-		for off in 0..self.secret.len() {
-			unsafe {
-				core::ptr::write_volatile(ptr.add(off), 0);
-			}
-		}
+		self.secret.non_secure_erase()
 	}
 }
 
@@ -760,7 +755,7 @@ mod test {
 		let msg = [0u8; 32];
 		let sig1 = pair.sign_prehashed(&msg);
 		let sig2: Signature = {
-			let message = Message::from_slice(&msg).unwrap();
+			let message = Message::from_digest_slice(&msg).unwrap();
 			SECP256K1.sign_ecdsa_recoverable(&message, &pair.secret).into()
 		};
 		assert_eq!(sig1, sig2);
diff --git a/substrate/primitives/io/Cargo.toml b/substrate/primitives/io/Cargo.toml
index 445104b736e0a..59df8895bb7fd 100644
--- a/substrate/primitives/io/Cargo.toml
+++ b/substrate/primitives/io/Cargo.toml
@@ -28,7 +28,7 @@ sp-trie = { path = "../trie", default-features = false, optional = true}
 sp-externalities = { path = "../externalities", default-features = false}
 sp-tracing = { path = "../tracing", default-features = false}
 log = { version = "0.4.17", optional = true }
-secp256k1 = { version = "0.24.0", features = ["recovery", "global-context"], optional = true }
+secp256k1 = { version = "0.28.0", features = ["recovery", "global-context"], optional = true }
 tracing = { version = "0.1.29", default-features = false }
 tracing-core = { version = "0.1.28", default-features = false}
 
diff --git a/substrate/primitives/io/src/lib.rs b/substrate/primitives/io/src/lib.rs
index c4182d6ab3a00..a300152ee66d1 100644
--- a/substrate/primitives/io/src/lib.rs
+++ b/substrate/primitives/io/src/lib.rs
@@ -1139,7 +1139,7 @@ pub trait Crypto {
 			.map_err(|_| EcdsaVerifyError::BadV)?;
 		let sig = RecoverableSignature::from_compact(&sig[..64], rid)
 			.map_err(|_| EcdsaVerifyError::BadRS)?;
-		let msg = Message::from_slice(msg).expect("Message is 32 bytes; qed");
+		let msg = Message::from_digest_slice(msg).expect("Message is 32 bytes; qed");
 		let pubkey = SECP256K1
 			.recover_ecdsa(&msg, &sig)
 			.map_err(|_| EcdsaVerifyError::BadSignature)?;
@@ -1185,7 +1185,7 @@ pub trait Crypto {
 			.map_err(|_| EcdsaVerifyError::BadV)?;
 		let sig = RecoverableSignature::from_compact(&sig[..64], rid)
 			.map_err(|_| EcdsaVerifyError::BadRS)?;
-		let msg = Message::from_slice(msg).expect("Message is 32 bytes; qed");
+		let msg = Message::from_digest_slice(msg).expect("Message is 32 bytes; qed");
 		let pubkey = SECP256K1
 			.recover_ecdsa(&msg, &sig)
 			.map_err(|_| EcdsaVerifyError::BadSignature)?;