diff --git a/pkg/app/cmd_install.go b/pkg/app/cmd_install.go
index 189f989..fd60efc 100644
--- a/pkg/app/cmd_install.go
+++ b/pkg/app/cmd_install.go
@@ -93,6 +93,20 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
 	// extra for some apc ups
 	kexAlgos = append(kexAlgos, "diffie-hellman-group-exchange-sha256")
 
+	// ciphers
+	// see defaults: https://cs.opensource.google/go/x/crypto/+/master:ssh/common.go;l=37
+	ciphers := []string{
+		"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
+		"chacha20-poly1305@openssh.com",
+		"aes128-ctr", "aes192-ctr", "aes256-ctr",
+	}
+
+	// insecure cipher options?
+	if app.config.install.insecureCipher != nil && *app.config.install.insecureCipher {
+		app.stdLogger.Println("WARNING: insecure ciphers are enabled (--insecurecipher). SSH with an insecure cipher is NOT secure and should NOT be used.")
+		ciphers = append(ciphers, "aes128-cbc", "3des-cbc")
+	}
+
 	// install file on UPS
 	// ssh config
 	config := &ssh.ClientConfig{
@@ -108,7 +122,7 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
 		ClientVersion: fmt.Sprintf("SSH-2.0-apc-p15-tool_v%s %s-%s", appVersion, runtime.GOOS, runtime.GOARCH),
 		Config: ssh.Config{
 			KeyExchanges: kexAlgos,
-			// Ciphers: []string{"aes128-ctr"},
+			Ciphers: ciphers,
 			// MACs: []string{"hmac-sha2-256"},
 		},
 		// HostKeyAlgorithms: []string{"ssh-rsa"},
diff --git a/pkg/app/config.go b/pkg/app/config.go
index 5be5bd7..ed6cd9a 100644
--- a/pkg/app/config.go
+++ b/pkg/app/config.go
@@ -32,10 +32,11 @@ type config struct {
 	}
 	install struct {
 		keyCertPemCfg
-		hostAndPort *string
-		fingerprint *string
-		username    *string
-		password    *string
+		hostAndPort    *string
+		fingerprint    *string
+		username       *string
+		password       *string
+		insecureCipher *bool
 	}
 }
 
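Review bot: The cipher list introduced at `ciphers := []string{` is a hand copy of the x/crypto defaults, but the comment above it links to `master`, so the list will silently drift from the library's preference order as upstream changes; pin the comment to the library version the list was taken from, e.g. `// copied from golang.org/x/crypto/ssh default ciphers at the version in go.mod; re-check on upgrade`. The `append(ciphers, "aes128-cbc", "3des-cbc")` line deserves a why-comment too: SSH negotiates the first client-listed cipher the server also supports, so keeping the CBC ciphers last means they are used only when the UPS offers nothing stronger, and a future reorder would quietly change that (`// appended last: fallback only, stronger ciphers are preferred when the UPS supports them`). The `insecureCipher != nil` guard is redundant once the flag is always registered in config.go, though harmless. cmdInstall starts and ends outside the hunk.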
@@ -92,6 +93,7 @@ func (app *app) getConfig(args []string) error {
 	cfg.install.fingerprint = installFlags.StringLong("fingerprint", "", "the SHA256 fingerprint value of the ups' ssh server")
 	cfg.install.username = installFlags.StringLong("username", "", "username to login to the apc ups")
 	cfg.install.password = installFlags.StringLong("password", "", "password to login to the apc ups")
+	cfg.install.insecureCipher = installFlags.BoolLong("insecurecipher", "allows the use of insecure ssh ciphers (NOT recommended)")
 
 	installCmd := &ff.Command{
 		Name: "install",
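Review bot: The help text on the new `BoolLong("insecurecipher", ...)` line does not say which ciphers the flag turns on, so an operator reading `--help` cannot judge what they are accepting; name them so the text matches the list appended in cmd_install.go: `"allows the insecure ssh ciphers aes128-cbc and 3des-cbc, only for a UPS that supports nothing stronger (NOT recommended)"`. It would also help to state that the install still emits a WARNING line when the flag is set, since that is the only runtime trace of the weaker configuration. getConfig starts and ends outside the hunk.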