diff --git a/btrbk b/btrbk
index 6fbf541..585966f 100755
--- a/btrbk
+++ b/btrbk
@@ -582,7 +582,7 @@ sub init_transaction_log($$)
 my $file = shift;
 my $config_syslog_facility = shift;
 if(defined($file) && (not $dryrun)) {
- if(open($tlog_fh, ">> $file")) {
+ if(open($tlog_fh, '>>', $file)) {
 # print headers (disabled)
 # print_formatted("transaction", [ ], output_format => "tlog", outfile => $tlog_fh);
 INFO "Using transaction log: $file";
@@ -1753,7 +1753,7 @@ sub btrfs_send_to_file($$$;$$)
 # of slower random generation.
 my @gpg_options = ( '--batch', '--no-tty', '--no-random-seed-file', '--trust-model', 'always' );
 push @gpg_options, ( '--compress-algo', 'none' ) if($compress); # NOTE: if --compress-algo is not set, gpg might still compress according to OpenPGP standard.
- push(@gpg_options, ( '--no-default-keyring', '--keyring', $encrypt->{keyring} )) if($encrypt->{keyring});
+ push(@gpg_options, ( '--no-default-keyring', '--keyring', { unsafe => $encrypt->{keyring} } )) if($encrypt->{keyring});
 push(@gpg_options, ( '--default-recipient', $encrypt->{recipient} )) if($encrypt->{recipient});
 push @cmd_pipe, {
 cmd => [ 'gpg', @gpg_options, '--encrypt' ],
@@ -1783,7 +1783,7 @@ sub btrfs_send_to_file($$$;$$)
 if($encrypt->{kdf_backend}) {
 WARN "Both openssl_keyfile and kdf_backend are configured, ignoring kdf_backend!";
 }
- $encrypt_key = '$(cat ' . $encrypt->{keyfile} . ')';
+ $encrypt_key = '$(cat ' . quoteshell($encrypt->{keyfile}) . ')';
 }
 elsif($encrypt->{kdf_backend}) {
 if($encrypt->{kdf_keygen_each}) {
@@ -1801,7 +1801,7 @@ sub btrfs_send_to_file($$$;$$)
 my $key_target_text = $encrypt->{kdf_keygen_each} ? "\"$vol_received->{PRINT}\"" : "all raw backups";
 print STDOUT "\nGenerate session key for $key_target_text:\n";
- my $kdf_values = run_cmd(cmd => [ $encrypt->{kdf_backend}, $encrypt->{kdf_keysize} ],
+ my $kdf_values = run_cmd(cmd => [ { unsafe => $encrypt->{kdf_backend} }, $encrypt->{kdf_keysize} ],
 non_destructive => 1,
 name => $kdf_backend_name
 );
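Review bot: Only the keyring path receives the `{ unsafe => … }` wrapper in this hunk, while `$encrypt->{recipient}` on the very next line is still pushed as a plain scalar. The same asymmetry shows up with `$encrypt->{kdf_keysize}` in the hunk at line 1801 and with `$ssh_port` / `$ssh_cipher_spec` in `vinfo_rsh`. If the config parser already restricts those values to a safe character set (not visible in this diff), a short comment saying so would settle it; otherwise they should be wrapped the same way, e.g. `{ unsafe => $encrypt->{recipient} }`. What `run_cmd` does with an `unsafe` element is also outside the diff, so a one-line comment at this first use explaining the convention would help the next reader.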
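Review bot: `quoteshell()` guards the keyfile path against word splitting and shell metacharacters, but the key is still read by a shell `$(cat …)` when the command runs, so a missing or unreadable keyfile would presumably expand to an empty string instead of stopping the backup; how `$encrypt_key` is consumed lies outside the hunk, so the exact effect is inferred. A readability test before this assignment (`-r $encrypt->{keyfile}`) followed by an ERROR and early bail-out would make that failure explicit. Writing `'$(cat -- ' . quoteshell($encrypt->{keyfile}) . ')'` would additionally keep a path that begins with `-` from being parsed as a cat option, unless the config parser already enforces absolute paths. The enclosing branch of btrfs_send_to_file starts and ends outside the hunk.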
@@ -2947,7 +2947,7 @@ sub vinfo_rsh($;@)
 push(@ssh_options, '-p', $ssh_port) if($ssh_port);
 push(@ssh_options, '-c', $ssh_cipher_spec) if($ssh_cipher_spec ne "default");
 if($ssh_identity) {
- push(@ssh_options, '-i', $ssh_identity);
+ push(@ssh_options, '-i', { unsafe => $ssh_identity });
 }
 else {
 WARN_ONCE "No SSH identity provided (option ssh_identity is not set) for: " . ($vinfo->{CONFIG}->{url} // $vinfo->{PRINT});
@@ -6040,7 +6040,7 @@ MAIN:
 #
 $lockfile //= config_key($config, "lockfile");
 if(defined($lockfile) && (not $dryrun)) {
- unless(open(LOCKFILE, ">>$lockfile")) {
+ unless(open(LOCKFILE, '>>', $lockfile)) {
 # NOTE: the lockfile is never deleted by design
 ERROR "Failed to open lock file '$lockfile': $!";
 exit 3;
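Review bot: `LOCKFILE` is still a bareword, package-global filehandle after the move to three-argument open; a lexical handle declared at file scope, e.g. `my $lock_fh;` with `unless(open($lock_fh, '>>', $lockfile)) {`, would match `$tlog_fh` in init_transaction_log and still stay open for the life of the process. Any later use of the handle (the locking call is presumably below this hunk) would need the same rename. Separately, an append-mode open creates the file under the current umask and follows symlinks, so it is worth extending the existing NOTE comment to say the lockfile must live in a directory that only the btrbk user can write. The MAIN block continues outside the hunk.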