diff --git a/command/agent/agent.go b/command/agent/agent.go
index 97198c36c2..225c813a9c 100644
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@@ -116,15 +116,22 @@ func Create(config *Config, logOutput io.Writer) (*Agent, error) {
 
 // Setup encryption keyring files
 if !config.DisableKeyring && config.EncryptKey != "" {
+ serfDir := filepath.Join(config.DataDir, "serf")
+ if err := os.MkdirAll(serfDir, 0700); err != nil {
+ return nil, err
+ }
+
 keys := []string{config.EncryptKey}
 keyringBytes, err := json.MarshalIndent(keys, "", " ")
 if err != nil {
 return nil, err
 }
+
 paths := []string{
- filepath.Join(config.DataDir, "serf", "keyring_lan"),
- filepath.Join(config.DataDir, "serf", "keyring_wan"),
+ filepath.Join(serfDir, "keyring_lan"),
+ filepath.Join(serfDir, "keyring_wan"),
 }
+
 for _, path := range paths {
 if _, err := os.Stat(path); err == nil {
 continue
diff --git a/command/agent/command.go b/command/agent/command.go
index 91118fc630..4f31249bbc 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -792,6 +792,10 @@ Options:
 -data-dir=path Path to a data directory to store agent state
 -dc=east-aws Datacenter of the agent
 -encrypt=key Provides the gossip encryption key
+ -disable-keyring Disables the use of an encryption keyring. The
+ Default behavior is to persist encryption keys using
+ a keyring file, and reload the keys on subsequent
+ starts. This argument disables keyring persistence.
 -join=1.2.3.4 Address of an agent to join at start time. Can be
 specified multiple times.
 -join-wan=1.2.3.4 Address of an agent to join -wan at start time.
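Review bot: `os.MkdirAll(serfDir, 0700)` applies the mode only to directories it creates, so a `serf` directory or `DataDir` that already exists with wider permissions is accepted as is, and the gossip key is then protected only by the mode of the keyring files themselves. The write of those files is below the end of this hunk, so its mode cannot be confirmed from here; it should be owner-only, and a check after the call such as `if fi, err := os.Stat(serfDir); err == nil && fi.Mode().Perm()&0077 != 0 { /* warn */ }` would surface a loosely permissioned directory at startup. A short comment above the call, `// 0700 only applies when the directory is created here; existing directories keep their mode`, would record that limit for the next reader. Create's body starts and ends outside the hunk.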
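Review bot: The new `-disable-keyring` help text does not say how `-encrypt` interacts with a keyring file that already exists. In agent.go's Create, the loop skips any keyring path for which `os.Stat` succeeds, so a different key passed on a later start is apparently not written over the persisted one; the loading code is not in this diff, so this needs confirming. If that is the intended behaviour, state it here, for example `Once a keyring file exists, the key given with -encrypt is not written to it.`, so an operator rotating keys is not surprised. `Default` on the second added line should be lower-case, since it continues the sentence begun with `The`.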