diff --git a/command/agent/command.go b/command/agent/command.go
index 4f31249bbc..649cded48f 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -219,6 +219,13 @@ func (c *Command) readConfig() *Config {
 c.Ui.Error("WARNING: Windows is not recommended as a Consul server. Do not use in production.")
 }
 
+ // Warn if an encryption key is passed while a keyring already exists
+ if config.EncryptKey != "" && config.CheckKeyringFiles() {
+ c.Ui.Error(fmt.Sprintf(
+ "WARNING: Keyring already exists, ignoring new key %s",
+ config.EncryptKey))
+ }
+
 // Set the version info
 config.Revision = c.Revision
 config.Version = c.Version
@@ -586,6 +593,9 @@ func (c *Command) Run(args []string) int {
 }(wp)
 }
 
+ // Determine if gossip is encrypted
+ gossipEncrypted := (config.EncryptKey != "" || config.CheckKeyringFiles())
+
 // Let the agent know we've finished registration
 c.agent.StartSync()
 
@@ -598,7 +608,7 @@ func (c *Command) Run(args []string) int {
 c.Ui.Info(fmt.Sprintf(" Cluster Addr: %v (LAN: %d, WAN: %d)", config.AdvertiseAddr, config.Ports.SerfLan, config.Ports.SerfWan))
 c.Ui.Info(fmt.Sprintf("Gossip encrypt: %v, RPC-TLS: %v, TLS-Incoming: %v",
- config.EncryptKey != "", config.VerifyOutgoing, config.VerifyIncoming))
+ gossipEncrypted, config.VerifyOutgoing, config.VerifyIncoming))
 
 // Enable log streaming
 c.Ui.Info("")
diff --git a/command/agent/config.go b/command/agent/config.go
index e099c64b14..2fad1db399 100644
--- a/command/agent/config.go
+++ b/command/agent/config.go
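Review bot: The warning added to readConfig in command/agent/command.go formats `config.EncryptKey` into the message with `%s`, so the gossip encryption key is written in clear text to the agent's console and to any log pipeline that captures that output. The value adds nothing an operator needs here; `c.Ui.Error("WARNING: Keyring already exists, ignoring new key")` says the same thing without disclosing key material. The ignored key may still be in use elsewhere in the cluster, so a key that was already printed this way is best treated as exposed. readConfig begins and ends outside the hunk.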
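Review bot: `gossipEncrypted` in Run (command/agent/command.go, hunk at -586) is computed from whether keyring files exist on disk, not from what the agent actually loaded, so the `Gossip encrypt:` field of the startup banner can read true for an empty or unparsable keyring file. Operators tend to rely on that banner when confirming a hardening change, so the value should either come from the configuration that was really applied or be documented as a heuristic, for example `// gossipEncrypted reflects key material present in config or on disk; it is not a verified keyring`. The same expression also calls CheckKeyringFiles a second time after readConfig did, so the two results can disagree if the files change in between. Run's body continues outside the hunk.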
@@ -411,6 +411,18 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
 return addr.String(), nil
 }
 
+// CheckKeyringFiles checks for existence of the keyring files for Serf
+func (c *Config) CheckKeyringFiles() bool {
+ serfDir := filepath.Join(c.DataDir, "serf")
+ if _, err := os.Stat(filepath.Join(serfDir, "keyring_lan")); err != nil {
+ return false
+ }
+ if _, err := os.Stat(filepath.Join(serfDir, "keyring_wan")); err != nil {
+ return false
+ }
+ return true
+}
+
 // DecodeConfig reads the configuration from the given reader in JSON
 // format and decodes it into a proper Config structure.
 func DecodeConfig(r io.Reader) (*Config, error) {
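Review bot: CheckKeyringFiles in command/agent/config.go treats every `os.Stat` error as "no keyring", so a permission or I/O error on `keyring_lan` or `keyring_wan` is indistinguishable from a missing file. The callers in command.go then skip the "keyring already exists" warning and may report gossip as unencrypted. Absence should be separated from failure, e.g. `if err != nil && !os.IsNotExist(err)` handled apart from the not-exist case, which with the current `bool` return means logging the error or widening the signature. The doc comment should also state the actual contract, since the result is true only when both files exist: `// CheckKeyringFiles reports whether both the LAN and WAN Serf keyring files exist under DataDir/serf.` An agent holding only one of the two files is therefore reported as having no keyring, which looks unintended for any agent that keeps just the LAN keyring, though the page does not show how the files are created.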