diff --git a/acl/acl.go b/acl/acl.go
index 1a8a6d2bc..29a7569d8 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -172,7 +172,7 @@ type PolicyACL struct {
 // keyringRules contains the keyring policies. The keyring has
 // a very simple yes/no without prefix mathing, so here we
 // don't need to use a radix tree.
- keyringRules map[string]struct{}
+ keyringRule string
 }
 // New is used to construct a policy based ACL from a set of policies
@@ -183,7 +183,6 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
 keyRules: radix.New(),
 serviceRules: radix.New(),
 eventRules: radix.New(),
- keyringRules: make(map[string]struct{}),
 }
 // Load the key policy
@@ -202,9 +201,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
 }
 // Load the keyring policy
- for _, krp := range policy.Keyring {
- p.keyringRules[krp.Policy] = struct{}{}
- }
+ p.keyringRule = policy.Keyring
 return p, nil
 }
@@ -350,29 +347,17 @@ func (p *PolicyACL) EventWrite(name string) bool {
 // KeyringRead is used to determine if the keyring can be
 // read by the current ACL token.
 func (p *PolicyACL) KeyringRead() bool {
- // First check for an explicit deny
- if _, ok := p.keyringRules[KeyringPolicyDeny]; ok {
+ switch p.keyringRule {
+ case KeyringPolicyRead, KeyringPolicyWrite:
+ return true
+ default:
 return false
 }
-
- // Now check for read or write. Write implies read.
- _, ok := p.keyringRules[KeyringPolicyRead]
- if !ok {
- _, ok = p.keyringRules[KeyringPolicyWrite]
- }
- return ok
 }
 // KeyringWrite determines if the keyring can be manipulated.
 func (p *PolicyACL) KeyringWrite() bool {
- // First check for an explicit deny
- if _, ok := p.keyringRules[KeyringPolicyDeny]; ok {
- return false
- }
-
- // Check for read permission
- _, ok := p.keyringRules[KeyringPolicyWrite]
- return ok
+ return p.keyringRule == KeyringPolicyWrite
 }
 // ACLList checks if listing of ACLs is allowed
diff --git a/acl/policy.go b/acl/policy.go
index 0327b2ef2..d9e62792e 100644
--- a/acl/policy.go
+++ b/acl/policy.go
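Review bot: The doc comment left above the renamed field still reads `// keyringRules contains the keyring policies.` while the field is now the single string `keyringRule`, so the comment names an identifier that no longer exists and describes a set of policies where only one value is stored. Since the field is touched anyway, the three context lines should be updated to something like `// keyringRule holds the single keyring policy ("read", "write" or "deny"); access is a plain yes/no with no prefix matching, so no radix tree is needed.`, which also fixes the "mathing" typo. The struct definition begins before the hunk.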
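Review bot: KeyringRead and KeyringWrite now treat every value other than the read/write constants as a denial, so an unset rule (empty string), an explicit `deny`, and any value that slipped past validation all collapse into the same `default` branch, and the comment that explained the old deny-first ordering is gone. Deny-by-default is the right posture, but it should be visible in the code: add `// An unset or "deny" keyring rule denies access; write implies read.` above the switch and list `case KeyringPolicyDeny:` explicitly so the fall-through for the unset case is deliberate rather than accidental. New takes a parent ACL; if the other PolicyACL methods defer to that parent when no rule is present, the empty-string case here presumably should too rather than hard-denying — worth confirming the intended behaviour and stating it in the method comments.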
@@ -28,7 +28,7 @@ type Policy struct {
 Keys []*KeyPolicy `hcl:"key,expand"`
 Services []*ServicePolicy `hcl:"service,expand"`
 Events []*EventPolicy `hcl:"event,expand"`
- Keyring []*KeyringPolicy `hcl:"keyring"`
+ Keyring string `hcl:"keyring"`
 }
 // KeyPolicy represents a policy for a key
@@ -61,17 +61,6 @@ func (e *EventPolicy) GoString() string {
 return fmt.Sprintf("%#v", *e)
 }
-// KeyringPolicy represents a policy for the encryption keyring.
-type KeyringPolicy struct {
- // We only need a single field for the keyring, since access
- // is binary (allowed or disallowed) and no prefix is respected.
- Policy string
-}
-
-func (k *KeyringPolicy) GoString() string {
- return fmt.Sprintf("%#v", *k)
-}
-
 // Parse is used to parse the specified ACL rules into an
 // intermediary set of policies, before being compiled into
 // the ACL
@@ -121,14 +110,12 @@ func Parse(rules string) (*Policy, error) {
 }
 // Validate the keyring policy
- for _, krp := range p.Keyring {
- switch krp.Policy {
- case KeyringPolicyRead:
- case KeyringPolicyWrite:
- case KeyringPolicyDeny:
- default:
- return nil, fmt.Errorf("Invalid keyring policy: %#v", krp)
- }
+ switch p.Keyring {
+ case KeyringPolicyRead:
+ case KeyringPolicyWrite:
+ case KeyringPolicyDeny:
+ default:
+ return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring)
 }
 return p, nil
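Review bot: The rewritten validation in Parse rejects a rule set that has no `keyring` attribute at all: the old loop did nothing for an empty slice, but a string field that is absent from the HCL is left as the empty string (assuming the decoder leaves omitted attributes at their zero value), which falls to `default` and returns `Invalid keyring policy: ""`, so every existing policy without a keyring stanza would stop parsing. Guard the unset case, e.g. wrap the switch in `if p.Keyring != "" {` or add `case "":` beside the three valid values, and add a parse test for rules that omit `keyring`. Parse's body begins before the hunk.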