diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go
index a348deac5..46540cacb 100644
--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -362,7 +362,6 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 	if err := json.Unmarshal(plain, &init); err != nil {
 		return fmt.Errorf("failed to unmarshal barrier init file")
 	}
-	defer memzero(init.Key)
 
 	// Setup a new keyring, this is for backwards compatability
 	keyring := NewKeyring()
diff --git a/vault/barrier_aes_gcm_test.go b/vault/barrier_aes_gcm_test.go
index e5b3e36b4..0f23666d7 100644
--- a/vault/barrier_aes_gcm_test.go
+++ b/vault/barrier_aes_gcm_test.go
@@ -105,6 +105,14 @@ func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
 	}
 	inm.Put(pe)
 
+	// Create a fake key
+	gcm, _ = b.aeadFromKey(encrypt)
+	pe = &physical.Entry{
+		Key:   "test/foo",
+		Value: b.encrypt(initialKeyTerm, gcm, []byte("test")),
+	}
+	inm.Put(pe)
+
 	// Should still be initialized
 	isInit, err := b.Initialized()
 	if err != nil {
@@ -137,6 +145,15 @@ func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
 	if out == nil {
 		t.Fatalf("should have keyring file")
 	}
+
+	// Attempt to read encrypted key
+	entry, err := b.Get("test/foo")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if string(entry.Value) != "test" {
+		t.Fatalf("bad: %#v", entry)
+	}
 }
 
 // Verify data sent through is encrypted
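Review bot: Dropping `defer memzero(init.Key)` leaves the decrypted barrier init key unzeroed for the rest of Unseal, and the reason is not recorded at the site; presumably the keyring built on the following lines retains `init.Key` by reference (the new test reading a value encrypted under the initial key term points that way), so zeroing it at return wiped the live key. That should be said where the defer used to be so it is not reintroduced: `// init.Key is handed to the keyring below; zeroing it here would wipe the live key.` If the keyring instead copies the key, the original defer was harmless and should be restored; if it aliases, the cleaner fix is to have the keyring take a copy so the defer can come back, and to zero `plain` once the JSON has been parsed, since it still holds the key material. Unseal starts before and continues after this hunk, so the keyring's handling of the key is not visible here.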
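Review bot: The error from `b.aeadFromKey(encrypt)` is discarded on the new `gcm, _ =` line, so a failure there would likely surface as a nil-`gcm` panic inside `b.encrypt` rather than as a clear test failure; check it with `gcm, aeadErr := b.aeadFromKey(encrypt)` followed by `if aeadErr != nil { t.Fatalf("err: %v", aeadErr) }`. The return value of the new `inm.Put(pe)` is likewise unchecked, matching the existing call just above it, but a failed `Put` would make the later `Get` fail for the wrong reason. TestAESGCMBarrier_BackwardsCompatible begins outside this hunk.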
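Review bot: The new `string(entry.Value)` line dereferences `entry` without a nil check; if `Get` reports a missing key as `nil, nil` (its contract is not visible in this hunk), the test panics instead of failing with a message naming the key. Add `if entry == nil { t.Fatalf("missing entry for test/foo") }` before the value comparison. These lines close TestAESGCMBarrier_BackwardsCompatible, whose start is outside the hunk.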