diff --git a/builtin/logical/transit/path_encrypt_test.go b/builtin/logical/transit/path_encrypt_test.go
index 227ff4cf4..732d2d582 100644
--- a/builtin/logical/transit/path_encrypt_test.go
+++ b/builtin/logical/transit/path_encrypt_test.go
@@ -578,6 +578,31 @@ func TestTransit_BatchEncryptionCase12(t *testing.T) {
 	}
 }
 
+// Case13: Incorrect input for nonce when we aren't in convergent encryption should fail the operation
+func TestTransit_BatchEncryptionCase13(t *testing.T) {
+	var err error
+
+	b, s := createBackendWithStorage(t)
+
+	batchInput := []interface{}{
+		map[string]interface{}{"plaintext": "bXkgc2VjcmV0IGRhdGE=", "nonce": "YmFkbm9uY2U="},
+	}
+
+	batchData := map[string]interface{}{
+		"batch_input": batchInput,
+	}
+	batchReq := &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "encrypt/my-key",
+		Storage:   s,
+		Data:      batchData,
+	}
+	_, err = b.HandleRequest(context.Background(), batchReq)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 // Test that the fast path function decodeBatchRequestItems behave like mapstructure.Decode() to decode []BatchRequestItem.
 func TestTransit_decodeBatchRequestItems(t *testing.T) {
 	tests := []struct {
diff --git a/changelog/13690.txt b/changelog/13690.txt
new file mode 100644
index 000000000..03bbc116e
--- /dev/null
+++ b/changelog/13690.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode.
+```
\ No newline at end of file
diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go
index 9ab9944b8..1b198a35f 100644
--- a/sdk/helper/keysutil/policy.go
+++ b/sdk/helper/keysutil/policy.go
@@ -1655,6 +1655,8 @@ func (p *Policy) SymmetricEncryptRaw(ver int, encKey, plaintext []byte, opts Sym
 		if err != nil {
 			return nil, errutil.InternalError{Err: err.Error()}
 		}
+	} else if len(nonce) != aead.NonceSize() {
+		return nil, errutil.UserError{Err: fmt.Sprintf("base64-decoded nonce must be %d bytes long but given %d bytes", aead.NonceSize(), len(nonce))}
 	}
 
 	// Encrypt and tag with AEAD