diff --git a/changelog/31733.txt b/changelog/31733.txt
new file mode 100644
index 0000000000..bdfd3aa0ad
--- /dev/null
+++ b/changelog/31733.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Fix nil pointer panic when restoring malformed backup data.
+```
diff --git a/sdk/helper/keysutil/lock_manager.go b/sdk/helper/keysutil/lock_manager.go
index 254fedeb64..f1efcbc76e 100644
--- a/sdk/helper/keysutil/lock_manager.go
+++ b/sdk/helper/keysutil/lock_manager.go
@@ -162,6 +162,11 @@ func (lm *LockManager) RestorePolicy(ctx context.Context, storage logical.Storag
 return err
 }
 
+ // Validate that the policy exists in the backup data
+ if keyData.Policy == nil {
+ return errors.New("backup data does not contain a valid policy")
+ }
+
 // Set a different name if desired
 if name != "" {
 keyData.Policy.Name = name
diff --git a/sdk/helper/keysutil/lock_manager_test.go b/sdk/helper/keysutil/lock_manager_test.go
index 0857e6dc5f..b41a284bcf 100644
--- a/sdk/helper/keysutil/lock_manager_test.go
+++ b/sdk/helper/keysutil/lock_manager_test.go
@@ -6,6 +6,7 @@ package keysutil
 import (
 "context"
 "crypto/rand"
+ "encoding/base64"
 "testing"
 
 "github.com/hashicorp/vault/sdk/logical"
@@ -98,3 +99,18 @@ func TestImportPolicy(t *testing.T) {
 })
 }
 }
+
+func TestRestorePolicy_NilPolicy(t *testing.T) {
+ lm, err := NewLockManager(false, 0)
+ require.NoError(t, err)
+
+ ctx := context.Background()
+ storage := &logical.InmemStorage{}
+
+ // Create backup data without "policy" field (causes nil Policy)
+ invalidBackup := base64.StdEncoding.EncodeToString([]byte(`{"archived_keys": null}`))
+
+ err = lm.RestorePolicy(ctx, storage, "test-key", invalidBackup, false)
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "backup data does not contain a valid policy")
+}
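Review bot: In the `lock_manager.go` hunk, the new guard in `RestorePolicy` rejects only a missing `policy` object, although its error text says "valid policy". A backup whose policy is present but empty (for example `{"policy": {}}`, a constructed sample) still passes it and reaches `keyData.Policy.Name = name`. Because the backup blob is caller-supplied, it is worth checking here the fields the rest of the function relies on. At minimum, state the limit in the comment: `// Guards the dereferences below; a present-but-empty policy is not rejected here`. The function body starts before and continues after this hunk, so whether later code already validates the decoded policy cannot be confirmed from the visible lines.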
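Review bot: `TestRestorePolicy_NilPolicy` in `lock_manager_test.go` pins only one malformed shape, the one where the `policy` key is absent. An explicit `{"policy": null}` and an empty `{}` should hit the same guard and would fit a small table of cases. The test also does not check that the rejected restore left storage untouched, which is the property an operator cares about after a bad restore. Adding `keys, err := storage.List(ctx, "")`, `require.NoError(t, err)` and `require.Empty(t, keys)` after the error assertions would cover that.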