diff --git a/http/sys_rekey.go b/http/sys_rekey.go
index 43dcd95ab6..86d0d5dd19 100644
--- a/http/sys_rekey.go
+++ b/http/sys_rekey.go
@@ -113,6 +113,11 @@ func handleSysRekeyInitPut(core *vault.Core, recovery bool, w http.ResponseWrite
 		return
 	}
 
+	if len(req.PGPKeys) > 0 && len(req.PGPKeys) != req.SecretShares-req.StoredShares {
+		respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for rekey"))
+		return
+	}
+
 	// Initialize the rekey
 	err := core.RekeyInit(&vault.SealConfig{
 		SecretShares:    req.SecretShares,
diff --git a/http/sys_rekey_test.go b/http/sys_rekey_test.go
index 4811bd2411..52729628e0 100644
--- a/http/sys_rekey_test.go
+++ b/http/sys_rekey_test.go
@@ -10,6 +10,22 @@ import (
 	"github.com/hashicorp/vault/vault"
 )
 
+// Test to check if the API errors out when wrong number of PGP keys are
+// supplied for rekey
+func TestSysRekeyInit_pgpKeysEntriesForRekey(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
+		"secret_shares":    5,
+		"secret_threshold": 3,
+		"pgp_keys":         []string{"pgpkey1"},
+	})
+	testResponseStatus(t, resp, 400)
+}
+
 func TestSysRekeyInit_Status(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := TestServer(t, core)