diff --git a/http/sys_seal.go b/http/sys_seal.go
index aa143ff48d..9bb77efa93 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/http"
 
+	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/vault"
 )
 
@@ -55,8 +56,12 @@ func handleSysUnseal(core *vault.Core) http.Handler {
 
 		// Attempt the unseal
 		if _, err := core.Unseal(key); err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			// Ignore ErrInvalidKey because its a user error that we
+			// mask away. We just show them the seal status.
+			if !errwrap.ContainsType(err, new(vault.ErrInvalidKey)) {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
 		}
 
 		// Return the seal status
diff --git a/http/sys_seal_test.go b/http/sys_seal_test.go
index c1cb0da80e..c4543f19a3 100644
--- a/http/sys_seal_test.go
+++ b/http/sys_seal_test.go
@@ -97,16 +97,13 @@ func TestSysUnseal(t *testing.T) {
 }
 
 func TestSysUnseal_badKey(t *testing.T) {
-	// TODO: wait on Armon to fix error message from core
-	t.Skip()
-
 	core := testCore(t)
 	testCoreInit(t, core)
 	ln, addr := testServer(t, core)
 	defer ln.Close()
 
 	resp := testHttpPut(t, addr+"/v1/sys/unseal", map[string]interface{}{
-		"key": "foo",
+		"key": "0123",
 	})
 
 	var actual map[string]interface{}