diff --git a/lightningd/hsm_control.c b/lightningd/hsm_control.c
index e051b19ef..5f1d43465 100644
--- a/lightningd/hsm_control.c
+++ b/lightningd/hsm_control.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -92,6 +93,16 @@ void hsm_init(struct lightningd *ld)
 if (!ld->hsm)
 err(1, "Could not subd hsm");
 
+ /* If hsm_secret is encrypted and the --encrypted-hsm startup option is
+ * not passed, don't let hsmd use the first 32 bytes of the cypher as the
+ * actual secret. */
+ if (!ld->config.keypass) {
+ struct stat st;
+ if (stat("hsm_secret", &st) == 0 && st.st_size > 32)
+ errx(1, "hsm_secret is encrypted, you need to pass the "
+ "--encrypted-hsm startup option.");
+ }
+
 ld->hsm_fd = fds[0];
 if (!wire_sync_write(ld->hsm_fd, towire_hsm_init(tmpctx,
 &ld->topology->bitcoind->chainparams->bip32_key_version,
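Review bot: The new guard in hsm_init() decides "encrypted" purely from `st.st_size > 32`, with the plaintext secret length as a bare literal and the check placed in lightningd rather than beside the code that actually reads the secret. If hsmd (not visible here) still accepts an oversized file when no key is supplied, any other way of starting it would presumably keep the old behaviour of using the first 32 bytes of ciphertext as the secret, so the same size check belongs next to the read as well. A `stat()` failure other than a missing file (for example a permissions error) is silently treated as "not encrypted"; testing `errno != ENOENT` and exiting there would make the guard fail closed. I would name the constant, e.g. `#define HSM_SECRET_PLAIN_SIZE 32`, and add a comment such as `/* A plaintext hsm_secret is exactly 32 bytes; anything larger is treated as encrypted. */`. hsm_init()'s body starts and ends outside the hunk.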