diff --git a/lib/options.go b/lib/options.go
index f558bf9ef669..f41eb8e4717d 100644
--- a/lib/options.go
+++ b/lib/options.go
@@ -182,6 +182,9 @@ func parsePrivateKey(privKey, password string) ([]byte, error) {
 return nil, fmt.Errorf("failed to decode PEM key")
 }
 blockType := block.Type
+ if blockType == "ENCRYPTED PRIVATE KEY" {
+ return nil, fmt.Errorf("encrypted pkcs8 formatted key is not supported")
+ }
 if encrypted := x509.IsEncryptedPEMBlock(block); encrypted {
 decryptedKey, err := x509.DecryptPEMBlock(block, []byte(password))
 if err != nil {
diff --git a/lib/options_test.go b/lib/options_test.go
index 1e81058b409d..9ce2949faf2c 100644
--- a/lib/options_test.go
+++ b/lib/options_test.go
@@ -398,7 +398,7 @@ func TestOptions(t *testing.T) {
 assert.NoError(t, err)
 var opts2 Options
- errMsg := "tls: failed to parse private key"
+ errMsg := "encrypted pkcs8 formatted key is not supported"
 err = json.Unmarshal(optsData, &opts2)
 assert.Error(t, err)
 assert.Contains(t, err.Error(), errMsg)
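Review bot: The added `ENCRYPTED PRIVATE KEY` check in parsePrivateKey has no comment saying why it must sit ahead of `x509.IsEncryptedPEMBlock`, and the reason is not obvious from the code: that helper only recognises legacy RFC 1423 PEM encryption through the `DEK-Info` header, so a PKCS#8 encrypted block would otherwise be handled as if it were unencrypted. I would add `// PKCS#8 encrypted keys have no DEK-Info header, so IsEncryptedPEMBlock does not see them; reject them explicitly.` above the `if`. With this rejection in place, the only password-protected format the function still accepts is the legacy one decrypted by `x509.DecryptPEMBlock`, which the Go standard library marks deprecated because the scheme does not authenticate the ciphertext; the error text or the option's documentation should say so, so that users are not nudged into converting a PKCS#8 key to the weaker format. The function starts and ends outside the hunk, so how `password` is used on the other paths is not visible here.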