diff --git a/vault/seal_autoseal.go b/vault/seal_autoseal.go
index 1a46d26339e7..436160dad636 100644
--- a/vault/seal_autoseal.go
+++ b/vault/seal_autoseal.go
@@ -137,7 +137,15 @@ func (d *autoSeal) GetStoredKeys(ctx context.Context) ([][]byte, error) {
 	// Decode the barrier entry
 	var keys [][]byte
 	if err := json.Unmarshal(pt, &keys); err != nil {
-		return nil, fmt.Errorf("failed to decode stored keys: %v, plaintext was %q", err, pe.Value)
+		return nil, errwrap.Wrapf("failed to decode stored keys: {{err}}", err)
+	}
+
+	// Upgrade the stored keys if the seal key has been rotated
+	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
+		d.core.logger.Info("autoseal: upgrading stored keys")
+		if err := d.SetStoredKeys(ctx, keys); err != nil {
+			return nil, errwrap.Wrapf("failed to upgrade stored keys: {{err}}", err)
+		}
 	}
 
 	return keys, nil
@@ -393,6 +401,14 @@ func (d *autoSeal) VerifyRecoveryKey(ctx context.Context, key []byte) error {
 		return fmt.Errorf("recovery key does not match submitted values")
 	}
 
+	// Upgrade the recovery keys if the seal key has been rotated
+	if blobInfo.KeyInfo != nil && blobInfo.KeyInfo.KeyID != d.Access.KeyID() {
+		d.core.logger.Info("autoseal: upgrading recovery keys")
+		if err := d.SetRecoveryKey(ctx, pt); err != nil {
+			return errwrap.Wrapf("failed to upgrade recovery keys: {{err}}", err)
+		}
+	}
+
 	return nil
 }
 
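Review bot: The new re-wrap block in GetStoredKeys turns a read that already succeeded into a hard failure when the write-back fails: the stored keys were decrypted and decoded fine under the old seal key, yet a transient storage or KMS error in `d.SetStoredKeys` now makes the whole call (and, presumably, the unseal that invoked it) fail. If the intent is fail-closed that should be stated in the comment; otherwise consider `d.core.logger.Warn("autoseal: failed to upgrade stored keys", "error", err)` and returning `keys, nil`, since the next read will retry the upgrade. The guard `blobInfo.KeyInfo != nil` also means a blob with no key info is never re-wrapped; if that is the shape of blobs written before key IDs were recorded, those deployments stay pinned to the old seal key until something else rewrites them, which is worth a comment such as `// Blobs without KeyInfo cannot be compared and are left as-is`. The function body and the definitions of `blobInfo` and `pt` begin outside this hunk, so whether `blobInfo` can itself be nil here is not visible.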
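Review bot: In VerifyRecoveryKey the re-wrap of the recovery key blob only runs when an operator submits a correct recovery key, so after a seal key rotation the recovery keys stay wrapped with the previous key until the next recovery-key operation, unlike the stored keys which GetStoredKeys refreshes on the read path. If the old KMS key version is disabled or scheduled for deletion in the meantime, recovery operations will fail at the decrypt step that precedes this block, and this upgrade never gets a chance to run; that window deserves either a doc comment on the function, e.g. `// Recovery keys are only re-wrapped here, after a successful verification; rotate the seal key before retiring the old version`, or an upgrade hook on the unseal path that reads the recovery blob. Placing the upgrade after the `bytes.Equal`-style check (visible only through the mismatch error above it) is the right order, since the blob is rewritten only once possession of the key has been proven; a one-line comment saying so would stop a future refactor from hoisting it. The rest of VerifyRecoveryKey, including where `blobInfo` and `pt` come from, lies outside this hunk.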