diff --git a/cmd/ctlog/createctconfig/main.go b/cmd/ctlog/createctconfig/main.go
index 0b04379ce..5ad215047 100644
--- a/cmd/ctlog/createctconfig/main.go
+++ b/cmd/ctlog/createctconfig/main.go
@@ -63,7 +63,7 @@ var (
 	// TODO: Support ed25519
 	keyType = flag.String("keytype", "ecdsa", "Which private key to generate [rsa,ecdsa]")
 	curveType = flag.String("curvetype", "p256", "Curve type to use [p256, p384,p521]")
-	keyPassword = flag.String("key-password", "test", "Password for encrypting the PEM key")
+	keyPassword = flag.String("key-password", "", "Password for encrypting the PEM key")
 
 	// Supported elliptic curve functions.
 	supportedCurves = map[string]elliptic.Curve{
diff --git a/cmd/fulcio/createcerts/main.go b/cmd/fulcio/createcerts/main.go
index 6d2f5a786..a0290b34c 100644
--- a/cmd/fulcio/createcerts/main.go
+++ b/cmd/fulcio/createcerts/main.go
@@ -152,7 +152,7 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 	// Encrypt the pem
 	block, err = pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(pwd), x509.PEMCipherAES256)
 	if err != nil {
-		return nil, nil, nil, "", fmt.Errorf("EncryptPEMBlock failed: %w", err)
+		return nil, nil, nil, "", fmt.Errorf("EncryptPKCS8PrivateKey failed: %w", err)
 	}
 	privPEM := pem.EncodeToMemory(block)
 
diff --git a/cmd/tsa/createcertchain/main.go b/cmd/tsa/createcertchain/main.go
index 8a4534094..c38493c96 100644
--- a/cmd/tsa/createcertchain/main.go
+++ b/cmd/tsa/createcertchain/main.go
@@ -25,6 +25,7 @@ import (
 	"os"
 
 	"github.com/google/uuid"
+	"go.step.sm/crypto/pemutil"
 	"github.com/sigstore/scaffolding/pkg/secret"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
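Review bot: The `key-password` help text still reads as though the PEM key is always encrypted, while the new default `""` together with the `if c.PrivKeyPassword != ""` guard added in pkg/ctlog/config.go in this same commit means the generated private key is placed in the secret unencrypted unless the operator explicitly passes a password. That silently changes the security posture of the default invocation, so the flag itself should say so: `keyPassword = flag.String("key-password", "", "Password for encrypting the PEM key; empty leaves the key unencrypted")`. It would also help to log at key-generation time whether the key was encrypted, so the choice is visible in deployment logs rather than only discoverable by inspecting the secret. The `var (` block continues outside the hunk.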
@@ -98,7 +99,7 @@ func main() {
 	}
 	// Encrypt the pem with a uuid
 	pwd := uuid.New().String()
-	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(pwd), x509.PEMCipherAES256) // nolint
+	encryptedBlock, err := pemutil.EncryptPKCS8PrivateKey(rand.Reader, block.Bytes, []byte(pwd), x509.PEMCipherAES256)
 	if err != nil {
 		logging.FromContext(ctx).Fatalf("Failed to encrypt private key: %v", err)
 	}
diff --git a/pkg/ctlog/config.go b/pkg/ctlog/config.go
index dc26d28b0..c29c2fa30 100644
--- a/pkg/ctlog/config.go
+++ b/pkg/ctlog/config.go
@@ -326,12 +326,14 @@ func (c *Config) marshalSecrets() (map[string][]byte, error) {
 		Bytes: marshalledPrivKey,
 	}
 	// Encrypt the pem
-	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256) // nolint
-	if err != nil {
-		return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+	if c.PrivKeyPassword != "" {
+		block, err = x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, []byte(c.PrivKeyPassword), x509.PEMCipherAES256) // nolint
+		if err != nil {
+			return nil, fmt.Errorf("failed to encrypt private key: %w", err)
+		}
 	}
-	privPEM := pem.EncodeToMemory(encryptedBlock)
+	privPEM := pem.EncodeToMemory(block)
 	if privPEM == nil {
 		return nil, fmt.Errorf("failed to encode encrypted private key")
 	}
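Review bot: Replacing `x509.EncryptPEMBlock` with `pemutil.EncryptPKCS8PrivateKey` on the new `encryptedBlock` line changes the stored key format from the legacy PEM encryption (DEK-Info header on the original `block.Type`) to a PKCS#8 EncryptedPrivateKeyInfo block, so whatever later reads this key out of the secret must accept the PKCS#8 encrypted form; it is not visible in this diff whether the TSA's key loader was updated to match. A comment at the call site would keep the two sides from drifting, e.g. `// Stored as PKCS#8 EncryptedPrivateKeyInfo; the TSA key loader must parse that form, not the legacy DEK-Info PEM.`. Note also that `block.Type` is no longer consumed here, so the PEM header of the written key is now whatever the pemutil helper emits rather than the original block's type. The body of main starts and ends outside the hunk.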