diff --git a/cmd/encryption.go b/cmd/encryption.go
index 61ed2cc35a1e54acff1cb229c0514f1bf15b21cb..7bc451ed028ebad92a5a2146780eec6a39526247 100644
--- a/cmd/encryption.go
+++ b/cmd/encryption.go
@@ -91,7 +91,7 @@ func RotateEncryptionKey(
 		return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Key Rotation is not supported with custom configuration")
 	}
 	if !kubeCluster.IsEncryptionEnabled() {
-		return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Encryption Configuration is disabled")
+		return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Encryption Configuration is disabled. Please disable rotate_encryption_key and run rke up again")
 	}
 
 	kubeCluster.Certificates = rkeFullState.DesiredState.CertificatesBundle
diff --git a/cmd/up.go b/cmd/up.go
index b0a2bda42c3cb17222c00a35f33315e5fe285e35..cbc4af339837116ef6a7bd2f092a8fcdbc44d643 100644
--- a/cmd/up.go
+++ b/cmd/up.go
@@ -104,7 +104,10 @@ func ClusterUp(ctx context.Context, dialersOptions hosts.DialersOptions, flags c
 	}
 	// if we need to rotate the encryption key, do so and then return
 	if kubeCluster.RancherKubernetesEngineConfig.RotateEncryptionKey {
-		return RotateEncryptionKey(ctx, clusterState.CurrentState.RancherKubernetesEngineConfig.DeepCopy(), dialersOptions, flags)
+		// rotate the encryption key only when updating an existing cluster
+		if clusterState.CurrentState.RancherKubernetesEngineConfig != nil {
+			return RotateEncryptionKey(ctx, clusterState.CurrentState.RancherKubernetesEngineConfig.DeepCopy(), dialersOptions, flags)
+		}
 	}
 
 	log.Infof(ctx, "Building Kubernetes cluster")