diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6554886..e5914488 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
 - Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
 - iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
 - Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)
diff --git a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
index 99558147..a38bdb55 100644
--- a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
+++ b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
@@ -99,6 +99,10 @@ extension TunnelKitProvider.Configuration {
 var tlsKeyLines: [Substring]?
 var tlsWrap: SessionProxy.TLSWrap?
+ var currentBlockName: String?
+ var currentBlock: [String] = []
+ var unsupportedError: ApplicationError? = nil
+
 log.verbose("Configuration file:")
 for line in lines {
 log.verbose(line)
@@ -111,10 +115,6 @@ extension TunnelKitProvider.Configuration {
 }
 }
- var currentBlockName: String?
- var currentBlock: [String] = []
- var unsupportedError: ApplicationError? = nil
-
 Regex.blockBegin.enumerateComponents(in: line) {
 isHandled = true
 let tag = $0.first!
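Review bot: `var unsupportedError: ApplicationError? = nil` in the hoisted declarations carries a redundant `= nil` while the neighbouring `var currentBlockName: String?` relies on the implicit nil default; the three lines should agree, e.g. `var unsupportedError: ApplicationError?`. Since these variables now live outside the `for line in lines` loop (the second hunk removes them from inside it), a one-line comment above them would spare the next reader from wondering why they are not per-line state, something like `// Parser state kept across lines: the inline block being collected and the unsupported option recorded so far.`. The enclosing parsing function starts and ends outside the hunk.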
@@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
 clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
 case "key":
- clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ clientKey = container
+ if container.isEncrypted {
+ unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
+ }
 case "tls-auth":
 tlsKeyLines = currentBlock.map { Substring($0) }
@@ -382,3 +386,9 @@ private extension NSRegularExpression {
 }
 }
 }
+
+extension CryptoContainer {
+ var isEncrypted: Bool {
+ return pem.contains("ENCRYPTED")
+ }
+}
diff --git a/README.md b/README.md
index 2d0e4617..15467013 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ Unsupported:
 - `--compress` other than empty
 - Proxy
 - External file references (inline `` only)
-- Encrypted certificate private key (will raise error TunnelKitNative Code=205)
+- Encrypted client certificate keys
 Ignored:
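Review bot: `clientKey = container` stores the key in the parsed configuration before the encryption check two lines below records `unsupportedError`, so an encrypted key that the commit deliberately rejects still ends up in the result as well as in the error. Assigning only when the key is usable keeps the two consistent: `if container.isEncrypted { unsupportedError = .unsupportedConfiguration(option: "encrypted client certificate key") } else { clientKey = container }`. Whether the caller discards the whole configuration once `unsupportedError` is set is decided outside the hunk, so this only matters if partial results are ever used. The `ApplicationError.` prefix can be dropped either way, since the type is fixed by `unsupportedError`; the enclosing switch and parsing function start and end outside the hunk.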
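Review bot: `isEncrypted` is a substring search over the whole PEM, so any `ENCRYPTED` outside the header (a comment line in the inline block, or other text carried into the container) would reject an unencrypted key, and this property is the sole input to the rejection in the `case "key":` hunk above. The two markers that actually denote an encrypted key are the PKCS#8 `-----BEGIN ENCRYPTED PRIVATE KEY-----` header and, for the traditional OpenSSL format, a `Proc-Type: 4,ENCRYPTED` line, so matching those lines is a tighter check with the same coverage. The property is also undocumented; a `///` comment should say that it is a textual header check rather than a parse of the key, as in the excerpt below.

```swift
extension CryptoContainer {
    /// Whether `pem` declares an encrypted private key, detected textually from the
    /// PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` header or an OpenSSL `Proc-Type: 4,ENCRYPTED`
    /// line; the key material itself is not parsed.
    var isEncrypted: Bool {
        return pem.split(separator: "\n").contains { line in
            line.hasPrefix("-----BEGIN ENCRYPTED PRIVATE KEY-----")
                || (line.hasPrefix("Proc-Type:") && line.contains("ENCRYPTED"))
        }
    }
}
```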