diff --git a/cmd/dex-overlord/main.go b/cmd/dex-overlord/main.go
index b8d48fc9..9f4715cf 100644
--- a/cmd/dex-overlord/main.go
+++ b/cmd/dex-overlord/main.go
@@ -72,6 +72,10 @@ func main() {
 		log.Fatalf("Unable to use --admin-listen flag: %v", err)
 	}
 
+	if len(keySecrets.BytesSlice()) == 0 {
+		log.Fatalf("Must specify at least one key secret")
+	}
+
 	dbCfg := db.Config{
 		DSN:                *dbURL,
 		MaxIdleConnections: 1,
diff --git a/cmd/dex-worker/main.go b/cmd/dex-worker/main.go
index 8e0aceb9..a13aeb0c 100644
--- a/cmd/dex-worker/main.go
+++ b/cmd/dex-worker/main.go
@@ -135,6 +135,9 @@ func main() {
 			UsersFile:      *users,
 		}
 	} else {
+		if len(keySecrets.BytesSlice()) == 0 {
+			log.Fatalf("Must specify at least one key secret")
+		}
 		if *dbMaxIdleConns == 0 {
 			log.Warning("Running with no limit on: database idle connections")
 		}
diff --git a/db/key.go b/db/key.go
index 3ac45034..126a5e81 100644
--- a/db/key.go
+++ b/db/key.go
@@ -90,6 +90,9 @@ type privateKeySetBlob struct {
 }
 
 func NewPrivateKeySetRepo(dbm *gorp.DbMap, useOldFormat bool, secrets ...[]byte) (*PrivateKeySetRepo, error) {
+	if len(secrets) == 0 {
+		return nil, errors.New("must provide at least one key secret")
+	}
 	for i, secret := range secrets {
 		if len(secret) != 32 {
 			return nil, fmt.Errorf("key secret %d: expected 32-byte secret", i)
diff --git a/db/key_test.go b/db/key_test.go
index 99449b46..7d035fcc 100644
--- a/db/key_test.go
+++ b/db/key_test.go
@@ -7,6 +7,10 @@ import (
 func TestNewPrivateKeySetRepoInvalidKey(t *testing.T) {
 	_, err := NewPrivateKeySetRepo(nil, false, []byte("sharks"))
 	if err == nil {
-		t.Fatalf("Expected non-nil error")
+		t.Errorf("Expected non-nil error for key secret that was not 32 bytes")
+	}
+	_, err = NewPrivateKeySetRepo(nil, false)
+	if err == nil {
+		t.Fatalf("Expected non-nil error when creating repo with no key secrets")
 	}
 }