diff --git a/heat/api/middleware/fault.py b/heat/api/middleware/fault.py
index c8cf3e8aab..dd4b386bc8 100644
--- a/heat/api/middleware/fault.py
+++ b/heat/api/middleware/fault.py
@@ -77,6 +77,7 @@ class FaultWrapper(wsgi.Middleware):
 'StopActionFailed': webob.exc.HTTPInternalServerError,
 'EventSendFailed': webob.exc.HTTPInternalServerError,
 'ServerBuildFailed': webob.exc.HTTPInternalServerError,
+ 'InvalidEncryptionKey': webob.exc.HTTPInternalServerError,
 'NotSupported': webob.exc.HTTPBadRequest,
 'MissingCredentialError': webob.exc.HTTPBadRequest,
 'UserParameterMissing': webob.exc.HTTPBadRequest,
diff --git a/heat/common/crypt.py b/heat/common/crypt.py
index d5619dff0d..ac9cdcf1b1 100644
--- a/heat/common/crypt.py
+++ b/heat/common/crypt.py
@@ -21,6 +21,7 @@ from oslo_serialization import jsonutils
 from oslo_utils import encodeutils
 from oslo_utils import importutils
 
+from heat.common import exception
 from heat.common.i18n import _
 
 auth_opts = [
@@ -128,7 +129,10 @@ def cryptography_decrypt_v1(value, encryption_key=None):
 encryption_key = get_valid_encryption_key(encryption_key, fix_length=True)
 encoded_key = base64.b64encode(encryption_key.encode('utf-8'))
 sym = fernet.Fernet(encoded_key)
- return sym.decrypt(encodeutils.safe_encode(value))
+ try:
+ return sym.decrypt(encodeutils.safe_encode(value))
+ except fernet.InvalidToken:
+ raise exception.InvalidEncryptionKey()
 
 
 def get_valid_encryption_key(encryption_key, fix_length=False):
diff --git a/heat/common/exception.py b/heat/common/exception.py
index 0947f48a8c..e498971644 100644
--- a/heat/common/exception.py
+++ b/heat/common/exception.py
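Review bot: The new `except fernet.InvalidToken` branch in cryptography_decrypt_v1 attributes every decryption failure to the configured key, but Fernet raises InvalidToken for any token that fails its integrity check, so a corrupted or tampered stored value decrypted with the correct key takes the same path and is reported to the operator as a configuration problem. The same assumption is baked into the `InvalidEncryptionKey.msg_fmt` added in heat/common/exception.py, which names auth_encryption_key even though cryptography_decrypt_v1 accepts an explicitly passed encryption_key (the new test relies on that). Suggest a comment on the except line, `# InvalidToken covers both a wrong key and ciphertext that fails Fernet's integrity check`, and a message that does not assert which of the two occurred. Because a failed integrity check on data at rest is a signal operators should be able to see, consider logging the original exception before re-raising if crypt.py has a module logger (not visible in this hunk). The signature and start of cryptography_decrypt_v1 lie outside the hunk.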
@@ -161,6 +161,11 @@ class TemplateOutputError(HeatException):
 msg_fmt = _('Error in %(resource)s output %(attribute)s: %(message)s')
 
 
+class InvalidEncryptionKey(HeatException):
+ msg_fmt = _('Can not decrypt data with the auth_encryption_key'
+ ' in heat config.')
+
+
 class InvalidExternalResourceDependency(HeatException):
 msg_fmt = _("Invalid dependency with external %(resource_type)s "
 "resource: %(external_id)s")
diff --git a/heat/tests/test_crypt.py b/heat/tests/test_crypt.py
index ad1af2e236..b1192b3d39 100644
--- a/heat/tests/test_crypt.py
+++ b/heat/tests/test_crypt.py
@@ -60,3 +60,17 @@ class CryptTest(common.HeatTestCase):
 
 def test_encrypt_decrypt_dict_default_enc_key(self):
 self._test_encrypt_decrypt_dict()
+
+ def test_decrypt_dict_invalid_key(self):
+ data = {'p1': u'happy',
+ '2': [u'a', u'little', u'blue'],
+ '6': 7}
+ encrypted_data = crypt.encrypted_dict(
+ data, '767c3ed056cbaa3b9dfedb8c6f825bf0')
+ ex = self.assertRaises(exception.InvalidEncryptionKey,
+ crypt.decrypted_dict,
+ encrypted_data,
+ '767c3ed056cbaa3b9dfedb8c6f825bf1')
+ self.assertEqual('Can not decrypt data with the auth_encryption_key '
+ 'in heat config.',
+ six.text_type(ex))
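Review bot: test_decrypt_dict_invalid_key only exercises the wrong-key path, while a corrupted or truncated ciphertext decrypted with the correct key also raises fernet.InvalidToken and therefore now surfaces as InvalidEncryptionKey, and nothing in the test file pins that behaviour. A sibling test that alters one encrypted value inside `encrypted_data` and decrypts with the original key `'767c3ed056cbaa3b9dfedb8c6f825bf0'` would make the mapping deliberate rather than incidental. The exact-string assertion also couples this test to the `msg_fmt` wording added in heat/common/exception.py, so any rewording there has to be mirrored here.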