diff --git a/swift/common/middleware/crypto/keymaster.py b/swift/common/middleware/crypto/keymaster.py
index da337d37e6..39986e3db2 100644
--- a/swift/common/middleware/crypto/keymaster.py
+++ b/swift/common/middleware/crypto/keymaster.py
@@ -214,6 +214,10 @@ class BaseKeyMaster(object):
 if self.active_secret_id not in self._root_secrets:
 raise ValueError('No secret loaded for active_root_secret_id %s' %
 self.active_secret_id)
+ for secret_id, secret in self._root_secrets.items():
+ if not isinstance(secret, bytes):
+ raise ValueError('Secret with id %s is %s, not bytes' % (
+ secret_id, type(secret)))
 @property
 def root_secret(self):
diff --git a/swift/common/middleware/crypto/kms_keymaster.py b/swift/common/middleware/crypto/kms_keymaster.py
index 3cef333c7a..f9a542e1a4 100644
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@@ -96,7 +96,10 @@ class KmsKeyMaster(BaseKeyMaster):
 except Exception:
 raise ValueError("Secret with key_id '%s' is not a symmetric "
 "key (type: %s)" % (key_id, str(type(key))))
- root_secrets[secret_id] = key.get_encoded()
+ secret = key.get_encoded()
+ if not isinstance(secret, bytes):
+ secret = secret.encode('utf-8')
+ root_secrets[secret_id] = secret
 return root_secrets
diff --git a/test/unit/common/middleware/crypto/test_kms_keymaster.py b/test/unit/common/middleware/crypto/test_kms_keymaster.py
index dcb1521766..28222a27bd 100644
--- a/test/unit/common/middleware/crypto/test_kms_keymaster.py
+++ b/test/unit/common/middleware/crypto/test_kms_keymaster.py
@@ -129,7 +129,10 @@ class MockBarbicanKeyManager(object):
 raise ValueError(ERR_MESSAGE_SECRET_INCORRECTLY_SPECIFIED)
 elif key_id == TEST_KMS_NONE_KEY_ID:
 return None
- key_str = (str(key_id[0]) * 32).encode('utf8')
+ if 'unicode' in key_id:
+ key_str = key_id[0] * 32
+ else:
+ key_str = (str(key_id[0]) * 32).encode('utf8')
 return MockBarbicanKey(key_str, key_id)
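Review bot: The added loop in keymaster.py rejects non-bytes root secrets but carries no comment saying why the check belongs at load time rather than at first use. Something like `# Fail at startup: every root secret must be bytes before any key is derived from it` would record the intent; the derivation code is outside this hunk, so the wording should be confirmed against it. The message reports only `secret_id` and `type(secret)`, which keeps the secret value out of logs and tracebacks, and that is worth preserving if the text is ever reworded. The check covers type only, so an empty or very short bytes value still passes here. The enclosing method starts above the hunk.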
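Review bot: The fallback `secret = secret.encode('utf-8')` in kms_keymaster.py runs for any non-bytes return from `get_encoded()`, so a value that is neither bytes nor text (None, a bytearray) fails with AttributeError instead of the ValueError the surrounding code raises for unusable keys. Narrowing the branch to text, e.g. `if isinstance(secret, type(u'')): secret = secret.encode('utf-8')`, would let anything else fall through to the base-class bytes check, assuming that check runs on the returned dict. Encoding also changes the byte length of a non-ASCII secret (three bytes per character in the snowman test case), so any size check made on the key's metadata above this hunk no longer describes the bytes that are stored. A short comment stating that the UTF-8 form is the canonical root secret would help whoever later rotates or migrates keys. The enclosing method begins above the hunk.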
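Review bot: The `'unicode' in key_id` switch in the mock is a hidden convention: nothing in the hunk says that the substring selects a text payload, and a later test key id that happens to contain the word would change type silently. A comment on the branch, e.g. `# key ids containing 'unicode' return text instead of bytes, to exercise the keymaster's UTF-8 fallback`, would make it explicit. If this suite still runs under Python 2, `key_id[0] * 32` for a native-str id is already bytes there, so only the `u'...'` id would reach the text path. The enclosing mock method starts above the hunk.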
@@ -806,6 +809,8 @@ class TestKmsKeymaster(unittest.TestCase):
 config.update({
 'key_id_foo': 'foo-valid_kms_key_id-123456',
 'key_id_bar': 'bar-valid_kms_key_id-123456',
+ 'key_id_baz': 'zz-valid_unicode_kms_key_id-123456',
+ 'key_id_non_ascii': u'\N{SNOWMAN}_unicode_key_id',
 'active_root_secret_id': 'foo'})
 # Set side_effect functions.
@@ -825,7 +830,9 @@ class TestKmsKeymaster(unittest.TestCase):
 expected_secrets = {
 None: b'vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv',
 'foo': b'ffffffffffffffffffffffffffffffff',
- 'bar': b'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'}
+ 'bar': b'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
+ 'baz': b'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz',
+ 'non_ascii': b'\xe2\x98\x83' * 32}
 self.assertDictEqual(self.app._root_secrets, expected_secrets)
 self.assertEqual(self.app.active_secret_id, 'foo')
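Review bot: The `'non_ascii'` expectation (`b'\xe2\x98\x83' * 32`, 96 bytes against 32 for the other entries) is the only visible place that pins UTF-8 as the byte form of a text root secret, and only the success path is asserted. A comment such as `# text secrets are stored UTF-8 encoded; changing this would change the root secret for existing deployments` would mark it as a compatibility contract, since keys derived from the root secret presumably depend on these exact bytes. A companion case in which the mocked key returns neither bytes nor text would show which exception an operator sees at startup. The test method starts above the hunk.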