diff --git a/internal/bsr/internal/sign/sign.go b/internal/bsr/internal/sign/sign.go
index 8adfec2770..67ee800f64 100644
--- a/internal/bsr/internal/sign/sign.go
+++ b/internal/bsr/internal/sign/sign.go
@@ -12,6 +12,7 @@ import (
 "fmt"
 "io"
 "io/fs"
+ "sync"
 
 "github.com/hashicorp/boundary/internal/bsr/internal/is"
 "github.com/hashicorp/boundary/internal/bsr/kms"
@@ -29,6 +30,10 @@ type Writer struct {
 buf *bytes.Buffer
 w io.Writer
 tee io.Writer
+
+ // This lock protects the buf and w variables defined in this Writer struct as a
+ // consequence of these variables both being written to at the same time using tee
+ l sync.Mutex
 }
 
 // NewWriter returns a Writer that wraps an io.Writer.
@@ -52,6 +57,8 @@ func NewWriter(_ context.Context, w io.Writer, keys *kms.Keys) (*Writer, error)
 }
 
 func (w *Writer) Write(b []byte) (int, error) {
+ w.l.Lock()
+ defer w.l.Unlock()
 return w.tee.Write(b)
 }
 
@@ -63,6 +70,8 @@ func (w *Writer) WriteString(s string) (int, error) {
 // Close implements the io.Closer method.
 func (w *Writer) Close() error {
 const op = "sign.(Writer).Close"
+ w.l.Lock()
+ defer w.l.Unlock()
 var i interface{} = w.w
 v, ok := i.(io.WriteCloser)
 if ok {
@@ -75,6 +84,8 @@ func (w *Writer) Close() error {
 
 // Sign returns the signature of the data written to the writer.
 func (w *Writer) Sign(ctx context.Context) (*wrapping.SigInfo, error) {
+ w.l.Lock()
+ defer w.l.Unlock()
 sig, err := w.keys.SignWithPrivKey(ctx, w.buf.Bytes())
 if err != nil {
 return nil, err
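Review bot: The mutex added to the Writer struct is named `l`, which is easy to misread beside the `w` field and the `w` receiver; Go code conventionally names it `mu` and places it directly above the fields it guards. The two-line comment could state the guarded fields in one line, for example `// mu guards buf and w, which tee writes to together.` Because Writer now holds a sync.Mutex by value it must not be copied after first use; the `*Writer` return of NewWriter and the pointer receivers visible in this diff are consistent with that.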
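Review bot: WriteString is not changed by this diff (it appears only as the section heading of the following hunk), so whether it is covered by the lock added to Write depends on its body, which is not visible here. If it calls `w.Write(...)` it inherits the lock; if it writes to `w.tee` directly it can still race with Write, Close and Sign and needs the same `w.l.Lock()` / `defer w.l.Unlock()` pair. A test with concurrent writers run under `go test -race` would confirm that every path into `tee` is serialized.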
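Review bot: In Sign, the lock makes the signed bytes a consistent snapshot of `w.buf`, but nothing in the visible code stops a Write from landing after Sign returns, so the signature may cover only a prefix of what reaches the underlying writer. If the contract is that callers finish writing before calling Sign, say so in the doc comment, e.g. `// Sign covers only the bytes written before it is called; later writes are not signed.` The mutex is also held for the whole `SignWithPrivKey` call, which is needed while `w.buf.Bytes()` aliases the buffer, but it means a slow signing call blocks Write and Close, and waiting on the mutex does not honour `ctx`. The function body continues past the end of the hunk.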