diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15ac117bd..4bb88c5a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,8 @@ IMPROVEMENTS:

 BUG FIXES:

+ * core: nicer error message if an encrypted private key is used for
+ SSH. [GH-1445]
 * builder/amazon-chroot: Can properly build HVM images now. [GH-1360]
 * builder/amazon-chroot: Fix crash in root device check. [GH-1360]
 * builder/amazon-instance: Fix deprecation warning for `ec2-bundle-vol`
diff --git a/common/ssh/key.go b/common/ssh/key.go
index b26981f3d..11a4b0742 100644
--- a/common/ssh/key.go
+++ b/common/ssh/key.go
@@ -1,6 +1,7 @@
 package ssh

 import (
+ "encoding/pem"
 "fmt"
 "io/ioutil"
 "os"
@@ -21,6 +22,19 @@ func FileSigner(path string) (ssh.Signer, error) {
 return nil, err
 }

+ // We parse the private key on our own first so that we can
+ // show a nicer error if the private key has a password.
+ block, _ := pem.Decode(keyBytes)
+ if block == nil {
+ return nil, fmt.Errorf(
+ "Failed to read key '%s': no key found", path)
+ }
+ if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+ return nil, fmt.Errorf(
+ "Failed to read key '%s': password protected keys are\n"+
+ "not supported. Please decrypt the key prior to use.", path)
+ }
+
 signer, err := ssh.ParsePrivateKey(keyBytes)
 if err != nil {
 return nil, fmt.Errorf("Error setting up SSH config: %s", err)
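Review bot: The encrypted-key check added to FileSigner compares only `block.Headers["Proc-Type"]` with `"4,ENCRYPTED"`, which matches legacy PEM encryption but not a PKCS#8 block of type `ENCRYPTED PRIVATE KEY`, which carries no such header. Such a key would presumably fall through to `ssh.ParsePrivateKey` and surface the generic "Error setting up SSH config" message, which is what this change set out to avoid. Widening the condition to `if block.Headers["Proc-Type"] == "4,ENCRYPTED" || block.Type == "ENCRYPTED PRIVATE KEY" {` would cover it. Because the message tells users to decrypt the key before use, it may be worth wording it so they decrypt into a temporary copy with owner-only permissions rather than stripping the passphrase from the original. FileSigner's body begins above this hunk and continues below it.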