diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go
index c753c7b25..cf30cf812 100644
--- a/cmd/talosctl/cmd/mgmt/cluster/create.go
+++ b/cmd/talosctl/cmd/mgmt/cluster/create.go
@@ -455,7 +455,7 @@ func create(ctx context.Context, flags *pflag.FlagSet) (err error) {
 keys = append(keys, &v1alpha1.EncryptionKey{
 KeyKMS: &v1alpha1.EncryptionKeyKMS{
- KMSEndpoint: "http://" + nethelpers.JoinHostPort(ip.String(), port),
+ KMSEndpoint: "grpc://" + nethelpers.JoinHostPort(ip.String(), port),
 },
 KeySlot: i,
 })
diff --git a/internal/pkg/encryption/keys/kms.go b/internal/pkg/encryption/keys/kms.go
index 204a326d2..9ac173994 100644
--- a/internal/pkg/encryption/keys/kms.go
+++ b/internal/pkg/encryption/keys/kms.go
@@ -128,9 +128,9 @@ func (h *KMSKeyHandler) getConn(ctx context.Context) (*grpc.ClientConn, error) {
 }
 if endpoint.Insecure {
- transportCredentials = credentials.NewTLS(&tls.Config{})
- } else {
 transportCredentials = insecure.NewCredentials()
+ } else {
+ transportCredentials = credentials.NewTLS(&tls.Config{})
 }
 return grpc.DialContext(ctx, endpoint.Host, grpc.WithTransportCredentials(transportCredentials))
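Review bot: Nothing at the `KMSEndpoint` line says that the `grpc://` scheme is what selects the plaintext transport. Judging from the companion change in kms.go it presumably ends up as `endpoint.Insecure`, though the endpoint parser is not shown here. A short comment such as `// grpc:// selects plaintext gRPC (no TLS); intended only for the KMS provisioned with this dev cluster` would keep the value from being copied into a machine config that talks to a real KMS. The enclosing create function starts and ends outside the hunk.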
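Review bot: The TLS branch in getConn builds its credentials from an empty `tls.Config{}`, so the minimum protocol version is whatever the Go toolchain defaults to. For a channel that carries disk-encryption key requests I would pin it explicitly, e.g. `transportCredentials = credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12})`. With the branches swapped, an endpoint not marked insecure was dialed with `insecure.NewCredentials()` and nothing in the visible lines reported it. A small table test asserting which credentials each value of `endpoint.Insecure` yields would stop that from regressing. getConn begins above the hunk, so how `endpoint` is parsed is not visible.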