diff --git a/command/init.go b/command/init.go
index 2c7b0dfa43..b126962a62 100644
--- a/command/init.go
+++ b/command/init.go
@@ -97,12 +97,11 @@ Init Options:
 -pgp-keys If provided, must be a comma-separated list of files on disk containing binary-format public PGP keys. The number of files must match 'key-shares'.
- The output unseal keys will be hex-encoded and
- encrypted, in order, with the given public keys.
+ The output unseal keys will encrypted and hex-encoded,
+ in order, with the given public keys.
 If you want to use them with the 'vault unseal'
- command, you will need to hex decode, decrypt, and
- hex encode the result; this will be the plaintext
- unseal key.
+ command, you will need to hex decode and decrypt;
+ this will be the plaintext unseal key.
 `
 return strings.TrimSpace(helpText)
 }
diff --git a/command/pgp_test.go b/command/pgp_test.go
index f43d8af411..77a7dd9ffb 100644
--- a/command/pgp_test.go
+++ b/command/pgp_test.go
@@ -113,7 +113,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *
 t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
 }
 ptBuf.ReadFrom(md.UnverifiedBody)
- unsealKeys = append(unsealKeys, hex.EncodeToString(ptBuf.Bytes()))
+ unsealKeys = append(unsealKeys, ptBuf.String())
 }
 err = core.Seal(rootToken)
@@ -124,7 +124,7 @@ func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *
 for i, unsealKey := range unsealKeys {
 unsealBytes, err := hex.DecodeString(unsealKey)
 if err != nil {
- t.Fatalf("Error decoding hex string %s: %s", unsealKey, err)
+ t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
 }
 unsealed, err := core.Unseal(unsealBytes)
 if err != nil {
diff --git a/command/rekey.go b/command/rekey.go
index c89b1f8c23..17046c1593 100644
--- a/command/rekey.go
+++ b/command/rekey.go
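Review bot: The new help text in the init.go hunk reads `The output unseal keys will encrypted and hex-encoded,` — the verb is missing "be"; change it to `The output unseal keys will be encrypted and hex-encoded,`. The identical sentence is added in the rekey.go hunk (@@ -234,13 +234,11 @@) and needs the same fix. This help string is the only place the CLI tells an operator the order of the decoding steps needed to recover a usable unseal key, so it is worth reading the two new sentences once more against what helper/pgpkeys/encryptshares.go actually produces before merging.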
@@ -234,13 +234,11 @@ Unseal Options:
 -pgp-keys If provided, must be a comma-separated list of files on disk containing binary-format public PGP keys. The number of files must match 'key-shares'.
- The output unseal keys will be hex-encoded and
- encrypted, in order, with the given public keys.
+ The output unseal keys will encrypted and hex-encoded,
+ in order, with the given public keys.
 If you want to use them with the 'vault unseal'
- command, you will need to hex decode, decrypt, and
- hex encode the result; this will be the plaintext
- unseal key.
-
+ command, you will need to hex decode and decrypt;
+ this will be the plaintext unseal key.
 `
 return strings.TrimSpace(helpText)
 }
diff --git a/helper/pgpkeys/encryptshares.go b/helper/pgpkeys/encryptshares.go
index 30fbeddc7c..3cc1eda8bd 100644
--- a/helper/pgpkeys/encryptshares.go
+++ b/helper/pgpkeys/encryptshares.go
@@ -3,6 +3,7 @@ package pgpkeys
 import (
 "bytes"
 "encoding/base64"
+ "encoding/hex"
 "fmt"
 "golang.org/x/crypto/openpgp"
@@ -34,7 +35,7 @@ func EncryptShares(secretShares [][]byte, pgpKeys []string) ([][]byte, error) {
 if err != nil {
 return nil, fmt.Errorf("Error setting up encryption for PGP message: %s", err)
 }
- _, err = pt.Write(secretShares[i])
+ _, err = pt.Write([]byte(hex.EncodeToString(secretShares[i])))
 if err != nil {
 return nil, fmt.Errorf("Error encrypting PGP message: %s", err)
 }
diff --git a/website/source/docs/http/sys-init.html.md b/website/source/docs/http/sys-init.html.md
index d08c78ed5a..3b8f1fb893 100644
--- a/website/source/docs/http/sys-init.html.md
+++ b/website/source/docs/http/sys-init.html.md
@@ -73,7 +73,8 @@ description: |-
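Review bot: EncryptShares now writes the hex encoding of each share into the PGP plaintext instead of the raw share bytes, but nothing on the function records this, and every consumer (the CLI help text, parseDecryptAndTestUnsealKeys in pgp_test.go, any operator decrypting by hand) must know that the decrypted message is hex text that still has to be hex-decoded before use as an unseal key. Add a doc comment on the signature, which sits above the hunk (the function body starts before line 34): `// EncryptShares encrypts each share with the PGP key at the same index. Each share is hex-encoded before encryption, so the decrypted message is a hex string, not the raw share bytes.` The `[]byte(hex.EncodeToString(...))` round trip also leaves an immutable string copy of the hex share on the heap that cannot be zeroed once the message is written; `buf := make([]byte, hex.EncodedLen(len(secretShares[i])))`, `hex.Encode(buf, secretShares[i])`, `_, err = pt.Write(buf)` keeps the encoded share in a byte slice the caller can clear, at no cost in readability.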
Returns
- A JSON-encoded object including the master keys and initial root token:
+ A JSON-encoded object including the (possibly encrypted, if
+ pgp_keys was provided) master keys and initial root token:
 ```javascript
 {
diff --git a/website/source/docs/http/sys-rekey.html.md b/website/source/docs/http/sys-rekey.html.md
index 1daa4c6fb4..2f25a9cf4b 100644
--- a/website/source/docs/http/sys-rekey.html.md
+++ b/website/source/docs/http/sys-rekey.html.md
@@ -149,7 +149,8 @@ description: |-
Returns
- A JSON-encoded object indicating completion and if so with the new master keys:
+ A JSON-encoded object indicating completion and if so with the (possibly
+ encrypted, if pgp_keys was provided) new master keys:
 ```javascript
 {