diff --git a/lib/chef/provider/private_key.rb b/lib/chef/provider/private_key.rb index efbfc55..7a3ec7d 100644 --- a/lib/chef/provider/private_key.rb +++ b/lib/chef/provider/private_key.rb @@ -195,6 +195,7 @@ def load_current_resource if new_key begin key, key_format = Cheffish::KeyFormatter.decode(new_key, new_resource.pass_phrase, new_path) + if key @current_private_key = key resource.format key_format[:format] @@ -205,7 +206,8 @@ def load_current_resource resource.cipher key_format[:cipher] end rescue - # If there's an error reading, we assume format and type are wrong and don't futz with them + # promote a raised error up the stack + raise $! end else resource.action :delete diff --git a/lib/cheffish/key_formatter.rb b/lib/cheffish/key_formatter.rb index 2c4011b..08b72ef 100644 --- a/lib/cheffish/key_formatter.rb +++ b/lib/cheffish/key_formatter.rb @@ -10,7 +10,12 @@ class KeyFormatter # Returns nil or key, format def self.decode(str, pass_phrase=nil, filename='') key_format = {} - key_format[:format] = format_of(str) + key_format[:format], key_format[:encrypted] = format_of(str) + + # make sure we have a pass phrase for an encrypted key + if key_format[:encrypted] && pass_phrase.nil? + raise "You are attempting to use an encrypted key but did not provide a password" + end case key_format[:format] when :openssh @@ -83,13 +88,26 @@ def self.decode_openssh_key(str, filename='') end def self.format_of(key_contents) - if key_contents.start_with?('-----BEGIN ') - :pem + + format = nil + encrypted = nil + + if key_contents.include?('ENCRYPTED') + encrypted = true + end + + if key_contents.start_with?('-----BEGIN RSA PRIVATE KEY') + format = :pem elsif key_contents.start_with?('ssh-rsa ') || key_contents.start_with?('ssh-dss ') - :openssh + format = :openssh + # TODO figure out der format + # else + # :der else - :der + format = :unknown end + + [format, encrypted] end def self.type_of(key) 
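Review bot: In the second hunk of lib/chef/provider/private_key.rb, the bare `rescue` whose only body is `raise $!` behaves the same as having no rescue clause, so the `begin`/`rescue` wrapper can be dropped. If it stays, it should add something, such as re-raising with `new_path` in the message (and never the pass phrase), and plain `raise` is the idiomatic re-raise. Every decode failure on the key at that path now aborts `load_current_resource`, not only the missing-pass-phrase case, so confirm that is intended for files the old code tolerated. The method begins and ends outside the hunk.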
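Review bot: The new guard in `decode` raises a bare string, which becomes a RuntimeError that does not say which key was rejected even though `filename` is in scope. Consider `raise ArgumentError, "#{filename}: key is encrypted but no pass_phrase was given"`. The test `pass_phrase.nil?` also lets an empty string through, which presumably is no more usable than nil; `pass_phrase.to_s.empty?` would cover both. The comment above the method still reads `# Returns nil or key, format` and should mention that it now raises. The rest of `decode` is outside the hunk.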
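Review bot: `format_of` now derives `encrypted` from `key_contents.include?('ENCRYPTED')` over the whole input, so the word anywhere in the text (for example in the comment field of an `ssh-rsa` line) makes `decode` demand a pass phrase; the check should look only at the PEM armor. The PEM prefix was also narrowed from `-----BEGIN ` to `-----BEGIN RSA PRIVATE KEY`, so PEM public keys, DSA keys and PKCS#8 `-----BEGIN ENCRYPTED PRIVATE KEY` blocks now return `:unknown`, and binary input no longer maps to `:der`. How `decode` handles `:unknown` is outside the hunk, so this may silently yield no key. The return value changed from a symbol to a two-element array, so any other caller of this public method needs updating, and `encrypted` would read better as `false` than `nil`. A narrower detection is sketched below.

```ruby
def self.format_of(key_contents)
  if key_contents.start_with?('-----BEGIN ')
    # Only PEM armor carries an encryption marker: the PKCS#8 label or the
    # legacy "Proc-Type: 4,ENCRYPTED" header line.
    encrypted = key_contents.start_with?('-----BEGIN ENCRYPTED PRIVATE KEY') ||
                !!(key_contents =~ /^Proc-Type: 4,ENCRYPTED/)
    [:pem, encrypted]
  elsif key_contents.start_with?('ssh-rsa ') || key_contents.start_with?('ssh-dss ')
    [:openssh, false]
  else
    # fallback kept as in the commit; restore :der once it is handled again
    [:unknown, false]
  end
end
```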
diff --git a/lib/cheffish/version.rb b/lib/cheffish/version.rb
index f032c88..31a69fa 100644
--- a/lib/cheffish/version.rb
+++ b/lib/cheffish/version.rb
@@ -1,3 +1,3 @@
 module Cheffish
- VERSION = '0.6.2'
+ VERSION = '0.6.3'
 end