diff --git a/src/apps.js b/src/apps.js
index 5e264db59..9ba942ee0 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -2179,7 +2179,7 @@ async function importApp(app, data, auditSource) {
             await mounts.tryAddMount(mountObject, { timeout: 10 });
 
         }
-        error = await backups.testProviderConfig(backupConfig);
+        error = await backups.testConfig(backupConfig);
         if (error) throw error;
 
         if ('password' in backupConfig) {
diff --git a/src/backups.js b/src/backups.js
index 9ace7cf66..5cac0f57f 100644
--- a/src/backups.js
+++ b/src/backups.js
@@ -24,8 +24,8 @@ exports = module.exports = {
     setSnapshotInfo,
 
     validatePolicy,
+    validateEncryptionPassword,
     testConfig,
-    testProviderConfig,
 
     remount,
     getMountStatus,
@@ -340,22 +340,13 @@ async function testConfig(backupConfig) {
 
     if (backupConfig.format !== 'tgz' && backupConfig.format !== 'rsync') return new BoxError(BoxError.BAD_FIELD, 'unknown format');
 
-    if ('password' in backupConfig) {
-        if (typeof backupConfig.password !== 'string') return new BoxError(BoxError.BAD_FIELD, 'password must be a string');
-        if (backupConfig.password.length < 8) return new BoxError(BoxError.BAD_FIELD, 'password must be atleast 8 characters');
-    }
-
     await storage.api(backupConfig.provider).testConfig(backupConfig);
 }
 
-// this skips password check since that policy is only at creation time
-async function testProviderConfig(backupConfig) {
-    assert.strictEqual(typeof backupConfig, 'object');
+async function validateEncryptionPassword(password) {
+    assert.strictEqual(typeof password, 'string');
 
-    const func = storage.api(backupConfig.provider);
-    if (!func) return new BoxError(BoxError.BAD_FIELD, 'unknown storage provider');
-
-    await storage.api(backupConfig.provider).testConfig(backupConfig);
+    if (password.length < 8) return new BoxError(BoxError.BAD_FIELD, 'password must be atleast 8 characters');
 }
 
 async function remount(auditSource) {
diff --git a/src/provision.js b/src/provision.js
index 9fb6fa956..cdaab1f37 100644
--- a/src/provision.js
+++ b/src/provision.js
@@ -219,7 +219,7 @@ async function restore(backupConfig, remotePath, version, sysinfoConfig, options
             await safe(mounts.tryAddMount(newMount, { timeout: 10 })); // 10 seconds
         }
 
-        let error = await backups.testProviderConfig(backupConfig);
+        let error = await backups.testConfig(backupConfig);
         if (error) throw error;
 
         if ('password' in backupConfig) {
diff --git a/src/settings.js b/src/settings.js
index 74a9696f7..5fb7fd804 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -464,6 +464,9 @@ async function setBackupConfig(backupConfig) {
     if (error) throw error;
 
     if ('password' in backupConfig) { // user set password
+        const error = await backups.validateEncryptionPassword(backupConfig.password);
+        if (error) throw error;
+
         backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.password);
         delete backupConfig.password;
     }