diff --git a/src/routes/user/apps/appdefinition/AppDefinitionRouter.ts b/src/routes/user/apps/appdefinition/AppDefinitionRouter.ts
index ae306e2..cbb2a4e 100644
--- a/src/routes/user/apps/appdefinition/AppDefinitionRouter.ts
+++ b/src/routes/user/apps/appdefinition/AppDefinitionRouter.ts
@@ -395,13 +395,28 @@ router.post('/update/', function (req, res, next) {
     ) {
         res.send(
             new BaseApi(
-                ApiStatusCodes.STATUS_ERROR_GENERIC,
+                ApiStatusCodes.ILLEGAL_PARAMETER,
                 'Missing required Github/BitBucket/Gitlab field'
             )
         )
         return
     }
 
+    if (
+        repoInfo &&
+        repoInfo.sshKey &&
+        repoInfo.sshKey.indexOf('ENCRYPTED') > 0 &&
+        !CaptainConstants.configs.disableEncryptedCheck
+    ) {
+        res.send(
+            new BaseApi(
+                ApiStatusCodes.ILLEGAL_PARAMETER,
+                'You cannot use encrypted SSH keys'
+            )
+        )
+        return
+    }
+
     if (
         repoInfo &&
         repoInfo.sshKey &&
diff --git a/src/utils/CaptainConstants.ts b/src/utils/CaptainConstants.ts
index 783fc7c..b37f799 100644
--- a/src/utils/CaptainConstants.ts
+++ b/src/utils/CaptainConstants.ts
@@ -58,6 +58,9 @@ const configs = {
     certbotImageName: 'caprover/certbot-sleeping:v2.11.0',
 
     certbotCertCommandRules: undefined as CertbotCertCommandRule[] | undefined,
+
+    // this is added in 1.13 just as a safety - remove this after 1.14
+    disableEncryptedCheck: false,
 }
 
 export interface CertbotCertCommandRule {