diff --git a/src/CrossSigningManager.js b/src/CrossSigningManager.js
index 2184eaf347..f428697e74 100644
--- a/src/CrossSigningManager.js
+++ b/src/CrossSigningManager.js
@@ -96,6 +96,9 @@ async function getSecretStorageKey({ keys: keyInfos }, ssssItemName) {
         {
             keyInfo: info,
             checkPrivateKey: async (input) => {
+                if (!info.pubkey) {
+                    return true;
+                }
                 const key = await inputToKey(input);
                 return MatrixClientPeg.get().checkSecretStoragePrivateKey(key, info.pubkey);
             },
diff --git a/src/DeviceListener.js b/src/DeviceListener.js
index 6a506db496..03a701d715 100644
--- a/src/DeviceListener.js
+++ b/src/DeviceListener.js
@@ -147,6 +147,15 @@ export default class DeviceListener {
                 }
             }
             return;
+        } else if (await cli.secretStorageKeyNeedsUpgrade()) {
+            // FIXME: do we a different message?
+            ToastStore.sharedInstance().addOrReplaceToast({
+                key: THIS_DEVICE_TOAST_KEY,
+                title: _t("Encryption upgrade available"),
+                icon: "verification_warning",
+                props: {kind: 'upgrade_encryption'},
+                component: sdk.getComponent("toasts.SetupEncryptionToast"),
+            });
         } else {
             ToastStore.sharedInstance().dismissToast(THIS_DEVICE_TOAST_KEY);
         }