diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index fe852f6914..dfa0b5dcff 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -20,6 +20,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.CipherSuite;
 import org.apache.hadoop.fs.Path;
 import org.apache.ranger.credentialapi.CredentialReader;
 import org.apache.ranger.kms.dao.DaoManager;
@@ -442,6 +443,7 @@ public KeyVersion createKey(String name, byte[] material, Options options) throw
 logger.debug("==> createKey({})", name);
 KeyVersion ret;
+ validateKeyCiphers(options.getCipher());
 try (AutoClosableWriteLock ignored = new AutoClosableWriteLock(lock)) {
 reloadKeys();
@@ -597,6 +599,16 @@ private static Configuration getConfiguration(boolean loadHadoopDefaults, String
 return conf;
 }
+ private void validateKeyCiphers(String ciphers) throws IOException {
+ if (StringUtils.isNotEmpty(ciphers)) {
+ try {
+ CipherSuite.convert(ciphers);
+ } catch (Exception e) {
+ throw new IOException("Invalid ciphers: " + ciphers, e);
+ }
+ }
+ }
+
 private static void getFromJceks(Configuration conf, String path, String alias, String key) {
 logger.debug("==> getFromJceks()");
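Review bot: The `validateKeyCiphers(options.getCipher())` call added in createKey has no comment saying why it sits ahead of the write lock, or that an empty cipher is deliberately let through (the helper skips null and empty strings). I would add `// Reject unsupported cipher suites before taking the write lock; an empty cipher is not checked here.` above the call, and move the call above the `KeyVersion ret;` declaration so that declaration stays next to its first use. Whether an empty cipher can actually reach the store depends on the Options defaults, which are outside this hunk, as is the rest of createKey's body.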
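Review bot: In validateKeyCiphers the result of `CipherSuite.convert(ciphers)` is discarded, so any name the enum recognises passes. As far as I know, Hadoop's CipherSuite includes an `UNKNOWN` placeholder (name "Unknown") that convert returns without throwing; this is worth confirming against the Hadoop version on the classpath. If that holds, compare the result inside the try: `if (CipherSuite.convert(ciphers) == CipherSuite.UNKNOWN) { throw new IllegalArgumentException(ciphers); }`. The `catch (Exception e)` is also wider than needed; convert signals an unrecognised name with IllegalArgumentException, so `catch (IllegalArgumentException e)` avoids relabelling unrelated failures as "Invalid ciphers". The caller-supplied string is copied verbatim into the exception message, so if that message can reach logs or the response it should be length-capped and stripped of line breaks first.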