The disclosed embodiments are directed to preventing the writing of malformed cryptographic keys to a memory device. In one embodiment, a system is disclosed comprising a storage array, the storage array storing a first cryptographic key; and a processor configured to: receive a command from a host processor, the command including a second cryptographic key, a first signature, a second signature, and at least one field, determine that the first signature is valid using the second cryptographic key and the at least one field, determine that the second signature is valid using the first cryptographic key, the first signature and the at least one field, and replace the first cryptographic key with the second cryptographic key after determining that both the first signature and second signature are valid.