diff --git a/CHANGELOG.md b/CHANGELOG.md index 6815b0c8d..2d83a40cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,17 +14,19 @@ BUG FIXES: * core: Default variable file "terraform.tfvars" is auto-loaded. [GH-59] * providers/cloudflare: Include the proper bins so the cloudflare - provider is compiled + provider is compiled * providers/aws: Engine version for RDS now properly set [GH-118] * providers/aws: Security groups now depend on each other and * providers/aws: DB instances now wait for destroys, have proper - dependencies and allow passing skip_final_snapshot + dependencies and allow passing skip_final_snapshot * providers/aws: Add associate_public_ip_address as an attribute on - the aws_instance resource [GH-85] + the aws_instance resource [GH-85] * providers/aws: Fix cidr blocks being updated [GH-65, GH-85] * providers/aws: Description is now required for security groups * providers/digitalocean: Private IP addresses are now a separate - attribute + attribute + * provisioner/all: If an SSH key is given with a password, a better + error message is shown. [GH-73] ## 0.1.0 (July 28, 2014) diff --git a/helper/ssh/provisioner.go b/helper/ssh/provisioner.go index d84bfa356..a0350d1f2 100644 --- a/helper/ssh/provisioner.go +++ b/helper/ssh/provisioner.go @@ -1,6 +1,7 @@ package ssh import ( + "encoding/pem" "fmt" "io/ioutil" "log" 
@@ -105,10 +106,25 @@ func PrepareConfig(conf *SSHConfig) (*Config, error) { if err != nil { return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err) } + + // We parse the private key on our own first so that we can + // show a nicer error if the private key has a password. + block, _ := pem.Decode(key) + if block == nil { + return nil, fmt.Errorf( + "Failed to read key '%s': no key found", conf.KeyFile) + } + if block.Headers["Proc-Type"] == "4,ENCRYPTED" { + return nil, fmt.Errorf( + "Failed to read key '%s': password protected keys are\n"+ + "not supported. Please decrypt the key prior to use.", conf.KeyFile) + } + signer, err := ssh.ParsePrivateKey(key) if err != nil { return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err) } + sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer)) } if conf.Password != "" {
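Review bot: The encrypted-key guard added to PrepareConfig tests only `block.Headers["Proc-Type"] == "4,ENCRYPTED"`, which is the legacy OpenSSL PEM encryption marker. A PKCS#8 passphrase-protected key is a PEM block of type `ENCRYPTED PRIVATE KEY` with no such header, so it would skip this branch and still surface as the generic "Failed to parse key file" error from `ssh.ParsePrivateKey`. Widening the condition to `if block.Headers["Proc-Type"] == "4,ENCRYPTED" || block.Type == "ENCRYPTED PRIVATE KEY" {` keeps the clearer message for both forms. A one-line comment above the check, such as `// Detects legacy PEM encryption (Proc-Type header) and PKCS#8 encrypted blocks.`, would tell the next reader which formats it recognises. PrepareConfig starts and ends outside this hunk, so how the returned error reaches the user is not visible here.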