diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
index ae56133bd95..f495cefcfc9 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheck.java
@@ -19,17 +19,19 @@ final class TokenPassphraseBootstrapCheck implements BootstrapCheck {
 static final int MINIMUM_PASSPHRASE_LENGTH = 8;
- private final Settings settings;
+ private final boolean tokenServiceEnabled;
+ private final SecureString tokenPassphrase;
 TokenPassphraseBootstrapCheck(Settings settings) {
- this.settings = settings;
+ this.tokenServiceEnabled = XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings);
+ this.tokenPassphrase = TokenService.TOKEN_PASSPHRASE.get(settings);
 }
 @Override
 public boolean check() {
- if (XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings)) {
- try (SecureString secureString = TokenService.TOKEN_PASSPHRASE.get(settings)) {
- return secureString.length() < MINIMUM_PASSPHRASE_LENGTH || secureString.equals(TokenService.DEFAULT_PASSPHRASE);
+ try (SecureString ignore = tokenPassphrase) {
+ if (tokenServiceEnabled) {
+ return tokenPassphrase.length() < MINIMUM_PASSPHRASE_LENGTH || tokenPassphrase.equals(TokenService.DEFAULT_PASSPHRASE);
 }
 }
 // service is not enabled so no need to check
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
index 97b99b152ac..6e040a643a0 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/TokenPassphraseBootstrapCheckTests.java
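Review bot: In `TokenPassphraseBootstrapCheck`, the constructor now keeps a copy of the token passphrase in the `tokenPassphrase` field, and that copy is closed only when `check()` runs. If `check()` is never called the secret stays in memory for the lifetime of the check object, and a second `check()` call would read a `SecureString` that the first call already closed. Evaluating the condition once in the constructor, inside a try-with-resources, avoids retaining the secret while still reading it early; this assumes the goal is to read the passphrase before the secure settings are closed, as the new test suggests. `check()` would then only return the stored boolean. If the field is kept instead, a comment on `check()` such as `// closes the passphrase copy; must be called at most once` would document the one-shot contract. The body of `check()` ends outside this hunk.

```java
private final boolean weakPassphrase;

TokenPassphraseBootstrapCheck(Settings settings) {
    if (XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings)) {
        // read and evaluate the passphrase now, then zero the copy immediately
        try (SecureString passphrase = TokenService.TOKEN_PASSPHRASE.get(settings)) {
            this.weakPassphrase = passphrase.length() < MINIMUM_PASSPHRASE_LENGTH
                    || passphrase.equals(TokenService.DEFAULT_PASSPHRASE);
        }
    } else {
        // service is not enabled so no need to check
        this.weakPassphrase = false;
    }
}
// … unchanged apart from its body: check() returns weakPassphrase …
```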
@@ -47,4 +47,15 @@ public class TokenPassphraseBootstrapCheckTests extends ESTestCase {
 secureSettings.setString(TokenService.TOKEN_PASSPHRASE.getKey(), TokenService.DEFAULT_PASSPHRASE);
 assertFalse(new TokenPassphraseBootstrapCheck(settings).check());
 }
+
+ public void testTokenPassphraseCheckAfterSecureSettingsClosed() throws Exception {
+ Settings settings = Settings.builder().put(XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey(), true).build();
+ MockSecureSettings secureSettings = new MockSecureSettings();
+ secureSettings.setString("foo", "bar"); // leniency in setSecureSettings... if its empty it's skipped
+ settings = Settings.builder().put(settings).setSecureSettings(secureSettings).build();
+ secureSettings.setString(TokenService.TOKEN_PASSPHRASE.getKey(), TokenService.DEFAULT_PASSPHRASE);
+ final TokenPassphraseBootstrapCheck check = new TokenPassphraseBootstrapCheck(settings);
+ secureSettings.close();
+ assertTrue(check.check());
+ }
 }
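Review bot: `testTokenPassphraseCheckAfterSecureSettingsClosed` pins only the rejecting outcome (service enabled, default passphrase) after `secureSettings.close()`; the accepting outcome after close is not covered. A companion case that sets a passphrase of at least `MINIMUM_PASSPHRASE_LENGTH` characters, different from `TokenService.DEFAULT_PASSPHRASE`, and then asserts `assertFalse(check.check())` after the close would show that the passphrase captured in the constructor is the one evaluated. The passphrase is also added to `secureSettings` after `setSecureSettings(...)` and `build()`, which appears to rely on `Settings` keeping a reference to the mock. A short comment there would make that dependency explicit, for example `// added after build(): Settings is expected to hold secureSettings by reference`.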